Org managers have full access to projects owned by their org (#919)

rmunn · hahn-kev · web-flow · commit e99ed2171364 · 2024-07-08T15:50:43.000+07:00
* Org managers have full access to projects in their org

Org managers can view, edit, and sync any projects owned by the org they
manage, even if they themselves are not explicitly listed as a member of
that project. This is similar to how site admins have full access to
anything, except restricted to projects owned by the org(s) in question.

* Await PermissionService calls that are now async

Some PermissionService calls now have to be async because they query the
database. We try to cache the results of those queries when possible to
save time, but the queries still need to be async. Async calls can't be
used in the Where clause of a LINQ expression, so CanSyncProject had to
be split into sync and async versions; the sync version doesn't query
whether a user is an org manager/admin, but the only place where it's
called is in a method that has already checked org managership earlier.

* Allow org admins to edit project data in frontend

* Fix LexAuthUserTests

* Set up to test cloning confidential projects

First step is to teach integration fixture how to create confidential
projects.

* IntegrationFixture can now create projects owned by orgs

Now we're ready to test Send/Receive of confidential projects by an org
manager who's not explicitly listed as a project member.

* Test S/R of confidential project by org manager

* Cache project ID to org IDs list for 1 hour

This will greatly reduce the number of lookups that need to be made when
an organization manager are trying to manage a project that he's not an
explicit member of.

* Also cache project confidentiality for 1 hour

---------

Co-authored-by: Kevin Hahn &lt;kevin_hahn@sil.org&gt;
diff --git a/backend/LexBoxApi/Auth/JwtTicketDataFormat.cs b/backend/LexBoxApi/Auth/JwtTicketDataFormat.cs
@@ -93,7 +93,7 @@ public static void FixUpArrayClaims(JwtSecurityToken token)
         {
             if (!token.Payload.TryGetValue(claimName, out var value))
             {
-                return; // no claim to fix up, so nothing to do
+                continue; // no claim to fix up, so nothing to do
             }
 
             // if there's only 1 object it will be a stored in the payload as just an object and not an array.
diff --git a/backend/LexBoxApi/Controllers/IntegrationController.cs b/backend/LexBoxApi/Controllers/IntegrationController.cs
@@ -35,7 +35,7 @@ public class IntegrationController(
     [ProducesResponseType(StatusCodes.Status302Found)]
     public async Task<ActionResult> OpenWithFlex(Guid projectId)
     {
-        if (!permissionService.CanSyncProject(projectId)) return Unauthorized();
+        if (!await permissionService.CanSyncProjectAsync(projectId)) return Unauthorized();
         var project = await lexBoxDbContext.Projects.FirstOrDefaultAsync(p => p.Id == projectId);
         if (project is null) return NotFound();
         var repoId = await hgService.GetRepositoryIdentifier(project);
diff --git a/backend/LexBoxApi/GraphQL/OrgMutations.cs b/backend/LexBoxApi/GraphQL/OrgMutations.cs
@@ -1,6 +1,7 @@
 ﻿using LexBoxApi.Auth;
 using LexBoxApi.Auth.Attributes;
 using LexBoxApi.Models.Org;
+using LexBoxApi.Services;
 using LexCore.Entities;
 using LexCore.Exceptions;
 using LexCore.ServiceInterfaces;
@@ -61,6 +62,7 @@ public async Task<Organization> DeleteOrg(Guid orgId,
     public async Task<IQueryable<Organization>> AddProjectToOrg(
         LexBoxDbContext dbContext,
         IPermissionService permissionService,
+        [Service] ProjectService projectService,
         Guid orgId,
         Guid projectId)
     {
@@ -71,7 +73,7 @@ public async Task<IQueryable<Organization>> AddProjectToOrg(
             .Include(p => p.Organizations)
             .SingleOrDefaultAsync();
         NotFoundException.ThrowIfNull(project);
-        permissionService.AssertCanManageProject(projectId);
+        await permissionService.AssertCanManageProject(projectId);
 
