Merge pull request #1099 from ONLYOFFICE/bugfix/room-admin-permissions

Bugfix/room admin permissions

common/ASC.Common/Security/Authorizing/Domain/Role.cs

@@ -40,6 +40,7 @@ public sealed class Role : IRole
     public string AuthenticationType => "ASC";
     public bool IsAuthenticated => false;
 
+    public string Key => ID.ToString();
 
     public Role(Guid id, string name)
     {

common/ASC.Common/Security/Authorizing/Interfaces/IRole.cs

@@ -26,4 +26,4 @@
 
 namespace ASC.Common.Security.Authorizing;
 
-public interface IRole : ISubject { }
+public interface IRole : ISubject, IRuleData { }

common/ASC.Common/Security/RuleData.cs

@@ -0,0 +1,32 @@
+// (c) Copyright Ascensio System SIA 2010-2022
+//
+// This program is a free software product.
+// You can redistribute it and/or modify it under the terms
+// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
+// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
+// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
+// any third-party rights.
+//
+// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
+// of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE. For details, see
+// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
+//
+// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
+//
+// The  interactive user interfaces in modified source and object code versions of the Program must
+// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
+//
+// Pursuant to Section 7(b) of the License you must retain the original Product logo when
+// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
+// trademark law for use of our trademarks.
+//
+// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
+// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
+// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+namespace ASC.Common.Security;
+
+public interface IRuleData
+{
+    public string Key { get; }
+}

common/ASC.Core.Common/Caching/CachedUserService.cs

@@ -74,6 +74,12 @@ public class UserServiceCache
         {
             var key = GetUserCacheKey(userInfo.Tenant);
             Cache.Remove(key);
+
+            if (Guid.TryParse(userInfo.Id, out var userId))
+            {
+                var userKey = GetUserCacheKey(userInfo.Tenant, userId);
+                Cache.Remove(userKey);
+            }
         }
     }
     private void InvalidateCache(GroupCacheItem groupCacheItem)

common/ASC.Core.Common/Context/Impl/UserManager.cs

@@ -64,6 +64,7 @@ public class UserManager
     private readonly TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> _countRoomAdminChecker;
     private readonly TenantQuotaFeatureCheckerCount<CountUserFeature> _activeUsersFeatureChecker;
     private readonly Constants _constants;
+    private readonly UserFormatter _userFormatter;
 
     private Tenant _tenant;
     private Tenant Tenant => _tenant ??= _tenantManager.GetCurrentTenant();
@@ -86,7 +87,8 @@ public class UserManager
         ILogger<UserManager> log,
         ICache cache,
         TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> countRoomAdrminChecker,
-        TenantQuotaFeatureCheckerCount<CountUserFeature> activeUsersFeatureChecker
+        TenantQuotaFeatureCheckerCount<CountUserFeature> activeUsersFeatureChecker,
+        UserFormatter userFormatter
         )
     {
         _userService = service;
@@ -103,6 +105,7 @@ public class UserManager
         _countRoomAdminChecker = countRoomAdrminChecker;
         _activeUsersFeatureChecker = activeUsersFeatureChecker;
         _constants = _userManagerConstants.Constants;
+        _userFormatter = userFormatter;
     }
 
     public UserManager(
@@ -119,8 +122,9 @@ public class UserManager
         ICache cache,
         TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> tenantQuotaFeatureChecker,
         TenantQuotaFeatureCheckerCount<CountUserFeature> activeUsersFeatureChecker,
-        IHttpContextAccessor httpContextAccessor)
+        IHttpContextAccessor httpContextAccessor,
-        : this(service, tenantManager, permissionContext, userManagerConstants, coreBaseSettings, coreSettings, instanceCrypto, radicaleClient, cardDavAddressbook, log, cache, tenantQuotaFeatureChecker, activeUsersFeatureChecker)
+        UserFormatter userFormatter)
+        : this(service, tenantManager, permissionContext, userManagerConstants, coreBaseSettings, coreSettings, instanceCrypto, radicaleClient, cardDavAddressbook, log, cache, tenantQuotaFeatureChecker, activeUsersFeatureChecker, userFormatter)
     {
         _accessor = httpContextAccessor;
     }
@@ -353,7 +357,8 @@ public class UserManager
             return SystemUsers[u.Id];
         }
 
