mirror of
https://github.com/bitwarden/server.git
synced 2024-12-22 16:57:36 +01:00
[AC-2602] Fix error when provider edits existing group (#4086)
* Add null check to groups endpoint - providers may not be OrgUsers
This commit is contained in:
parent
fd173e81b6
commit
e619508f3f
@ -200,7 +200,8 @@ public class GroupsController : Controller
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId);
|
||||
var currentGroupUsers = await _groupRepository.GetManyUserIdsByIdAsync(id);
|
||||
if (!currentGroupUsers.Contains(organizationUser.Id) && model.Users.Contains(organizationUser.Id))
|
||||
// OrganizationUser may be null if the current user is a provider
|
||||
if (organizationUser != null && !currentGroupUsers.Contains(organizationUser.Id) && model.Users.Contains(organizationUser.Id))
|
||||
{
|
||||
throw new BadRequestException("You cannot add yourself to groups.");
|
||||
}
|
||||
|
@ -260,6 +260,54 @@ public class GroupsControllerTests
|
||||
Assert.Equal(groupRequestModel.AccessAll, response.AccessAll);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_ProviderUser_Success(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, List<Guid> currentGroupUsers, Guid savingUserId,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
group.OrganizationId = organization.Id;
|
||||
|
||||
// Enable FC and v1
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
|
||||
new OrganizationAbility
|
||||
{
|
||||
Id = organization.Id,
|
||||
AllowAdminAccessToAllCollectionItems = false,
|
||||
FlexibleCollections = true
|
||||
});
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
|
||||
.Returns((OrganizationUser)null); // Provider is not an OrganizationUser, so it will always return null
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>())
|
||||
.Returns(savingUserId);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
|
||||
.Returns(currentGroupUsers);
|
||||
|
||||
// Make collection authorization pass, it's not being tested here
|
||||
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name &&
|
||||
g.AccessAll == groupRequestModel.AccessAll),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Any<ICollection<CollectionAccessSelection>>(),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
Assert.Equal(groupRequestModel.AccessAll, response.AccessAll);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_OnlyUpdatesCollectionsTheSavingUserCanUpdate(GroupRequestModel groupRequestModel,
|
||||
|
Loading…
Reference in New Issue
Block a user