-
Notifications
You must be signed in to change notification settings - Fork 1.7k
[PM-39998] Omit org owner and admin Sends from policy enforcement #7982
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,6 +5,7 @@ | |
| using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces; | ||
| using Bit.Core.AdminConsole.Repositories; | ||
| using Bit.Core.Exceptions; | ||
| using Bit.Core.Repositories; | ||
| using Bit.Core.Services; | ||
| using Bit.Core.Tools.Entities; | ||
| using Bit.Core.Tools.Enums; | ||
|
|
@@ -21,7 +22,8 @@ public class SendControlsSyncPolicyEvent( | |
| IPolicyRepository policyRepository, | ||
| TimeProvider timeProvider, | ||
| ISendRepository sendRepository, | ||
| IFeatureService featureService) : IOnPolicyPostUpdateEvent, IPolicyValidationEvent | ||
| IFeatureService featureService, | ||
| IOrganizationUserRepository orgUserRepository) : IOnPolicyPostUpdateEvent, IPolicyValidationEvent | ||
| { | ||
| public PolicyType Type => PolicyType.SendControls; | ||
|
|
||
|
|
@@ -88,6 +90,9 @@ public Task<string> ValidateAsync(SavePolicyModel policyRequest, Policy? current | |
| private async Task UpdateSendsByPolicyAsync(Policy postUpsertedPolicyState, SendControlsPolicyData sendControlsPolicyData) | ||
| { | ||
| var orgSendIds = await sendRepository.GetIdsByOrganizationIdAsync(postUpsertedPolicyState.OrganizationId); | ||
| // We fetch all of the owners and admins in the org so we can ignore their Sends when enforcing policy compliance | ||
| // This could be a heavy call in theory but in practice owners and admins should be a minority of org users | ||
| var orgOwnerAndAdminUserIds = (await orgUserRepository.GetManyByMinimumRoleAsync(postUpsertedPolicyState.OrganizationId, Core.Enums.OrganizationUserType.Admin)).Select(oud => oud.GetUserId()); | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. π At some point it would be good to collapse the verification of whether a Send is compliant, to the PolicyRequirement itself, which owns the concept of "given a policy and some domain data (the user trying to Send, the Send itself), is this valid?". This way if we change how the policy works, it'll "just work" for this side effect |
||
| foreach (var sendIdsChunk in orgSendIds.Chunk(50)) | ||
| { | ||
| var enabled = new List<Guid>(); | ||
|
|
@@ -97,7 +102,8 @@ private async Task UpdateSendsByPolicyAsync(Policy postUpsertedPolicyState, Send | |
| { | ||
| if ( | ||
| // If the policy is disabled then we want to re-enable any Sends that were previously disabled | ||
| postUpsertedPolicyState.Enabled && SendIsNonCompliant(send, sendControlsPolicyData)) | ||
| // If the Send was created by an Owner or an Admin in the organization we ignore it | ||
| postUpsertedPolicyState.Enabled && !orgOwnerAndAdminUserIds.Contains(send.UserId) && SendIsNonCompliant(send, sendControlsPolicyData)) | ||
| { | ||
| disabled.Add(send.Id); | ||
| } | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.