From 9b9f202f79d00c09ef868e44fcb362da4071f71c Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Fri, 19 Jul 2024 10:24:48 -0400
Subject: [PATCH] Resolved an issue where the API required users to be organization owners when accessing the members page (#4534)

---
 .../Billing/Controllers/OrganizationBillingController.cs | 2 +-
 src/Core/Context/CurrentContext.cs | 5 +++++
 src/Core/Context/ICurrentContext.cs | 1 +
 .../Controllers/OrganizationBillingControllerTests.cs | 6 +++---
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/Api/Billing/Controllers/OrganizationBillingController.cs b/src/Api/Billing/Controllers/OrganizationBillingController.cs
index 840f012ba..47c4ef68f 100644
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@@ -20,7 +20,7 @@ public class OrganizationBillingController(
 [HttpGet("metadata")]
 public async Task GetMetadataAsync([FromRoute] Guid organizationId)
 {
- if (!await currentContext.ViewBillingHistory(organizationId))
+ if (!await currentContext.AccessMembersTab(organizationId))
 {
 return TypedResults.Unauthorized();
 }
diff --git a/src/Core/Context/CurrentContext.cs b/src/Core/Context/CurrentContext.cs
index 4458b8da6..20413068e 100644
--- a/src/Core/Context/CurrentContext.cs
+++ b/src/Core/Context/CurrentContext.cs
@@ -383,6 +383,11 @@ public class CurrentContext : ICurrentContext
 return await EditSubscription(orgId);
 }
+ public async Task AccessMembersTab(Guid orgId)
+ {
+ return await OrganizationAdmin(orgId) || await ManageUsers(orgId) || await ManageResetPassword(orgId);
+ }
+
 public bool ProviderProviderAdmin(Guid providerId)
 {
 return Providers?.Any(o => o.Id == providerId && o.Type == ProviderUserType.ProviderAdmin) ?? false;
diff --git a/src/Core/Context/ICurrentContext.cs b/src/Core/Context/ICurrentContext.cs
index fcf4f6847..e41c660d4 100644
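Review bot: The failure branch after the new `if (!await currentContext.AccessMembersTab(organizationId))` still answers `TypedResults.Unauthorized()`, i.e. 401, for a caller who is authenticated but lacks the permission; 403 is the conventional status for that case, and a 401 from an authenticated request can be misread by clients as an expired session. Unless the rest of this controller deliberately uses 401 for permission failures (not visible in the hunk), I would change it to `return TypedResults.Forbid();`. The widened guard also means anyone with ManageUsers or ManageResetPassword can now read this billing metadata; whether OrganizationMetadataDTO holds anything beyond what the members page needs cannot be told from here, so it is worth confirming the DTO is safe to expose to those roles. GetMetadataAsync's body continues past the end of the hunk.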
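Review bot: Nothing in this patch exercises the disjunction in the new `AccessMembersTab` body itself: the controller tests substitute the whole method, so a regression in which of OrganizationAdmin, ManageUsers or ManageResetPassword is consulted would pass unnoticed. A CurrentContext-level test per disjunct (each one true alone, all three false) would pin the intended set. The inclusion of ManageResetPassword is also non-obvious to a reader of the permission layer, so a short why-comment above the return, e.g. `// Members page is also shown to custom users who can only reset passwords (they need the member list).`, would help, hedged to whatever the product reason actually is. Whether OrganizationAdmin is already implied by the other two checks cannot be told from the hunk, so the first disjunct may or may not be redundant.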
--- a/src/Core/Context/ICurrentContext.cs
+++ b/src/Core/Context/ICurrentContext.cs
@@ -48,6 +48,7 @@ public interface ICurrentContext
 Task ManagePolicies(Guid orgId);
 Task ManageSso(Guid orgId);
 Task ManageUsers(Guid orgId);
+ Task AccessMembersTab(Guid orgId);
 Task ManageScim(Guid orgId);
 Task ManageResetPassword(Guid orgId);
 Task ViewSubscription(Guid orgId);
diff --git a/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs b/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
index fd5c8cdd3..7b8b00462 100644
--- a/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
@@ -23,7 +23,7 @@ public class OrganizationBillingControllerTests
 Guid organizationId,
 SutProvider sutProvider)
 {
- sutProvider.GetDependency().ViewBillingHistory(organizationId).Returns(false);
+ sutProvider.GetDependency().AccessMembersTab(organizationId).Returns(false);
 var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
@@ -35,7 +35,7 @@ public class OrganizationBillingControllerTests
 Guid organizationId,
 SutProvider sutProvider)
 {
- sutProvider.GetDependency().ViewBillingHistory(organizationId).Returns(true);
+ sutProvider.GetDependency().AccessMembersTab(organizationId).Returns(true);
 sutProvider.GetDependency().GetMetadata(organizationId).Returns((OrganizationMetadataDTO)null);
 var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
@@ -48,7 +48,7 @@ public class OrganizationBillingControllerTests
 Guid organizationId,
 SutProvider sutProvider)
 {
- sutProvider.GetDependency().ViewBillingHistory(organizationId).Returns(true);
+ sutProvider.GetDependency().AccessMembersTab(organizationId).Returns(true);
 sutProvider.GetDependency().GetMetadata(organizationId)
 .Returns(new OrganizationMetadataDTO(true));
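Review bot: The new interface member `Task AccessMembersTab(Guid orgId);` is undocumented, and the interface is where implementers and test doubles look for the contract; the name describes a UI location, so without a summary a future caller cannot tell it is a composite of existing checks rather than a distinct permission. I would add above it `/// <summary>True when the caller may view the organization's Members page for <paramref name="orgId"/>; satisfied by OrganizationAdmin, ManageUsers or ManageResetPassword.</summary>`. A capability-oriented name (for example one naming the members list rather than the tab) would age better now that the same check gates a billing endpoint elsewhere in this patch, though renaming is a judgment call.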