bitwarden · eliykat · May 1, 2024 · Mar 22, 2024 · Mar 28, 2024 · Apr 4, 2024
@@ -2,6 +2,7 @@
 using Bit.Api.AdminConsole.Models.Response;
 using Bit.Api.Models.Response;
 using Bit.Api.Utilities;
+using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Api.Vault.AuthorizationHandlers.Groups;
 using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
@@ -32,6 +33,7 @@
     private readonly IUserService _userService;
     private readonly IFeatureService _featureService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly ICollectionRepository _collectionRepository;
 
     public GroupsController(
         IGroupRepository groupRepository,
@@ -45,7 +47,8 @@
         IApplicationCacheService applicationCacheService,
         IUserService userService,
         IFeatureService featureService,
-        IOrganizationUserRepository organizationUserRepository)
+        IOrganizationUserRepository organizationUserRepository,
+        ICollectionRepository collectionRepository)
     {
         _groupRepository = groupRepository;
         _groupService = groupService;
@@ -59,6 +62,7 @@
         _userService = userService;
         _featureService = featureService;
         _organizationUserRepository = organizationUserRepository;
+        _collectionRepository = collectionRepository;
     }
 
     [HttpGet("{id}")]
@@ -125,16 +129,28 @@
     }
 
     [HttpPost("")]
-    public async Task<GroupResponseModel> Post(string orgId, [FromBody] GroupRequestModel model)
+    public async Task<GroupResponseModel> Post(Guid orgId, [FromBody] GroupRequestModel model)
     {
-        var orgIdGuid = new Guid(orgId);
-        if (!await _currentContext.ManageGroups(orgIdGuid))
+        if (!await _currentContext.ManageGroups(orgId))
         {
             throw new NotFoundException();
         }
 
-        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
-        var group = model.ToGroup(orgIdGuid);
+        // Flexible Collections - check the user has permission to grant access to the collections for the new group
+        if (await FlexibleCollectionsIsEnabledAsync(orgId) && _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
+        {
+            var collections = await _collectionRepository.GetManyByManyIdsAsync(model.Collections.Select(a => a.Id));
+            var authorized =
+                (await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.ModifyGroupAccess))
+                .Succeeded;
+            if (!authorized)
+            {
+                throw new NotFoundException("You are not authorized to grant access to these collections.");
+            }
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(orgId);
+        var group = model.ToGroup(orgId);
         await _createGroupCommand.CreateGroupAsync(group, organization, model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
 
         return new GroupResponseModel(group);
@@ -144,16 +160,40 @@
     [HttpPost("{id}")]
     public async Task<GroupResponseModel> Put(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
     {
+        if (await FlexibleCollectionsIsEnabledAsync(orgId) && _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
+        {
+            // Use new Flexible Collections v1 logic
+            return await Put_vNext(orgId, id, model);
+        }
+
+        // Pre-Flexible Collections v1 logic follows
         var group = await _groupRepository.GetByIdAsync(id);
         if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
         {
             throw new NotFoundException();
         }
 
-        // Flexible Collections v1 - a user may not be able to add themselves to a group
+        var organization = await _organizationRepository.GetByIdAsync(orgId);
+
+        await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization,
+            model.Collections.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
+        return new GroupResponseModel(group);
+    }
+
+    /// <summary>
+    /// Put logic for Flexible Collections v1
+    /// </summary>
+    private async Task<GroupResponseModel> Put_vNext(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
+    {
+        var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
+        if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        // Check whether the user is permitted to add themselves to the group
         var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
-        var flexibleCollectionsV1Enabled = _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1);
-        if (flexibleCollectionsV1Enabled && orgAbility.FlexibleCollections && !orgAbility.AllowAdminAccessToAllCollectionItems)
+        if (!orgAbility.AllowAdminAccessToAllCollectionItems)
         {
             var userId = _userService.GetProperUserId(User).Value;
             var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId);
@@ -164,9 +204,38 @@
             }
         }
 
+        // The client only sends collections that the saving user has permissions to edit.
+        // On the server side, we need to (1) confirm this and (2) concat these with the collections that the user
+        // can't edit before saving to the database.
+        var currentCollections = await _collectionRepository
+            .GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
+
+        var readonlyCollectionIds = new HashSet<Guid>();
+        foreach (var collection in currentCollections)
+        {
+            if (!(await _authorizationService.AuthorizeAsync(User, collection, BulkCollectionOperations.ModifyGroupAccess))
+                .Succeeded)
+            {
+                readonlyCollectionIds.Add(collection.Id);
+            }
+        }
+
+        if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
+        {
+            throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
+        }
+
+        var editedCollectionAccess = model.Collections
+            .Select(c => c.ToSelectionReadOnly());
+        var readonlyCollectionAccess = currentAccess
+            .Where(ca => readonlyCollectionIds.Contains(ca.Id));
+        var collectionsToSave = editedCollectionAccess
+            .Concat(readonlyCollectionAccess)
+            .ToList();
+
         var organization = await _organizationRepository.GetByIdAsync(orgId);
 
-        await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization, model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
+        await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization, collectionsToSave, model.Users);
         return new GroupResponseModel(group);
     }
 

@@ -85,7 +85,8 @@ public class CollectionAuthorizationHandler : AuthorizationHandler<CollectionOpe
         { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
         { Permissions.EditAnyCollection: true } or
         { Permissions.DeleteAnyCollection: true } or
-        { Permissions.ManageUsers: true })
+        { Permissions.ManageUsers: true } or
+        { Permissions.ManageGroups: true })
         {
             context.Succeed(requirement);
             return;