
Resolved an issue where the API required users to be organization owners when accessing the members page (#4534)

This commit is contained in:
Conner Turnbull 2024-07-19 10:24:48 -04:00 committed by GitHub
parent 81477303e3
commit 9b9f202f79
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 10 additions and 4 deletions


@ -20,7 +20,7 @@ public class OrganizationBillingController(
[HttpGet("metadata")]
public async Task<IResult> GetMetadataAsync([FromRoute] Guid organizationId)
{
if (!await currentContext.ViewBillingHistory(organizationId))
if (!await currentContext.AccessMembersTab(organizationId))
{
return TypedResults.Unauthorized();
}
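Review bot: The billing metadata endpoint is now gated on a members-tab permission and nothing at the call site says why, so the next reader sees a permission name that does not match the controller and cannot tell whether it is a mistake; add `// The members page consumes this metadata, so the gate mirrors that page's access rule rather than a billing permission.` above the `if` on the new line. Whether anything other than the members page calls GetMetadataAsync is not visible here, so confirm that no caller relied on the ViewBillingHistory gate before it becomes the only check. The `TypedResults.Unauthorized()` on the context line answers 401 for an authenticated-but-not-permitted user, where `TypedResults.Forbid()` would be the accurate status; that is pre-existing behavior, but worth fixing while the check is being touched. GetMetadataAsync continues outside the hunk.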


@ -383,6 +383,11 @@ public class CurrentContext : ICurrentContext
return await EditSubscription(orgId);
}
public async Task<bool> AccessMembersTab(Guid orgId)
{
return await OrganizationAdmin(orgId) || await ManageUsers(orgId) || await ManageResetPassword(orgId);
}
public bool ProviderProviderAdmin(Guid providerId)
{
return Providers?.Any(o => o.Id == providerId && o.Type == ProviderUserType.ProviderAdmin) ?? false;
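Review bot: AccessMembersTab is a public permission aggregate with no documentation, and since this commit also uses it to gate a billing endpoint its intended scope should be stated on the method here and on the ICurrentContext declaration in the next file; add `/// <summary>True when the user may open the organization members page: OrganizationAdmin, ManageUsers or ManageResetPassword for the organization.</summary>`. The three awaited checks short-circuit left to right, which is fine, but the reader cannot tell from the body alone whether ManageResetPassword being sufficient on its own is intentional, so the doc comment should say so explicitly. A broad aggregate like this tends to be reused for endpoints beyond the members page, so the summary should also say that it is a page-access rule rather than a per-resource authorization check.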


@ -48,6 +48,7 @@ public interface ICurrentContext
Task<bool> ManagePolicies(Guid orgId);
Task<bool> ManageSso(Guid orgId);
Task<bool> ManageUsers(Guid orgId);
Task<bool> AccessMembersTab(Guid orgId);
Task<bool> ManageScim(Guid orgId);
Task<bool> ManageResetPassword(Guid orgId);
Task<bool> ViewSubscription(Guid orgId);


@ -23,7 +23,7 @@ public class OrganizationBillingControllerTests
Guid organizationId,
SutProvider<OrganizationBillingController> sutProvider)
{
sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(false);
sutProvider.GetDependency<ICurrentContext>().AccessMembersTab(organizationId).Returns(false);
var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
@ -35,7 +35,7 @@ public class OrganizationBillingControllerTests
Guid organizationId,
SutProvider<OrganizationBillingController> sutProvider)
{
sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
sutProvider.GetDependency<ICurrentContext>().AccessMembersTab(organizationId).Returns(true);
sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId).Returns((OrganizationMetadataDTO)null);
var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
@ -48,7 +48,7 @@ public class OrganizationBillingControllerTests
Guid organizationId,
SutProvider<OrganizationBillingController> sutProvider)
{
sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
sutProvider.GetDependency<ICurrentContext>().AccessMembersTab(organizationId).Returns(true);
sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId)
.Returns(new OrganizationMetadataDTO(true));
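Review bot: The three updated tests only stub AccessMembersTab to true or false, so the new composition in CurrentContext.AccessMembersTab (OrganizationAdmin, ManageUsers or ManageResetPassword) is not exercised anywhere in this commit; a CurrentContext test asserting that each of the three grants alone yields true and that none of them yields false would pin the permission the fix depends on. As written, the controller tests would still pass if the aggregate were later changed to something broader or narrower, which is exactly the regression the commit title is guarding against. Each test method in this section starts and ends outside the hunks shown.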