-        _permissionContext.DemandPermissions(Constants.Action_AddRemoveUser);
+        _permissionContext.DemandPermissions(new UserSecurityProvider(u.Id, isVisitor ? EmployeeType.User : EmployeeType.RoomAdmin), 
+            Constants.Action_AddRemoveUser);
 
         if (!_coreBaseSettings.Personal)
         {
@@ -631,12 +636,15 @@ public class UserManager
         {
             return;
         }
-        _permissionContext.DemandPermissions(Constants.Action_EditGroups);
+
+        var user = GetUsers(userId);
+
+        _permissionContext.DemandPermissions(new UserGroupObject(new UserAccount(user, _tenantManager.GetCurrentTenant().Id, _userFormatter), groupId),
+            Constants.Action_EditGroups);
 
         _userService.SaveUserGroupRef(Tenant.Id, new UserGroupRef(userId, groupId, UserGroupRefType.Contains));
 
         ResetGroupCache(userId);
-        var user = GetUsers(userId);
         if (groupId == Constants.GroupUser.ID)
         {
             var tenant = _tenantManager.GetCurrentTenant();
@@ -658,7 +666,10 @@ public class UserManager
             return;
         }
 
-        _permissionContext.DemandPermissions(Constants.Action_EditGroups);
+        var user = GetUsers(userId);
+
+        _permissionContext.DemandPermissions(new UserGroupObject(new UserAccount(user, _tenantManager.GetCurrentTenant().Id, _userFormatter), groupId),
+            Constants.Action_EditGroups);
 
         _userService.RemoveUserGroupRef(Tenant.Id, userId, groupId, UserGroupRefType.Contains);
 

common/ASC.Core.Common/Core/GroupInfo.cs

@@ -71,4 +71,5 @@ public class GroupInfo : IRole, IRecipientsGroup
     string IRecipient.Name => Name;
     public string AuthenticationType => "ASC";
     public bool IsAuthenticated => false;
+    public string Key => ID.ToString();
 }

common/ASC.Core.Common/Security/Authorizing/AzManager.cs

@@ -57,7 +57,8 @@ public class AzManager
 
     internal AzManagerAcl GetAzManagerAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
     {
-        if (action.AdministratorAlwaysAllow && (Constants.DocSpaceAdmin.ID == subject.ID || _roleProvider.IsSubjectInRole(subject, Constants.DocSpaceAdmin)))
+        if (action.AdministratorAlwaysAllow && (Constants.DocSpaceAdmin.ID == subject.ID || _roleProvider.IsSubjectInRole(subject, Constants.DocSpaceAdmin) 
+            || (objectId is SecurityObject obj && obj.IsMatchDefaultRules(subject, action, _roleProvider))))
         {
             return AzManagerAcl.Allow;
         }

common/ASC.Core.Common/Security/Rule.cs

@@ -0,0 +1,57 @@
+// (c) Copyright Ascensio System SIA 2010-2022
+//
+// This program is a free software product.
+// You can redistribute it and/or modify it under the terms
+// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
+// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
+// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
+// any third-party rights.
+//
+// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
+// of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE. For details, see
+// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
+//
+// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
+//
+// The  interactive user interfaces in modified source and object code versions of the Program must
+// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
+//
+// Pursuant to Section 7(b) of the License you must retain the original Product logo when
+// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
+// trademark law for use of our trademarks.
+//
+// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
+// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
+// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+namespace ASC.Core.Common.Security;
+
+public class Rule
+{
+    public Guid ActionId { get; }
+    public IRuleData Data { get; }
+    private readonly string _key;
+
+    public Rule(Guid actionId, IRuleData data)
+    {
+        ActionId = actionId;
+        Data = data;
+        _key = actionId.ToString() + data?.Key;
+    }
+
+    public Rule(Guid actionId)
+    {
+        ActionId = actionId;
+        _key = actionId.ToString();
+    }
+
+    public override int GetHashCode()
+    {
+        return _key.GetHashCode();
+    }
+
+    public override bool Equals(object obj)
+    {
+        return obj is Rule action && action._key == _key;
+    }
+}

