[AC-1144] Warn admins when removing or revoking users without master password (#2953)

* [AC-1144] Modified OrganizationUserUserDetails queries to include value for 'HasMasterPassword' property

* [AC-1144] Added 'HasMasterPassword' property to ProviderUserUserDetailsView

* [AC-1144] Added IProviderUserRepository.GetDetailsByIdAsync to get the details for a given ProviderUser.Id

* [AC-1144] Changed ProviderUsersController.Get to use ProviderUserRepository.GetDetailsByIdAsync

* [AC-1144] Modified OrganizationUsersController.Get to user OrganizationUserRepository.GetDetailsByIdWithCollectionsAsync to output HasMasterPassword value

* [AC-1144] Reverted changes for ProviderUser

* [AC-1144] Removed line break

src/Api/Controllers/OrganizationUsersController.cs

@@ -51,7 +51,7 @@ public class OrganizationUsersController : Controller
     [HttpGet("{id}")]
     public async Task<OrganizationUserDetailsResponseModel> Get(string id, bool includeGroups = false)
     {
-        var organizationUser = await _organizationUserRepository.GetByIdWithCollectionsAsync(new Guid(id));
+        var organizationUser = await _organizationUserRepository.GetDetailsByIdWithCollectionsAsync(new Guid(id));
         if (organizationUser == null || !await _currentContext.ManageUsers(organizationUser.Item1.OrganizationId))
         {
             throw new NotFoundException();

src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs

@@ -47,6 +47,7 @@ public class OrganizationUserResponseModel : ResponseModel
         Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organizationUser.Permissions);
         ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
         UsesKeyConnector = organizationUser.UsesKeyConnector;
+        HasMasterPassword = organizationUser.HasMasterPassword;
     }
 
     public string Id { get; set; }
@@ -59,6 +60,7 @@ public class OrganizationUserResponseModel : ResponseModel
     public Permissions Permissions { get; set; }
     public bool ResetPasswordEnrolled { get; set; }
     public bool UsesKeyConnector { get; set; }
+    public bool HasMasterPassword { get; set; }
 }
 
 public class OrganizationUserDetailsResponseModel : OrganizationUserResponseModel
@@ -70,6 +72,13 @@ public class OrganizationUserDetailsResponseModel : OrganizationUserResponseMode
         Collections = collections.Select(c => new SelectionReadOnlyResponseModel(c));
     }
 
+    public OrganizationUserDetailsResponseModel(OrganizationUserUserDetails organizationUser,
+        IEnumerable<CollectionAccessSelection> collections)
+        : base(organizationUser, "organizationUserDetails")
+    {
+        Collections = collections.Select(c => new SelectionReadOnlyResponseModel(c));
+    }
+
     public IEnumerable<SelectionReadOnlyResponseModel> Collections { get; set; }
 
     [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs

@@ -26,6 +26,7 @@ public class OrganizationUserUserDetails : IExternal, ITwoFactorProvidersUser
     public string Permissions { get; set; }
     public string ResetPasswordKey { get; set; }
     public bool UsesKeyConnector { get; set; }
+    public bool HasMasterPassword { get; set; }
 
     public ICollection<Guid> Groups { get; set; } = new List<Guid>();
     public ICollection<CollectionAccessSelection> Collections { get; set; } = new List<CollectionAccessSelection>();

src/Infrastructure.EntityFramework/Repositories/Queries/OrganizationUserUserViewQuery.cs

@@ -31,6 +31,7 @@ public class OrganizationUserUserDetailsViewQuery : IQuery<OrganizationUserUserD
             ResetPasswordKey = x.ou.ResetPasswordKey,
             UsesKeyConnector = x.u != null && x.u.UsesKeyConnector,
             AccessSecretsManager = x.ou.AccessSecretsManager,
+            HasMasterPassword = x.u != null && !string.IsNullOrWhiteSpace(x.u.MasterPassword)
         });
     }
 }

src/Sql/dbo/Views/OrganizationUserUserDetailsView.sql

@@ -17,7 +17,8 @@ SELECT
     SU.[ExternalId] SsoExternalId,
     OU.[Permissions],
     OU.[ResetPasswordKey],
-    U.[UsesKeyConnector]
+    U.[UsesKeyConnector],
+    CASE WHEN U.[MasterPassword] IS NOT NULL THEN 1 ELSE 0 END AS HasMasterPassword
 FROM
     [dbo].[OrganizationUser] OU
 LEFT JOIN

util/Migrator/DbScripts/2023-05-18_00_UserHasMasterPassword.sql

@@ -0,0 +1,46 @@
+CREATE OR ALTER VIEW [dbo].[OrganizationUserUserDetailsView]
+AS
+SELECT
+    OU.[Id],
+    OU.[UserId],
+    OU.[OrganizationId],
+    U.[Name],
+    ISNULL(U.[Email], OU.[Email]) Email,
+    U.[AvatarColor],
+    U.[TwoFactorProviders],
+    U.[Premium],
+    OU.[Status],
+    OU.[Type],
+    OU.[AccessAll],
+    OU.[AccessSecretsManager],
+    OU.[ExternalId],
+    SU.[ExternalId] SsoExternalId,
+    OU.[Permissions],
+    OU.[ResetPasswordKey],
+    U.[UsesKeyConnector],
+    CASE WHEN U.[MasterPassword] IS NOT NULL THEN 1 ELSE 0 END AS HasMasterPassword
+FROM
+    [dbo].[OrganizationUser] OU
+LEFT JOIN
+    [dbo].[User] U ON U.[Id] = OU.[UserId]
+LEFT JOIN
+    [dbo].[SsoUser] SU ON SU.[UserId] = OU.[UserId] AND SU.[OrganizationId] = OU.[OrganizationId]
+GO
+
+IF OBJECT_ID('[dbo].[OrganizationUserUserDetails_ReadByOrganizationId]') IS NOT NULL
+BEGIN
+    EXECUTE sp_refreshsqlmodule N'[dbo].[OrganizationUserUserDetails_ReadByOrganizationId]';
+END
+GO
+
+IF OBJECT_ID('[dbo].[OrganizationUser_ReadByMinimumRole]') IS NOT NULL
+BEGIN
+    EXECUTE sp_refreshsqlmodule N'[dbo].[OrganizationUser_ReadByMinimumRole]';
+END
+GO
+
+IF OBJECT_ID('[dbo].[OrganizationUserUserDetails_ReadById]') IS NOT NULL
+BEGIN
+    EXECUTE sp_refreshsqlmodule N'[dbo].[OrganizationUserUserDetails_ReadById]';
+END
+GO