         if (project.Organizations.Exists(o => o.Id == orgId))
         {
@@ -81,6 +83,7 @@ public async Task<IQueryable<Organization>> AddProjectToOrg(
         project.Organizations.Add(org);
         project.UpdateUpdatedDate();
         org.UpdateUpdatedDate();
+        projectService.InvalidateProjectOrgIdsCache(projectId);
         await dbContext.SaveChangesAsync();
         return dbContext.Orgs.Where(o => o.Id == orgId);
     }
@@ -93,6 +96,7 @@ public async Task<IQueryable<Organization>> AddProjectToOrg(
     public async Task<IQueryable<Organization>> RemoveProjectFromOrg(
         LexBoxDbContext dbContext,
         IPermissionService permissionService,
+        [Service] ProjectService projectService,
         Guid orgId,
         Guid projectId)
     {
@@ -103,13 +107,14 @@ public async Task<IQueryable<Organization>> RemoveProjectFromOrg(
             .Include(p => p.Organizations)
             .SingleOrDefaultAsync();
         NotFoundException.ThrowIfNull(project);
-        permissionService.AssertCanManageProject(projectId);
+        await permissionService.AssertCanManageProject(projectId);
         var foundOrg = project.Organizations.FirstOrDefault(o => o.Id == orgId);
         if (foundOrg is not null)
         {
             project.Organizations.Remove(foundOrg);
             project.UpdateUpdatedDate();
             org.UpdateUpdatedDate();
+            projectService.InvalidateProjectOrgIdsCache(projectId);
             await dbContext.SaveChangesAsync();
         }
         // If org did not own project, return with no error
diff --git a/backend/LexBoxApi/GraphQL/ProjectMutations.cs b/backend/LexBoxApi/GraphQL/ProjectMutations.cs
@@ -75,7 +75,7 @@ public async Task<IQueryable<Project>> AddProjectMember(IPermissionService permi
         LexBoxDbContext dbContext,
         [Service] IEmailService emailService)
     {
-        permissionService.AssertCanManageProject(input.ProjectId);
+        await permissionService.AssertCanManageProject(input.ProjectId);
         var project = await dbContext.Projects.FindAsync(input.ProjectId);
         NotFoundException.ThrowIfNull(project);
         var user = await dbContext.Users.Include(u => u.Projects).FindByEmailOrUsername(input.UsernameOrEmail);
@@ -231,7 +231,7 @@ public async Task<IQueryable<ProjectUsers>> ChangeProjectMemberRole(
         IPermissionService permissionService,
         LexBoxDbContext dbContext)
     {
-        permissionService.AssertCanManageProjectMemberRole(input.ProjectId, input.UserId);
+        await permissionService.AssertCanManageProjectMemberRole(input.ProjectId, input.UserId);
         var projectUser =
             await dbContext.ProjectUsers
                 .Include(r => r.Project)
@@ -259,7 +259,7 @@ public async Task<IQueryable<Project>> ChangeProjectName(ChangeProjectNameInput
         IPermissionService permissionService,
         LexBoxDbContext dbContext)
     {
-        permissionService.AssertCanManageProject(input.ProjectId);
+        await permissionService.AssertCanManageProject(input.ProjectId);
         if (input.Name.IsNullOrEmpty()) throw new RequiredException("Project name cannot be empty");
 
         var project = await dbContext.Projects.FindAsync(input.ProjectId);
@@ -280,7 +280,7 @@ public async Task<IQueryable<Project>> ChangeProjectDescription(ChangeProjectDes
         IPermissionService permissionService,
         LexBoxDbContext dbContext)
     {
-        permissionService.AssertCanManageProject(input.ProjectId);
+        await permissionService.AssertCanManageProject(input.ProjectId);
         var project = await dbContext.Projects.FindAsync(input.ProjectId);
         NotFoundException.ThrowIfNull(project);
 
@@ -297,14 +297,16 @@ public async Task<IQueryable<Project>> ChangeProjectDescription(ChangeProjectDes
     [UseProjection]
     public async Task<IQueryable<Project>> SetProjectConfidentiality(SetProjectConfidentialityInput input,
         IPermissionService permissionService,
+        [Service] ProjectService projectService,
         LexBoxDbContext dbContext)
     {
-        permissionService.AssertCanManageProject(input.ProjectId);
+        await permissionService.AssertCanManageProject(input.ProjectId);
         var project = await dbContext.Projects.FindAsync(input.ProjectId);
         NotFoundException.ThrowIfNull(project);
 
         project.IsConfidential = input.IsConfidential;
         project.UpdateUpdatedDate();
+        projectService.InvalidateProjectConfidentialityCache(input.ProjectId);
         await dbContext.SaveChangesAsync();
         return dbContext.Projects.Where(p => p.Id == input.ProjectId);
     }
@@ -340,7 +342,7 @@ public async Task<IQueryable<Project>> RemoveProjectMember(RemoveProjectMemberIn
         IPermissionService permissionService,
         LexBoxDbContext dbContext)
     {
-        permissionService.AssertCanManageProject(input.ProjectId);
+        await permissionService.AssertCanManageProject(input.ProjectId);
         await dbContext.ProjectUsers.Where(pu => pu.ProjectId == input.ProjectId && pu.UserId == input.UserId)
             .ExecuteDeleteAsync();
         // Not doing .Include() above because we don't want the project or user removed, just the many-to-many table row
@@ -379,10 +381,11 @@ public async Task<DraftProject> DeleteDraftProject(
     public async Task<IQueryable<Project>> SoftDeleteProject(
         Guid projectId,
         IPermissionService permissionService,
+        [Service] ProjectService projectService,
         LexBoxDbContext dbContext,
         IHgService hgService)
     {
-        permissionService.AssertCanManageProject(projectId);
+        await permissionService.AssertCanManageProject(projectId);
 
