[EC-160] Give Provider Users access to all org ciphers and collections (#1959)

eliykat · Hinton · commit 71f2cfca4a50 · 2022-04-20T10:00:05.000+02:00
(cherry picked from commit ec9dd8e)
diff --git a/src/Api/Controllers/CiphersController.cs b/src/Api/Controllers/CiphersController.cs
@@ -224,8 +224,19 @@ public async Task<ListResponseModel<CipherMiniDetailsResponseModel>> GetOrganiza
                 throw new NotFoundException();
             }
 
-            var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
-            var orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid);
+            IEnumerable<Cipher> orgCiphers;
+            if (await _currentContext.OrganizationOwner(orgIdGuid))
+            {
+                // User may be a Provider for the organization, in which case GetManyByUserIdAsync won't return any results
+                // But they have access to all organization ciphers, so we can safely get by orgId instead
+                orgCiphers = await _cipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
+            }
+            else
+            {
+                var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
+                orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid);
+            }
+
             var orgCipherIds = orgCiphers.Select(c => c.Id);
 
             var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
diff --git a/src/Api/Controllers/CollectionsController.cs b/src/Api/Controllers/CollectionsController.cs
@@ -87,8 +87,19 @@ public async Task<ListResponseModel<CollectionResponseModel>> Get(string orgId)
                 throw new NotFoundException();
             }
 
-            var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
-            var orgCollections = collections.Where(c => c.OrganizationId == orgIdGuid);
+            IEnumerable<Collection> orgCollections;
+            if (await _currentContext.OrganizationOwner(orgIdGuid))
+            {
+                // User may be a Provider for the organization, in which case GetManyByUserIdAsync won't return any results
+                // But they have access to all organization collections, so we can safely get by orgId instead
+                orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgIdGuid);
+            }
+            else
+            {
+                var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
+                orgCollections = collections.Where(c => c.OrganizationId == orgIdGuid);
+            }
+
             var responses = orgCollections.Select(c => new CollectionResponseModel(c));
             return new ListResponseModel<CollectionResponseModel>(responses);
         }
