[AC-1389] [AC-1919] Only require CanManage permission when admins cannot access all items (#3530)

* move this error behind the Flexible Collections v1 flag instead of MVP * only enforce this requirement if organization.allowAdminAccessToAllCollectionItems is false --------- Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2024-11-21 12:05:42 +01:00 · 2024-01-04 20:56:59 -05:00 · 2024-01-04 20:56:59 -05:00 · c553ec6aa0
commit c553ec6aa0
parent 061253e428
2 changed files with 8 additions and 7 deletions
--- a/src/Core/Services/Implementations/CollectionService.cs
+++ b/src/Core/Services/Implementations/CollectionService.cs
@ -43,9 +43,6 @@ public class CollectionService : ICollectionService
        _featureService = featureService;
    }

-    private bool UseFlexibleCollections =>
-        _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
    public async Task SaveAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null,
        IEnumerable<CollectionAccessSelection> users = null)
    {
@ -59,11 +56,11 @@ public class CollectionService : ICollectionService
        var usersList = users?.ToList();

        // If using Flexible Collections - a collection should always have someone with Can Manage permissions
-        if (UseFlexibleCollections)
+        if (_featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext))
        {
            var groupHasManageAccess = groupsList?.Any(g => g.Manage) ?? false;
            var userHasManageAccess = usersList?.Any(u => u.Manage) ?? false;
-            if (!groupHasManageAccess && !userHasManageAccess)
+            if (!groupHasManageAccess && !userHasManageAccess && !org.AllowAdminAccessToAllCollectionItems)
            {
                throw new BadRequestException(
                    "At least one member or group must have can manage permission.");
@ -125,7 +122,10 @@ public class CollectionService : ICollectionService
        }
        else
        {
-            var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, UseFlexibleCollections);
+            var collections = await _collectionRepository.GetManyByUserIdAsync(
+                _currentContext.UserId.Value,
+                _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext)
+            );
            orgCollections = collections.Where(c => c.OrganizationId == organizationId);
        }

--- a/test/Core.Test/Services/CollectionServiceTests.cs
+++ b/test/Core.Test/Services/CollectionServiceTests.cs
@ -114,8 +114,9 @@ public class CollectionServiceTest
        collection.Id = default;
        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.FlexibleCollections, Arg.Any<ICurrentContext>(), Arg.Any<bool>())
+            .IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, Arg.Any<ICurrentContext>(), Arg.Any<bool>())
            .Returns(true);
+        organization.AllowAdminAccessToAllCollectionItems = false;

        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveAsync(collection, null, users));
        Assert.Contains("At least one member or group must have can manage permission.", ex.Message);