common/ASC.Core.Common/Security/Security.cs

@@ -0,0 +1,56 @@
+// (c) Copyright Ascensio System SIA 2010-2022
+//
+// This program is a free software product.
+// You can redistribute it and/or modify it under the terms
+// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
+// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
+// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
+// any third-party rights.
+//
+// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
+// of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE. For details, see
+// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
+//
+// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
+//
+// The  interactive user interfaces in modified source and object code versions of the Program must
+// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
+//
+// Pursuant to Section 7(b) of the License you must retain the original Product logo when
+// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
+// trademark law for use of our trademarks.
+//
+// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
+// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
+// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+using UserConstants = ASC.Core.Users.Constants;
+using Constants = ASC.Common.Security.Authorizing.Constants;
+
+namespace ASC.Core.Common.Security;
+
+public static class Security
+{
+    public static readonly Dictionary<Guid, Dictionary<Guid, HashSet<Rule>>> Rules = new Dictionary<Guid, Dictionary<Guid, HashSet<Rule>>>
+    {
+        {
+            Constants.RoomAdmin.ID, new Dictionary<Guid, HashSet<Rule>>()
+            {
+                {
+                    Constants.User.ID, new HashSet<Rule>()
+                    {
+                        new Rule(UserConstants.Action_EditGroups.ID, Constants.User),
+                        new Rule(UserConstants.Action_AddRemoveUser.ID),
+                    }
+                },
+                {
+                    Constants.RoomAdmin.ID, new HashSet<Rule>()
+                    {
+                        new Rule(UserConstants.Action_EditGroups.ID, Constants.User),
+                        new Rule(UserConstants.Action_AddRemoveUser.ID),
+                    }
+                }
+            }
+        }
+    };
+}

common/ASC.Core.Common/Security/SecurityObject.cs

@@ -0,0 +1,75 @@
+// (c) Copyright Ascensio System SIA 2010-2022
+//
+// This program is a free software product.
+// You can redistribute it and/or modify it under the terms
+// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
+// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
+// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
+// any third-party rights.
+//
+// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
+// of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE. For details, see
+// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
+//
+// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
+//
+// The  interactive user interfaces in modified source and object code versions of the Program must
+// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
+//
+// Pursuant to Section 7(b) of the License you must retain the original Product logo when
+// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
+// trademark law for use of our trademarks.
+//
+// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
+// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
+// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+namespace ASC.Core.Common.Security;
+
+public abstract class SecurityObject : ISecurityObject
+{
+    public object SecurityId { get; protected set; }
+    public Type ObjectType { get; protected set; }
+    public string FullId { get; protected set; }
+    public bool InheritSupported { get; protected set; }
+    public bool ObjectRolesSupported { get; protected set; }
+
+    public virtual IEnumerable<IRole> GetObjectRoles(ISubject account, ISecurityObjectId objectId, SecurityCallContext callContext)
+    {
+        return null;
+    }
+
+    public virtual ISecurityObjectId InheritFrom(ISecurityObjectId objectId)
+    {
+        return null;
+    }
+
+    public bool IsMatchDefaultRules(ISubject subject, IAction action, IRoleProvider roleProvider)
+    {
+        var subjectRoles = roleProvider.GetRoles(subject);
+        var targetRoles = GetTargetRoles(roleProvider);
+
+        foreach (var subjectRole in subjectRoles)
+        {
+            if (Security.Rules.TryGetValue(subjectRole.ID, out var value))
+            {
+                foreach (var targetRole in targetRoles)
+                {
+                    if (value.TryGetValue(targetRole.ID, out var value1))
+                    {
+                        var act = new Rule(action.ID, GetRuleData());
+                        if (value1.Contains(act))
+                        {
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+    protected abstract IEnumerable<IRole> GetTargetRoles(IRoleProvider roleProvider);
+    protected abstract IRuleData GetRuleData();
+}

common/ASC.Core.Common/Security/UserGroupObject.cs

@@ -0,0 +1,52 @@
+// (c) Copyright Ascensio System SIA 2010-2022
+//
+// This program is a free software product.
+// You can redistribute it and/or modify it under the terms
+// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
+// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
+// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
+// any third-party rights.
+//
+// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
+// of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE. For details, see
+// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
+//
+// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
+//
+// The  interactive user interfaces in modified source and object code versions of the Program must
+// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
+//
+// Pursuant to Section 7(b) of the License you must retain the original Product logo when
+// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
+// trademark law for use of our trademarks.
+//
+// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
+// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
+// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+namespace ASC.Core.Common.Security;
+
+public class UserGroupObject : SecurityObject
+{
+    private ISubject User { get; set; }
+    private Guid GroupId { get; set; }
+
+    public UserGroupObject(ISubject user, Guid groupId)
+    {
+        SecurityId = user.ID;
+        User = user;
+        GroupId = groupId;
+        ObjectType = typeof(UserGroupObject);
+        FullId = $"{ObjectType.FullName}|{User.ID}|{GroupId}";
+    }
+
+    protected override IEnumerable<IRole> GetTargetRoles(IRoleProvider roleProvider)
+    {
+        return roleProvider.GetRoles(User);
+    }
+
+    protected override IRuleData GetRuleData()
+    {
+        return new Role(GroupId, "ruleData");
+    }
+}

common/ASC.Core.Common/Security/UserSecurityProvider.cs

@@ -24,37 +24,51 @@
 // content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
 // International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
 
