Skip to content

[PM-18747] Add more protections to endpoints on backend so regular members can't hit endpoints and see data#7985

Open
JaredScar wants to merge 3 commits into
mainfrom
ac/pm-18747-further-restrict-user-access-to-member-and-group-details
Open

[PM-18747] Add more protections to endpoints on backend so regular members can't hit endpoints and see data#7985
JaredScar wants to merge 3 commits into
mainfrom
ac/pm-18747-further-restrict-user-access-to-member-and-group-details

Conversation

@JaredScar

Copy link
Copy Markdown
Contributor

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-18747

📔 Objective

Adds more permissions checks to backend so members can just hit the endpoint and see details not meant for them. Not too much of a security threat because this is not sensitive, but still something we figured we should tighten up

…n management

- Replaced GroupAuthorizationHandler with OrganizationCollectionManagementAccessHandler to streamline collection management access control.
- Introduced CollectionPermissions class for reusable permission checks related to collection creation.
- Updated BulkCollectionAuthorizationHandler to utilize the new permission checks.
- Modified GroupsController and OrganizationUsersController to use the new authorization requirement.
- Added integration tests for new authorization logic and permissions.
- Removed obsolete GroupAuthorizationHandler and related operations.

This refactor enhances the clarity and maintainability of the authorization logic for collection management within organizations.
@JaredScar JaredScar requested a review from a team as a code owner July 14, 2026 19:59
@JaredScar JaredScar added the ai-review Request a Claude code review label Jul 14, 2026
@JaredScar JaredScar requested a review from BTreston July 14, 2026 19:59
@JaredScar JaredScar added the t:bugfix Change Type - Bugfix label Jul 14, 2026
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR tightens authorization on the GET /organizations/{orgId}/groups endpoint, replacing the broad MemberOrProviderRequirement with a new OrganizationCollectionManagementAccessRequirement that grants access only to users with a legitimate need (collection creators, collection managers, custom users with ManageUsers/ManageGroups/AccessReports, or providers). It extracts the reusable pure CollectionPermissions.CanCreate check, removes the now-unused GroupAuthorizationHandler, GroupOperations, and OrganizationUserUserMiniDetailsOperations classes, and wires the new handler through TryAddEnumerable DI. The change is well-tested with unit tests for the permission function, branch-complete handler tests, and integration tests.

Code Review Details

No findings. The implementation follows existing authorization patterns (mirrors OrganizationRequirementHandler), extension methods and repository signatures verified correct, deleted classes have no remaining references, and the earlier resolved review thread's concern (preserving access for ManageUsers/ManageGroups custom users) is handled explicitly in the final code. The mini-details endpoint intentionally remains on MemberOrProviderRequirement, consistent with its updated documentation.

JaredScar and others added 2 commits July 15, 2026 12:06
- Updated the OrganizationCollectionManagementAccessRequirement to include custom permissions (ManageUsers, ManageGroups, AccessReports) for accessing basic organization member information.
- Modified the OrganizationUsersController to allow all organization members to retrieve basic member details, reflecting the broader need for member lookups across various app features.
- Added integration tests to validate the new authorization logic for custom users with specific permissions.
- Removed obsolete tests related to collection access that are no longer applicable.

These changes improve the flexibility and clarity of access control for organization members while ensuring necessary permissions are respected.
@BTreston BTreston requested review from a team and JimmyVo16 July 16, 2026 14:17

@BTreston BTreston left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside from the comment verbosity. I'd recommend shortening up the comments. Adding a backend dev for review, as they'll probably have better opinions/feedback

@JimmyVo16 JimmyVo16 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one confirmation question, but it's pretty much approved.

/// of the organization, since a broad range of features across the app depend on basic member lookups
/// (collection management, group management, event logs, sponsorship, etc.) that are not specific to any one
/// permission. For this reason, it contains as little information as possible and no cryptographic keys or
/// other sensitive data.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just want to confirm that this is the intended behavior. Are we keeping the permission check the same and only changing the comments?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ai-review Request a Claude code review t:bugfix Change Type - Bugfix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants