fix: scope organization access by membership

backend/src/Socialize.Api/Modules/Campaigns/Handlers/GetCampaigns.cs

@@ -34,23 +34,20 @@ internal class GetCampaignsHandler(
     {
         IQueryable<Campaign> query = dbContext.Campaigns.AsQueryable();
 
-        if (!AccessScopeService.IsManager(User))
+        IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+        IReadOnlyCollection<Guid> clientScopeIds = User.GetClientScopeIds();
+        IReadOnlyCollection<Guid> campaignScopeIds = User.GetCampaignScopeIds();
+
+        query = query.Where(campaign => workspaceScopeIds.Contains(campaign.WorkspaceId));
+
+        if (!AccessScopeService.IsManager(User) && clientScopeIds.Count > 0)
         {
-            IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
-            IReadOnlyCollection<Guid> clientScopeIds = User.GetClientScopeIds();
-            IReadOnlyCollection<Guid> campaignScopeIds = User.GetCampaignScopeIds();
+            query = query.Where(campaign => clientScopeIds.Contains(campaign.ClientId));
+        }
 
-            query = query.Where(campaign => workspaceScopeIds.Contains(campaign.WorkspaceId));
-
-            if (clientScopeIds.Count > 0)
-            {
-                query = query.Where(campaign => clientScopeIds.Contains(campaign.ClientId));
-            }
-
-            if (campaignScopeIds.Count > 0)
-            {
-                query = query.Where(campaign => campaignScopeIds.Contains(campaign.Id));
-            }
+        if (!AccessScopeService.IsManager(User) && campaignScopeIds.Count > 0)
+        {
+            query = query.Where(campaign => campaignScopeIds.Contains(campaign.Id));
         }
 
         if (request.ClientId.HasValue)

backend/src/Socialize.Api/Modules/Channels/Handlers/GetChannels.cs

@@ -23,11 +23,8 @@ internal class GetChannelsHandler(
     {
         IQueryable<Channel> query = dbContext.Channels.AsQueryable();
 
-        if (!AccessScopeService.IsManager(User))
-        {
-            IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
-            query = query.Where(channel => workspaceScopeIds.Contains(channel.WorkspaceId));
-        }
+        IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+        query = query.Where(channel => workspaceScopeIds.Contains(channel.WorkspaceId));
 
         if (request.WorkspaceId.HasValue)
         {

backend/src/Socialize.Api/Modules/Clients/Handlers/GetClients.cs

@@ -33,18 +33,14 @@ internal class GetClientsHandler(
     {
         IQueryable<Client> query = dbContext.Clients.AsQueryable();
 
-        if (!AccessScopeService.IsManager(User))
+        IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+        IReadOnlyCollection<Guid> clientScopeIds = User.GetClientScopeIds();
+
+        query = query.Where(client => workspaceScopeIds.Contains(client.WorkspaceId));
+
+        if (!AccessScopeService.IsManager(User) && clientScopeIds.Count > 0)
         {
-            IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
-            IReadOnlyCollection<Guid> clientScopeIds = User.GetClientScopeIds();
-
-            query = query.Where(client => workspaceScopeIds.Contains(client.WorkspaceId));
-
-            if (clientScopeIds.Count > 0)
-            {
-                query = query.Where(client => clientScopeIds.Contains(client.Id));
-            }
-
+            query = query.Where(client => clientScopeIds.Contains(client.Id));
         }
 
         if (request.WorkspaceId.HasValue)

backend/src/Socialize.Api/Modules/ContentItems/Handlers/GetContentItems.cs

@@ -37,23 +37,20 @@ internal class GetContentItemsHandler(
     {
         IQueryable<ContentItem> query = dbContext.ContentItems.AsQueryable();
 
-        if (!AccessScopeService.IsManager(User))
+        IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+        IReadOnlyCollection<Guid> clientScopeIds = User.GetClientScopeIds();
+        IReadOnlyCollection<Guid> campaignScopeIds = User.GetCampaignScopeIds();
+
+        query = query.Where(item => workspaceScopeIds.Contains(item.WorkspaceId));
+
+        if (!AccessScopeService.IsManager(User) && clientScopeIds.Count > 0)
         {
-            IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
-            IReadOnlyCollection<Guid> clientScopeIds = User.GetClientScopeIds();
-            IReadOnlyCollection<Guid> campaignScopeIds = User.GetCampaignScopeIds();
+            query = query.Where(item => clientScopeIds.Contains(item.ClientId));
+        }
 