+using AuthConstants = ASC.Common.Security.Authorizing.Constants;
+
 namespace ASC.Core.Users;
 
-public class UserSecurityProvider : ISecurityObject
+public class UserSecurityProvider : SecurityObject
 {
-    public Type ObjectType { get; private set; }
+    private readonly EmployeeType _employeeType;
-    public object SecurityId { get; private set; }
-    public string FullId => AzObjectIdHelper.GetFullObjectId(this);
 
     public UserSecurityProvider(Guid userId)
     {
         SecurityId = userId;
         ObjectType = typeof(UserInfo);
+        FullId = AzObjectIdHelper.GetFullObjectId(this);
+        ObjectRolesSupported = true;
     }
 
-    public bool ObjectRolesSupported => true;
+    public UserSecurityProvider(Guid userId, EmployeeType employeeType) : this(userId)
+    {
+        _employeeType = employeeType;
+    }
 
-    public IEnumerable<IRole> GetObjectRoles(ISubject account, ISecurityObjectId objectId, SecurityCallContext callContext)
+    public override IEnumerable<IRole> GetObjectRoles(ISubject account, ISecurityObjectId objectId, SecurityCallContext callContext)
     {
         var roles = new List<IRole>();
         if (account.ID.Equals(objectId.SecurityId))
         {
-            roles.Add(ASC.Common.Security.Authorizing.Constants.Self);
+            roles.Add(AuthConstants.Self);
         }
 
         return roles;
     }
 
-    public bool InheritSupported => false;
+    protected override IEnumerable<IRole> GetTargetRoles(IRoleProvider roleProvider)
-
-    public ISecurityObjectId InheritFrom(ISecurityObjectId objectId)
     {
-        throw new NotImplementedException();
+        return _employeeType switch
+        {
+            EmployeeType.DocSpaceAdmin => new[] { AuthConstants.DocSpaceAdmin },
+            EmployeeType.RoomAdmin => new[] { AuthConstants.RoomAdmin },
+            EmployeeType.User => new[] { AuthConstants.User },
+            _ => throw new NotImplementedException(),
+        };
+    }
+
+    protected override IRuleData GetRuleData()
+    {
+        return null;
     }
 }

common/ASC.Core.Common/Users/UserExtensions.cs

@@ -96,6 +96,11 @@ public static class UserExtensions
         return !string.IsNullOrEmpty(ui.SsoNameId);
     }
 
+    public static EmployeeType GetUserType(this UserManager userManager, Guid id)
+    {
+        return userManager.IsDocSpaceAdmin(id) ? EmployeeType.DocSpaceAdmin : userManager.IsUser(id) ? EmployeeType.User : EmployeeType.RoomAdmin;
+    }
+
     private const string _extMobPhone = "extmobphone";
     private const string _mobPhone = "mobphone";
     private const string _extMail = "extmail";

products/ASC.People/Server/Api/PeopleControllerBase.cs

@@ -72,9 +72,12 @@ public abstract class PeopleControllerBase : ApiControllerBase
         return user;
     }
 
-    protected void UpdateContacts(IEnumerable<Contact> contacts, UserInfo user)
+    protected void UpdateContacts(IEnumerable<Contact> contacts, UserInfo user, bool checkPermissions = true)
     {
-        _permissionContext.DemandPermissions(new UserSecurityProvider(user.Id), Constants.Action_EditUser);
+        if (checkPermissions)
+        {
+            _permissionContext.DemandPermissions(new UserSecurityProvider(user.Id), Constants.Action_EditUser);
+        }
 
         if (contacts == null)
         {

products/ASC.People/Server/Api/UserController.cs

@@ -206,15 +206,14 @@ public class UserController : PeopleControllerBase
     {
         _apiContext.AuthByClaim();
 
-        _permissionContext.DemandPermissions(Constants.Action_AddRemoveUser);
-
         var options = inDto.FromInviteLink ? await _roomLinkService.GetOptionsAsync(inDto.Key, inDto.Email, inDto.Type) : null;
-
         if (options != null && !options.IsCorrect)
         {
             throw new SecurityException(FilesCommonResource.ErrorMessage_InvintationLink);
         }
 
