bitwarden · eliykat · Apr 29, 2024 · Apr 29, 2024
diff --git a/src/Api/Controllers/CollectionsController.cs b/src/Api/Controllers/CollectionsController.cs
@@ -553,8 +553,11 @@
     {
         // New flexible collections logic
         var (collection, access) = await _collectionRepository.GetByIdWithAccessAsync(id);
-        var authorized = (await _authorizationService.AuthorizeAsync(User, collection, BulkCollectionOperations.ReadWithAccess)).Succeeded;
-        if (!authorized)
+        var authorizationResult = await _authorizationService.AuthorizeAsync(
+            User,
+            collection,
+            new[] { BulkCollectionOperations.Read, BulkCollectionOperations.ReadAccess });
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }

@@ -75,10 +75,6 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
                 await CanReadAsync(context, requirement, resources, org);
                 break;
 
-            case not null when requirement == BulkCollectionOperations.ReadWithAccess:
-                await CanReadWithAccessAsync(context, requirement, resources, org);
-                break;
-
             case not null when requirement == BulkCollectionOperations.Update:
             case not null when requirement == BulkCollectionOperations.ModifyAccess:
             case not null when requirement == BulkCollectionOperations.ImportCiphers:
@@ -124,38 +120,6 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
         if (org is
         { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
         { Permissions.EditAnyCollection: true } or
-        { Permissions.DeleteAnyCollection: true })
-        {
-            context.Succeed(requirement);
-            return;
-        }
-
-        // The acting user is a member of the target organization,
-        // ensure they have access for the collection being read
-        if (org is not null)
-        {
-            var canManageCollections = await CanManageCollectionsAsync(resources);
-            if (canManageCollections)
-            {
-                context.Succeed(requirement);
-                return;
-            }
-        }
-
-        // Allow provider users to read collections if they are a provider for the target organization
-        if (await _currentContext.ProviderUserForOrgAsync(_targetOrganizationId))
-        {
-            context.Succeed(requirement);
-        }
-    }
-
-    private async Task CanReadWithAccessAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement,
-        ICollection<Collection> resources, CurrentContextOrganization? org)
-    {
-        // Owners, Admins, and users with EditAnyCollection, DeleteAnyCollection or ManageUsers permission can always read a collection
-        if (org is
-        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
-        { Permissions.EditAnyCollection: true } or
         { Permissions.DeleteAnyCollection: true } or
         { Permissions.ManageUsers: true })
         {
@@ -164,7 +128,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
         }
 
         // The acting user is a member of the target organization,
-        // ensure they have access with manage permission for the collection being read
+        // ensure they have access for the collection being read
         if (org is not null)
         {
             var canManageCollections = await CanManageCollectionsAsync(resources);

@@ -7,14 +7,17 @@ public class BulkCollectionOperationRequirement : OperationAuthorizationRequirem
 public static class BulkCollectionOperations
 {
     public static readonly BulkCollectionOperationRequirement Create = new() { Name = nameof(Create) };
+    /// <summary>
+    /// Represents reading the Collection object. Does not include reading user and group access - see ReadAccess.
+    /// </summary>
     public static readonly BulkCollectionOperationRequirement Read = new() { Name = nameof(Read) };
+    /// <summary>
+    /// Represents reading the user and group access to a collection.
+    /// </summary>
     public static readonly BulkCollectionOperationRequirement ReadAccess = new() { Name = nameof(ReadAccess) };
-    public static readonly BulkCollectionOperationRequirement ReadWithAccess = new() { Name = nameof(ReadWithAccess) };
     public static readonly BulkCollectionOperationRequirement Update = new() { Name = nameof(Update) };
     /// <summary>
-    /// The operation that represents creating, updating, or removing collection access.
-    /// Combined together to allow for a single requirement to be used for each operation
-    /// as they all currently share the same underlying authorization logic.
+    /// Represents creating, updating, or removing collection access.
     /// </summary>
     public static readonly BulkCollectionOperationRequirement ModifyAccess = new() { Name = nameof(ModifyAccess) };
     public static readonly BulkCollectionOperationRequirement Delete = new() { Name = nameof(Delete) };

diff --git a/test/Api.Test/Controllers/CollectionsControllerTests.cs b/test/Api.Test/Controllers/CollectionsControllerTests.cs
@@ -142,7 +142,8 @@ await sutProvider.GetDependency<ICollectionService>()
                 Arg.Any<object>(),
                 Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
                     requirements.Cast<BulkCollectionOperationRequirement>().All(operation =>
-                        operation.Name == nameof(BulkCollectionOperations.ReadWithAccess))))
+                        operation.Name == nameof(BulkCollectionOperations.Read) ||
+                            operation.Name == nameof(BulkCollectionOperations.ReadAccess))))
             .Returns(AuthorizationResult.Success());
 
         await sutProvider.Sut.GetManyWithDetails(organizationAbility.Id);

@@ -362,178 +362,6 @@ public class BulkCollectionAuthorizationHandlerTests
         }
     }
 
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Owner)]
-    public async Task CanReadWithAccessAsync_WhenAdminOrOwner_Success(
-        OrganizationUserType userType,
-        Guid userId, SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        organization.Type = userType;
-        organization.Permissions = new Permissions();
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.ReadWithAccess },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(true, false, false)]
-    [BitAutoData(false, true, false)]
-    [BitAutoData(false, false, true)]
-
-    public async Task CanReadWithAccessAsync_WhenCustomUserWithRequiredPermissions_Success(
-        bool editAnyCollection, bool deleteAnyCollection, bool manageUsers,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = OrganizationUserType.Custom;
-        organization.Permissions = new Permissions
-        {
-            EditAnyCollection = editAnyCollection,
-            DeleteAnyCollection = deleteAnyCollection,
-            ManageUsers = manageUsers
-        };
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.ReadWithAccess },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanReadWithAccessAsync_WhenUserCanManageCollections_Success(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        foreach (var c in collections)
-        {
-            c.Manage = true;
-        }
-
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions = new Permissions();
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId, Arg.Any<bool>()).Returns(collections);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.ReadWithAccess },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanReadWithAccessAsync_WhenUserCanNotManageCollections_Success(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        foreach (var c in collections)
-        {
-            c.Manage = false;
-        }
-
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions = new Permissions();
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId, Arg.Any<bool>()).Returns(collections);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.ReadWithAccess },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.User)]
-    [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanReadWithAccessAsync_WhenMissingPermissions_NoSuccess(
-        OrganizationUserType userType,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions = new Permissions
-        {
-            EditAnyCollection = false,
-            DeleteAnyCollection = false,
-            ManageGroups = false,
-            ManageUsers = false
-        };
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.ReadWithAccess },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanReadWithAccessAsync_WhenMissingOrgAccess_NoSuccess(
-        Guid userId,
-        ICollection<Collection> collections,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider)
-    {
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.ReadWithAccess },
-            new ClaimsPrincipal(),
-            collections
-        );
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.False(context.HasSucceeded);
-    }
-
     [Theory, CollectionCustomization]
     [BitAutoData(OrganizationUserType.Admin)]
     [BitAutoData(OrganizationUserType.Owner)]