-            query = query.Where(item => workspaceScopeIds.Contains(item.WorkspaceId));
-
-            if (clientScopeIds.Count > 0)
-            {
-                query = query.Where(item => clientScopeIds.Contains(item.ClientId));
-            }
-
-            if (campaignScopeIds.Count > 0)
-            {
-                query = query.Where(item => campaignScopeIds.Contains(item.CampaignId));
-            }
+        if (!AccessScopeService.IsManager(User) && campaignScopeIds.Count > 0)
+        {
+            query = query.Where(item => campaignScopeIds.Contains(item.CampaignId));
         }
 
         if (request.WorkspaceId.HasValue)

backend/src/Socialize.Api/Modules/Notifications/Handlers/GetNotifications.cs

@@ -56,13 +56,10 @@ internal class GetNotificationsHandler(
         IQueryable<NotificationEvent> query = dbContext.NotificationEvents.AsQueryable();
         Guid currentUserId = User.GetUserId();
 
-        if (!AccessScopeService.IsManager(User))
-        {
-            IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
-            query = query.Where(notificationEvent =>
-                workspaceScopeIds.Contains(notificationEvent.WorkspaceId) ||
-                notificationEvent.RecipientUserId == currentUserId);
-        }
+        IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+        query = query.Where(notificationEvent =>
+            workspaceScopeIds.Contains(notificationEvent.WorkspaceId) ||
+            notificationEvent.RecipientUserId == currentUserId);
 
         query = query.Where(notificationEvent =>
             notificationEvent.RecipientUserId == null ||

backend/src/Socialize.Api/Modules/Organizations/Services/OrganizationAccessService.cs

@@ -2,29 +2,16 @@ using System.Security.Claims;
 using Microsoft.EntityFrameworkCore;
 using Socialize.Api.Data;
 using Socialize.Api.Infrastructure.Security;
-using Socialize.Api.Modules.Identity.Contracts;
 
 namespace Socialize.Api.Modules.Organizations.Services;
 
 internal sealed class OrganizationAccessService(
     AppDbContext dbContext)
 {
-    public static bool IsGlobalManager(ClaimsPrincipal user)
-    {
-        return user.IsInRole(KnownRoles.Administrator) || user.IsInRole(KnownRoles.Manager);
-    }
-
     public async Task<IReadOnlyCollection<Guid>> GetAccessibleOrganizationIdsAsync(
         ClaimsPrincipal user,
         CancellationToken ct)
     {
-        if (IsGlobalManager(user))
-        {
-            return await dbContext.Organizations
-                .Select(organization => organization.Id)
-                .ToArrayAsync(ct);
-        }
-
         Guid userId = user.GetUserId();
 
         Guid[] ownedOrganizationIds = await dbContext.Organizations
@@ -47,13 +34,6 @@ internal sealed class OrganizationAccessService(
         ClaimsPrincipal user,
         CancellationToken ct)
     {
-        if (IsGlobalManager(user))
-        {
-            return await dbContext.Workspaces
-                .Select(workspace => workspace.Id)
-                .ToArrayAsync(ct);
-        }
-
         Guid[] directWorkspaceIds = user.GetWorkspaceScopeIds().ToArray();
         Guid[] organizationWorkspaceIds = await GetInheritedWorkspaceIdsAsync(user, OrganizationPermissions.AccessOwnedWorkspaces, ct);
 
@@ -68,11 +48,6 @@ internal sealed class OrganizationAccessService(
         Guid organizationId,
         CancellationToken ct)
     {
-        if (IsGlobalManager(user))
-        {
-            return true;
-        }
-
         Guid userId = user.GetUserId();
 
         return await dbContext.Organizations.AnyAsync(
@@ -89,11 +64,6 @@ internal sealed class OrganizationAccessService(
         string permission,
         CancellationToken ct)
     {
-        if (IsGlobalManager(user))
-        {
-            return true;
-        }
-
         Guid userId = user.GetUserId();
 
         bool owner = await dbContext.Organizations.AnyAsync(
@@ -117,11 +87,6 @@ internal sealed class OrganizationAccessService(
         Guid organizationId,
         CancellationToken ct)
     {
-        if (IsGlobalManager(user))
-        {
-            return OrganizationPermissionRules.GetPermissionsForRole(OrganizationRoles.Owner);
-        }
-
         Guid userId = user.GetUserId();
 
         bool owner = await dbContext.Organizations.AnyAsync(
@@ -150,11 +115,6 @@ internal sealed class OrganizationAccessService(
         string permission,
         CancellationToken ct)
     {
-        if (IsGlobalManager(user))
-        {
-            return true;
-        }
-
         Guid? organizationId = await dbContext.Workspaces
             .Where(workspace => workspace.Id == workspaceId)
             .Select(workspace => (Guid?)workspace.OrganizationId)