         var project = await dbContext.Projects.Include(p => p.Users).FirstOrDefaultAsync(p => p.Id == projectId);
         if (project is null)
@@ -402,6 +405,7 @@ public async Task<IQueryable<Project>> SoftDeleteProject(
         using var transaction = await dbContext.Database.BeginTransactionAsync();
         await dbContext.SaveChangesAsync();
         await hgService.SoftDeleteRepo(projectCode, timestamp);
+        projectService.InvalidateProjectConfidentialityCache(projectId);
         await transaction.CommitAsync();
 
         return dbContext.Projects.Where(p => p.Id == projectId);
diff --git a/backend/LexBoxApi/Services/PermissionService.cs b/backend/LexBoxApi/Services/PermissionService.cs
@@ -2,23 +2,33 @@
 using LexCore.Auth;
 using LexCore.Entities;
 using LexCore.ServiceInterfaces;
-using LexData;
 
 namespace LexBoxApi.Services;
 
 public class PermissionService(
     LoggedInContext loggedInContext,
-    LexBoxDbContext dbContext,
     ProjectService projectService)
     : IPermissionService
 {
     private LexAuthUser? User => loggedInContext.MaybeUser;
 
+    private async ValueTask<bool> ManagesOrgThatOwnsProject(Guid projectId)
+    {
+        if (User is not null && User.Orgs.Any(o => o.Role == OrgRole.Admin))
+        {
+            // Org admins can view, edit, and sync all projects, even confidential ones
+            var managedOrgIds = User.Orgs.Where(o => o.Role == OrgRole.Admin).Select(o => o.OrgId).ToHashSet();
+            var projectOrgIds = await projectService.LookupProjectOrgIds(projectId);
+            if (projectOrgIds.Any(oId => managedOrgIds.Contains(oId))) return true;
+        }
+        return false;
+    }
+
     public async ValueTask<bool> CanSyncProject(string projectCode)
     {
         if (User is null) return false;
         if (User.Role == UserRole.admin) return true;
-        return CanSyncProject(await projectService.LookupProjectId(projectCode));
+        return await CanSyncProjectAsync(await projectService.LookupProjectId(projectCode));
     }
 
     public bool CanSyncProject(Guid projectId)
@@ -29,24 +39,32 @@ public bool CanSyncProject(Guid projectId)
         return User.Projects.Any(p => p.ProjectId == projectId);
     }
 
+    public async ValueTask<bool> CanSyncProjectAsync(Guid projectId)
+    {
+        if (CanSyncProject(projectId)) return true;
+        // Org managers can sync any project owned by their org(s)
+        return await ManagesOrgThatOwnsProject(projectId);
+    }
+
     public async ValueTask AssertCanSyncProject(string projectCode)
     {
         if (!await CanSyncProject(projectCode)) throw new UnauthorizedAccessException();
     }
 
-    public void AssertCanSyncProject(Guid projectId)
+    public async ValueTask AssertCanSyncProject(Guid projectId)
     {
-        if (!CanSyncProject(projectId)) throw new UnauthorizedAccessException();
+        if (!await CanSyncProjectAsync(projectId)) throw new UnauthorizedAccessException();
     }
 
     public async ValueTask<bool> CanViewProject(Guid projectId)
     {
         if (User is not null && User.Role == UserRole.admin) return true;
         if (User is not null && User.Projects.Any(p => p.ProjectId == projectId)) return true;
-        var project = await dbContext.Projects.FindAsync(projectId);
-        if (project is null) return false;
-        if (project.IsConfidential is null) return false; // Private by default
-        return project.IsConfidential == false; // Explicitly set to public
+        // Org admins can view all projects, even confidential ones
+        if (await ManagesOrgThatOwnsProject(projectId)) return true;
+        var isConfidential = await projectService.LookupProjectConfidentiality(projectId);
+        if (isConfidential is null) return false; // Private by default
+        return isConfidential == false; // Explicitly set to public
     }
 
     public async ValueTask AssertCanViewProject(Guid projectId)
@@ -65,22 +83,23 @@ public async ValueTask AssertCanViewProject(string projectCode)
         if (!await CanViewProject(projectCode)) throw new UnauthorizedAccessException();
     }
 
-    public bool CanManageProject(Guid projectId)
+    public async ValueTask<bool> CanManageProject(Guid projectId)
     {
         if (User is null) return false;
         if (User.Role == UserRole.admin) return true;
-        return User.Projects.Any(p => p.ProjectId == projectId && p.Role == ProjectRole.Manager);
+        if (User.Projects.Any(p => p.ProjectId == projectId && p.Role == ProjectRole.Manager)) return true;
+        return await ManagesOrgThatOwnsProject(projectId);
     }
 