+        _permissionContext.DemandPermissions(new UserSecurityProvider(Guid.Empty, inDto.Type) ,Constants.Action_AddRemoveUser);
+
         inDto.Type = options != null ? options.EmployeeType : inDto.Type;
 
         var user = new UserInfo();
@@ -264,9 +263,9 @@ public class UserController : PeopleControllerBase
         user.BirthDate = inDto.Birthday != null && inDto.Birthday != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Birthday) : null;
         user.WorkFromDate = inDto.Worksfrom != null && inDto.Worksfrom != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Worksfrom) : DateTime.UtcNow.Date;
 
-        UpdateContacts(inDto.Contacts, user);
+        UpdateContacts(inDto.Contacts, user, !inDto.FromInviteLink);
         _cache.Insert("REWRITE_URL" + _tenantManager.GetCurrentTenant().Id, HttpContext.Request.GetUrlRewriter().ToString(), TimeSpan.FromMinutes(5));
-        user = await _userManagerWrapper.AddUser(user, inDto.PasswordHash, inDto.FromInviteLink, true, inDto.Type == EmployeeType.User, inDto.FromInviteLink, true, true, byEmail, inDto.Type == EmployeeType.DocSpaceAdmin);
+        user = await _userManagerWrapper.AddUser(user, inDto.PasswordHash, inDto.FromInviteLink, true, inDto.Type == EmployeeType.User, inDto.FromInviteLink && options.IsCorrect, true, true, byEmail, inDto.Type == EmployeeType.DocSpaceAdmin);
 
         await UpdateDepartments(inDto.Department, user);
 
@@ -302,6 +301,11 @@ public class UserController : PeopleControllerBase
     {
         foreach (var invite in inDto.Invitations)
         {
+            if (!_permissionContext.CheckPermissions(new UserSecurityProvider(Guid.Empty, invite.Type), Constants.Action_AddRemoveUser))
+            {
+                continue;
+            }
+
             var user = await _userManagerWrapper.AddInvitedUserAsync(invite.Email, invite.Type);
             var link = _roomLinkService.GetInvitationLink(user.Email, invite.Type, _authContext.CurrentAccount.ID);
 

web/ASC.Web.Api/Api/PortalController.cs

@@ -143,9 +143,9 @@ public class PortalController : ControllerBase
     [HttpGet("users/invite/{employeeType}")]
     public object GeInviteLink(EmployeeType employeeType)
     {
-        if (!_webItemSecurity.IsProductAdministrator(WebItemManager.PeopleProductID, _authContext.CurrentAccount.ID))
+        if (!_permissionContext.CheckPermissions(new UserSecurityProvider(Guid.Empty, employeeType), ASC.Core.Users.Constants.Action_AddRemoveUser))
         {
-            throw new SecurityException("Method not available");
+            return string.Empty;
         }
 
         return _commonLinkUtility.GetConfirmationEmailUrl(string.Empty, ConfirmType.LinkInvite, (int)employeeType, _authContext.CurrentAccount.ID)

web/ASC.Web.Core/Users/UserManagerWrapper.cs

@@ -117,12 +117,7 @@ public sealed class UserManagerWrapper
 
         if (_userManager.GetUserByEmail(mail.Address).Id != Constants.LostUser.Id)
         {
-            throw new InvalidOperationException($"User with email {mail.Address} already exists or is invited");
+            throw new Exception(_customNamingPeople.Substitute<Resource>("ErrorEmailAlreadyExists"));
-        }
-
-        if (type is EmployeeType.RoomAdmin or EmployeeType.DocSpaceAdmin)
-        {
-            await _countManagerChecker.CheckAppend();
         }
 
         var user = new UserInfo
@@ -135,7 +130,9 @@ public sealed class UserManagerWrapper
             Status = EmployeeStatus.Active,
         };
 
-        var newUser = await _userManager.SaveUserInfo(user);
+        user.UserName = MakeUniqueName(user);
+
+        var newUser = await _userManager.SaveUserInfo(user, type == EmployeeType.User);
 
         var groupId = type switch
         {
@@ -226,11 +223,11 @@ public sealed class UserManagerWrapper
 
         if (isUser)
         {
-            await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupUser.ID);
+            await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupUser.ID, true);
         }
         else if (isAdmin)
         {
-            await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupAdmin.ID);
+            await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupAdmin.ID, true);
         }
 
         return newUserInfo;