diff --git a/src/Api/AdminConsole/Controllers/GroupsController.cs b/src/Api/AdminConsole/Controllers/GroupsController.cs
index cdbbcf620..e0e057ff8 100644
--- a/src/Api/AdminConsole/Controllers/GroupsController.cs
+++ b/src/Api/AdminConsole/Controllers/GroupsController.cs
@@ -200,7 +200,8 @@ public class GroupsController : Controller
 var userId = _userService.GetProperUserId(User).Value;
 var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId);
 var currentGroupUsers = await _groupRepository.GetManyUserIdsByIdAsync(id);
- if (!currentGroupUsers.Contains(organizationUser.Id) && model.Users.Contains(organizationUser.Id))
+ // OrganizationUser may be null if the current user is a provider
+ if (organizationUser != null && !currentGroupUsers.Contains(organizationUser.Id) && model.Users.Contains(organizationUser.Id))
 {
 throw new BadRequestException("You cannot add yourself to groups.");
 }
diff --git a/test/Api.Test/AdminConsole/Controllers/GroupsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/GroupsControllerTests.cs
index 161f48f70..526838f36 100644
--- a/test/Api.Test/AdminConsole/Controllers/GroupsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/GroupsControllerTests.cs
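Review bot: The added comment says when `organizationUser` is null but not why skipping the self-add check is safe, which is the security-relevant point of the new `if` on the second added line; a later reader could take the null path for an unintended exemption from the rule. From the check itself, `model.Users` is compared against `organizationUser.Id`, so a caller with no OrganizationUser record has no id that could appear in that list and the rule cannot apply to them — that invariant is worth stating: `// A caller with no OrganizationUser record (e.g. a provider user) has no OrganizationUser.Id that could appear in model.Users, so the self-add rule cannot apply to them.` If `model.Users` ever carries anything other than OrganizationUser ids the skip would need revisiting, which is exactly why the rationale belongs in the comment rather than the symptom. Style-wise, `organizationUser is not null` is the modern form, though `!= null` is fine if that is the file's convention. The enclosing action method starts and ends outside the hunk.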
@@ -260,6 +260,54 @@ public class GroupsControllerTests
 Assert.Equal(groupRequestModel.AccessAll, response.AccessAll);
 }
+ [Theory]
+ [BitAutoData]
+ public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_ProviderUser_Success(Organization organization, Group group,
+ GroupRequestModel groupRequestModel, List currentGroupUsers, Guid savingUserId,
+ SutProvider sutProvider)
+ {
+ group.OrganizationId = organization.Id;
+
+ // Enable FC and v1
+ sutProvider.GetDependency().GetOrganizationAbilityAsync(organization.Id).Returns(
+ new OrganizationAbility
+ {
+ Id = organization.Id,
+ AllowAdminAccessToAllCollectionItems = false,
+ FlexibleCollections = true
+ });
+ sutProvider.GetDependency().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
+
+ sutProvider.GetDependency().GetByIdAsync(organization.Id).Returns(organization);
+ sutProvider.GetDependency().GetByIdWithCollectionsAsync(group.Id)
+ .Returns(new Tuple>(group, new List()));
+ sutProvider.GetDependency().ManageGroups(organization.Id).Returns(true);
+ sutProvider.GetDependency()
+ .GetByOrganizationAsync(organization.Id, Arg.Any())
+ .Returns((OrganizationUser)null); // Provider is not an OrganizationUser, so it will always return null
+ sutProvider.GetDependency().GetProperUserId(Arg.Any())
+ .Returns(savingUserId);
+ sutProvider.GetDependency().GetManyUserIdsByIdAsync(group.Id)
+ .Returns(currentGroupUsers);
+
+ // Make collection authorization pass, it's not being tested here
+ groupRequestModel.Collections = Array.Empty();
+
+ var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
+
+ await sutProvider.GetDependency().Received(1).ManageGroups(organization.Id);
+ await sutProvider.GetDependency().Received(1).UpdateGroupAsync(
+ Arg.Is(g =>
+ g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name &&
+ g.AccessAll == groupRequestModel.AccessAll),
+ Arg.Is(o => o.Id == organization.Id),
+ Arg.Any>(),
+ Arg.Any>());
+
Assert.Equal(groupRequestModel.Name, response.Name);
+ Assert.Equal(organization.Id, response.OrganizationId);
+ Assert.Equal(groupRequestModel.AccessAll, response.AccessAll);
+ }
+
 [Theory]
 [BitAutoData]
 public async Task Put_UpdateCollections_OnlyUpdatesCollectionsTheSavingUserCanUpdate(GroupRequestModel groupRequestModel,
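Review bot: The new test is named for member updates, but its `UpdateGroupAsync` verification matches the last two arguments with `Arg.Any`, so it never checks that the member ids in `groupRequestModel.Users` reach the command unchanged on the provider path. If the final parameter is the member id collection (its position suggests so — confirm against the command's signature), matching it, e.g. `Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(groupRequestModel.Users))`, would make the test fail if a provider's request ever had its member list dropped or altered. The explicit `(OrganizationUser)null` stub on `Arg.Any()` reads well as documentation, but stubbing `savingUserId` specifically would additionally pin that the controller looks up the saving user rather than some other id. The test method is complete within the hunk.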