[AC-2604] Fix aggregation of CollectionGroup permissions (#4097)

* Fix aggregation of CollectionGroup permissions - use MAX on Manage column instead of MIN

src/Infrastructure.EntityFramework/Repositories/CollectionRepository.cs

@@ -340,7 +340,7 @@ public class CollectionRepository : Repository<Core.Entities.Collection, Collect
                         ExternalId = collectionGroup.Key.ExternalId,
                         ReadOnly = Convert.ToBoolean(collectionGroup.Min(c => Convert.ToInt32(c.ReadOnly))),
                         HidePasswords = Convert.ToBoolean(collectionGroup.Min(c => Convert.ToInt32(c.HidePasswords))),
-                        Manage = Convert.ToBoolean(collectionGroup.Min(c => Convert.ToInt32(c.Manage))),
+                        Manage = Convert.ToBoolean(collectionGroup.Max(c => Convert.ToInt32(c.Manage))),
                     })
                     .ToList();
             }
@@ -365,7 +365,7 @@ public class CollectionRepository : Repository<Core.Entities.Collection, Collect
                               ExternalId = collectionGroup.Key.ExternalId,
                               ReadOnly = Convert.ToBoolean(collectionGroup.Min(c => Convert.ToInt32(c.ReadOnly))),
                               HidePasswords = Convert.ToBoolean(collectionGroup.Min(c => Convert.ToInt32(c.HidePasswords))),
-                              Manage = Convert.ToBoolean(collectionGroup.Min(c => Convert.ToInt32(c.Manage))),
+                              Manage = Convert.ToBoolean(collectionGroup.Max(c => Convert.ToInt32(c.Manage))),
                           }).ToListAsync();
         }
     }

src/Sql/dbo/Stored Procedures/Collection_ReadByIdUserId.sql

@@ -13,7 +13,7 @@ BEGIN
         ExternalId,
         MIN([ReadOnly]) AS [ReadOnly],
         MIN([HidePasswords]) AS [HidePasswords],
-        MIN([Manage]) AS [Manage]
+        MAX([Manage]) AS [Manage]
     FROM
         [dbo].[UserCollectionDetails](@UserId)
     WHERE

src/Sql/dbo/Stored Procedures/Collection_ReadByIdUserId_V2.sql

@@ -13,7 +13,7 @@ BEGIN
         ExternalId,
         MIN([ReadOnly]) AS [ReadOnly],
         MIN([HidePasswords]) AS [HidePasswords],
-        MIN([Manage]) AS [Manage]
+        MAX([Manage]) AS [Manage]
     FROM
         [dbo].[UserCollectionDetails_V2](@UserId)
     WHERE

src/Sql/dbo/Stored Procedures/Collection_ReadByUserId.sql

@@ -13,7 +13,7 @@ BEGIN
         ExternalId,
         MIN([ReadOnly]) AS [ReadOnly],
         MIN([HidePasswords]) AS [HidePasswords],
-        MIN([Manage]) AS [Manage]
+        MAX([Manage]) AS [Manage]
     FROM
         [dbo].[UserCollectionDetails](@UserId)
     GROUP BY

src/Sql/dbo/Stored Procedures/Collection_ReadByUserId_V2.sql

@@ -13,7 +13,7 @@ BEGIN
         ExternalId,
         MIN([ReadOnly]) AS [ReadOnly],
         MIN([HidePasswords]) AS [HidePasswords],
-        MIN([Manage]) AS [Manage]
+        MAX([Manage]) AS [Manage]
     FROM
         [dbo].[UserCollectionDetails_V2](@UserId)
     GROUP BY

util/Migrator/DbScripts/2024-05-20_00_FixManageAggregation.sql

@@ -0,0 +1,124 @@
+-- We were aggregating CollectionGroup permissions using MIN([Manage]) instead of MAX.
+-- If the user is a member of multiple groups with overlapping collection permissions, they should get the most
+-- generous permissions, not the least. This is consistent with ReadOnly and HidePasswords columns.
+-- Updating both current and V2 sprocs out of caution and because they still need to be reviewed/cleaned up.
+
+-- Collection_ReadByIdUserId
+CREATE OR ALTER PROCEDURE [dbo].[Collection_ReadByIdUserId]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+    SELECT
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId,
+        MIN([ReadOnly]) AS [ReadOnly],
+        MIN([HidePasswords]) AS [HidePasswords],
+        MAX([Manage]) AS [Manage]
+    FROM
+        [dbo].[UserCollectionDetails](@UserId)
+    WHERE
+        [Id] = @Id
+    GROUP BY
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId
+END
+GO;
+
+-- Collection_ReadByIdUserId_V2
+CREATE OR ALTER PROCEDURE [dbo].[Collection_ReadByIdUserId_V2]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+    SELECT
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId,
+        MIN([ReadOnly]) AS [ReadOnly],
+        MIN([HidePasswords]) AS [HidePasswords],
+        MAX([Manage]) AS [Manage]
+    FROM
+        [dbo].[UserCollectionDetails_V2](@UserId)
+    WHERE
+        [Id] = @Id
+    GROUP BY
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId
+END
+GO;
+
+-- Collection_ReadByUserId
+CREATE OR ALTER PROCEDURE [dbo].[Collection_ReadByUserId]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId,
+        MIN([ReadOnly]) AS [ReadOnly],
+        MIN([HidePasswords]) AS [HidePasswords],
+        MAX([Manage]) AS [Manage]
+    FROM
+        [dbo].[UserCollectionDetails](@UserId)
+    GROUP BY
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId
+END
+GO;
+
+-- Collection_ReadByUserId_V2
+CREATE OR ALTER PROCEDURE [dbo].[Collection_ReadByUserId_V2]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId,
+        MIN([ReadOnly]) AS [ReadOnly],
+        MIN([HidePasswords]) AS [HidePasswords],
+        MAX([Manage]) AS [Manage]
+    FROM
+        [dbo].[UserCollectionDetails_V2](@UserId)
+    GROUP BY
+        Id,
+        OrganizationId,
+        [Name],
+        CreationDate,
+        RevisionDate,
+        ExternalId
+END
+GO;