bitwarden · vincentsalucci · Jul 12, 2024 · Jun 10, 2024 · Jun 10, 2024 · Jun 12, 2024
@@ -544,9 +544,9 @@ private static string GetEnumDisplayName(Enum value)
         await _providerOrganizationRepository.CreateAsync(providerOrganization);
         await _eventService.LogProviderOrganizationEventAsync(providerOrganization, EventType.ProviderOrganization_Created);
 
-        // If using Flexible Collections, give the owner Can Manage access over the default collection
+        // Give the owner Can Manage access over the default collection
         // The orgUser is not available when the org is created so we have to do it here as part of the invite
-        var defaultOwnerAccess = organization.FlexibleCollections && defaultCollection != null
+        var defaultOwnerAccess = defaultCollection != null
             ?
             [
                 new CollectionAccessSelection
@@ -566,10 +566,6 @@ private static string GetEnumDisplayName(Enum value)
                     new OrganizationUserInvite
                     {
                         Emails = new[] { clientOwnerEmail },
-
-                        // If using Flexible Collections, AccessAll is deprecated and set to false.
-                        // If not using Flexible Collections, set AccessAll to true (previous behavior)
-                        AccessAll = !organization.FlexibleCollections,
                         Type = OrganizationUserType.Owner,
                         Permissions = null,
                         Collections = defaultOwnerAccess,

@@ -20,7 +20,6 @@ public OrganizationUserInvite ToOrganizationUserInvite(ScimProviderType scimProv
 
             // Permissions cannot be set via SCIM so we use default values
             Type = OrganizationUserType.User,
-            AccessAll = false,
             Collections = new List<CollectionAccessSelection>(),
             Groups = new List<Guid>()
         };

@@ -637,8 +637,7 @@ await sutProvider.GetDependency<IOrganizationService>()
                 t.First().Item1.Emails.Count() == 1 &&
                 t.First().Item1.Emails.First() == clientOwnerEmail &&
                 t.First().Item1.Type == OrganizationUserType.Owner &&
-                t.First().Item1.AccessAll &&
-                !t.First().Item1.Collections.Any() &&
+                t.First().Item1.Collections.Count() == 1 &&
                 t.First().Item2 == null));
     }
 
@@ -717,13 +716,12 @@ await sutProvider.GetDependency<IOrganizationService>()
                         t.First().Item1.Emails.Count() == 1 &&
                         t.First().Item1.Emails.First() == clientOwnerEmail &&
                         t.First().Item1.Type == OrganizationUserType.Owner &&
-                        t.First().Item1.AccessAll &&
-                        !t.First().Item1.Collections.Any() &&
+                        t.First().Item1.Collections.Count() == 1 &&
                         t.First().Item2 == null));
     }
 
-    [Theory, OrganizationCustomize(FlexibleCollections = true), BitAutoData]
-    public async Task CreateOrganizationAsync_WithFlexibleCollections_SetsAccessAllToFalse
+    [Theory, OrganizationCustomize, BitAutoData]
+    public async Task CreateOrganizationAsync_SetsAccessAllToFalse
         (Provider provider, OrganizationSignup organizationSignup, Organization organization, string clientOwnerEmail,
             User user, SutProvider<ProviderService> sutProvider, Collection defaultCollection)
     {
@@ -747,7 +745,6 @@ await sutProvider.GetDependency<IOrganizationService>()
                 t.First().Item1.Emails.Count() == 1 &&
                 t.First().Item1.Emails.First() == clientOwnerEmail &&
                 t.First().Item1.Type == OrganizationUserType.Owner &&
-                t.First().Item1.AccessAll == false &&
                 t.First().Item1.Collections.Single().Id == defaultCollection.Id &&
                 !t.First().Item1.Collections.Single().HidePasswords &&
                 !t.First().Item1.Collections.Single().ReadOnly &&

diff --git a/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs b/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
@@ -43,7 +43,6 @@ public async Task PostUser_Success(SutProvider<PostUserCommand> sutProvider, str
                 Arg.Is<OrganizationUserInvite>(i =>
                     i.Emails.Single().Equals(scimUserRequestModel.PrimaryEmail.ToLowerInvariant()) &&
                     i.Type == OrganizationUserType.User &&
-                    !i.AccessAll &&
                     !i.Collections.Any() &&
                     !i.Groups.Any() &&
                     i.AccessSecretsManager), externalId)
@@ -56,7 +55,6 @@ public async Task PostUser_Success(SutProvider<PostUserCommand> sutProvider, str
             Arg.Is<OrganizationUserInvite>(i =>
                 i.Emails.Single().Equals(scimUserRequestModel.PrimaryEmail.ToLowerInvariant()) &&
                 i.Type == OrganizationUserType.User &&
-                !i.AccessAll &&
                 !i.Collections.Any() &&
                 !i.Groups.Any() &&
                 i.AccessSecretsManager), externalId);

@@ -19,7 +19,11 @@ public class OrganizationUser : ITableObject<Guid>, IExternal
     public string? ResetPasswordKey { get; set; }
     public OrganizationUserStatusType Status { get; set; }
     public OrganizationUserType Type { get; set; }
-    public bool AccessAll { get; set; }
+
+    /// <summary>
+    /// AccessAll is deprecated and should always be left as false. Scheduled for removal.
+    /// </summary>
+    public bool AccessAll { get; set; } = false;
     [MaxLength(300)]
     public string? ExternalId { get; set; }
     public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;

@@ -7,7 +7,6 @@ public class OrganizationUserInvite
 {
     public IEnumerable<string> Emails { get; set; }
     public Enums.OrganizationUserType? Type { get; set; }
-    public bool AccessAll { get; set; }
     public bool AccessSecretsManager { get; set; }
     public Permissions Permissions { get; set; }
     public IEnumerable<CollectionAccessSelection> Collections { get; set; }
@@ -19,7 +18,6 @@ public OrganizationUserInvite(OrganizationUserInviteData requestModel)
     {
         Emails = requestModel.Emails;
         Type = requestModel.Type;
-        AccessAll = requestModel.AccessAll;
         AccessSecretsManager = requestModel.AccessSecretsManager;
         Collections = requestModel.Collections;
         Groups = requestModel.Groups;

@@ -6,7 +6,6 @@ public class OrganizationUserInviteData
 {
     public IEnumerable<string> Emails { get; set; }
     public OrganizationUserType? Type { get; set; }
-    public bool AccessAll { get; set; }
     public bool AccessSecretsManager { get; set; }
     public IEnumerable<CollectionAccessSelection> Collections { get; set; }
     public IEnumerable<Guid> Groups { get; set; }

@@ -115,18 +115,15 @@
             throw new BadRequestException("This organization cannot use groups.");
         }
 
-        if (organization.FlexibleCollections)
+        if (group.AccessAll)
         {
-            if (group.AccessAll)
-            {
-                throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
-            }
-
-            var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
-            if (invalidAssociations?.Any() ?? false)
-            {
-                throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
-            }
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
+        }
+
+        var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+        if (invalidAssociations?.Any() ?? false)
+        {
+            throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
         }
     }
 }
@@ -109,18 +109,15 @@
             throw new BadRequestException("This organization cannot use groups.");
         }
 
-        if (organization.FlexibleCollections)
+        if (group.AccessAll)
         {
-            if (group.AccessAll)
-            {
-                throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
-            }
-
-            var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
-            if (invalidAssociations?.Any() ?? false)
-            {
-                throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
-            }
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
+        }
+
+        var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+        if (invalidAssociations?.Any() ?? false)
+        {
+            throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
         }
     }
 }
@@ -6,5 +6,5 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interface
 
 public interface IUpdateOrganizationUserCommand
 {
-    Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid>? groups);
+    Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId, List<CollectionAccessSelection> collections, IEnumerable<Guid>? groups);
 }
@@ -37,7 +37,7 @@
     }
 
     public async Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId,
-        IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid>? groups)
+        List<CollectionAccessSelection>? collections, IEnumerable<Guid>? groups)
     {
         if (user.Id.Equals(default(Guid)))
         {
@@ -59,22 +59,19 @@
             throw new BadRequestException("Organization must have at least one confirmed owner.");
         }
 
-        // If the organization is using Flexible Collections, prevent use of any deprecated permissions
-        var organization = await _organizationRepository.GetByIdAsync(user.OrganizationId);
-        if (organization.FlexibleCollections && user.AccessAll)
+        if (user.AccessAll)
         {
             throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
         }
 
-        if (organization.FlexibleCollections && collections?.Any() == true)
+        if (collections?.Count > 0)
         {
             var invalidAssociations = collections.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
             if (invalidAssociations.Any())
             {
                 throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
             }
         }
-        // End Flexible Collections
 
         // Only autoscale (if required) after all validation has passed so that we know it's a valid request before
         // updating Stripe
@@ -83,17 +80,13 @@
             var additionalSmSeatsRequired = await _countNewSmSeatsRequiredQuery.CountNewSmSeatsRequiredAsync(user.OrganizationId, 1);
             if (additionalSmSeatsRequired > 0)
             {
+                var organization = await _organizationRepository.GetByIdAsync(user.OrganizationId);
                 var update = new SecretsManagerSubscriptionUpdate(organization, true)
                     .AdjustSeats(additionalSmSeatsRequired);
                 await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(update);
             }
         }
 
-        if (user.AccessAll)
-        {
-            // We don't need any collections if we're flagged to have all access.
-            collections = new List<CollectionAccessSelection>();
-        }
         await _organizationUserRepository.ReplaceAsync(user, collections);
 
         if (groups != null)