-    public void AssertCanManageProject(Guid projectId)
+    public async ValueTask AssertCanManageProject(Guid projectId)
     {
-        if (!CanManageProject(projectId)) throw new UnauthorizedAccessException();
+        if (!await CanManageProject(projectId)) throw new UnauthorizedAccessException();
     }
 
-    public void AssertCanManageProjectMemberRole(Guid projectId, Guid userId)
+    public async ValueTask AssertCanManageProjectMemberRole(Guid projectId, Guid userId)
     {
         if (User is null) throw new UnauthorizedAccessException();
-        AssertCanManageProject(projectId);
+        await AssertCanManageProject(projectId);
         if (User.Role != UserRole.admin && userId == User.Id)
             throw new UnauthorizedAccessException("Not allowed to change own project role.");
     }
diff --git a/backend/LexBoxApi/Services/ProjectService.cs b/backend/LexBoxApi/Services/ProjectService.cs
@@ -52,6 +52,8 @@ public async Task<Guid> CreateProject(CreateProjectInput input)
         }
         await dbContext.SaveChangesAsync();
         await hgService.InitRepo(input.Code);
+        InvalidateProjectOrgIdsCache(projectId);
+        InvalidateProjectConfidentialityCache(projectId);
         await transaction.CommitAsync();
         return projectId;
     }
@@ -133,6 +135,39 @@ public async Task FinishReset(string code, Stream? zipFile = null)
         await dbContext.SaveChangesAsync();
     }
 
+    public async ValueTask<Guid[]> LookupProjectOrgIds(Guid projectId)
+    {
+        var cacheKey = $"ProjectOrgsForId:{projectId}";
+        if (memoryCache.TryGetValue(cacheKey, out Guid[]? orgIds)) return orgIds ?? [];
+        orgIds = await dbContext.Projects
+            .Where(p => p.Id == projectId)
+            .Select(p => p.Organizations.Select(o => o.Id).ToArray())
+            .FirstOrDefaultAsync();
+        memoryCache.Set(cacheKey, orgIds, TimeSpan.FromHours(1));
+        return orgIds ?? [];
+    }
+
+    public void InvalidateProjectOrgIdsCache(Guid projectId)
+    {
+        try { memoryCache.Remove($"ProjectOrgsForId:{projectId}"); }
+        catch (Exception) { } // Never allow this to throw
+    }
+
+    public async ValueTask<bool?> LookupProjectConfidentiality(Guid projectId)
+    {
+        var cacheKey = $"ProjectConfidentiality:{projectId}";
+        if (memoryCache.TryGetValue(cacheKey, out bool? confidential)) return confidential;
+        var project = await dbContext.Projects.FindAsync(projectId);
+        memoryCache.Set(cacheKey, project?.IsConfidential, TimeSpan.FromHours(1));
+        return project?.IsConfidential;
+    }
+
+    public void InvalidateProjectConfidentialityCache(Guid projectId)
+    {
+        try { memoryCache.Remove($"ProjectConfidentiality:{projectId}"); }
+        catch (Exception) { } // Never allow this to throw
+    }
+
     public async Task UpdateProjectMetadataForCode(string projectCode)
     {
         var project = await dbContext.Projects
diff --git a/backend/LexCore/Entities/Organization.cs b/backend/LexCore/Entities/Organization.cs
@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations.Schema;
 using System.Linq.Expressions;
+using System.Text.Json.Serialization;
 using EntityFrameworkCore.Projectables;
 
 namespace LexCore.Entities;
@@ -30,6 +31,7 @@ public class OrgMember : EntityBase
     public Organization? Organization { get; set; }
 }
 
+[JsonConverter(typeof(JsonStringEnumConverter))]
 public enum OrgRole
 {
     Unknown = 0,
diff --git a/backend/LexCore/ServiceInterfaces/IPermissionService.cs b/backend/LexCore/ServiceInterfaces/IPermissionService.cs
@@ -5,16 +5,24 @@ namespace LexCore.ServiceInterfaces;
 public interface IPermissionService
 {
     ValueTask<bool> CanSyncProject(string projectCode);
+    /// <summary>
+    /// Does NOT check permissions for org managers, because that requires async DB access.
+    /// Use CanSyncProject(projectCode) or CanSyncProjectAsync(projectId) if org manager permissions also need to be checked.
+    /// </summary>
     bool CanSyncProject(Guid projectId);
+    /// <summary>
+    /// Does all the checks from CanSyncProject, plus allows org managers to access the org as well.
+    /// </summary>
+    ValueTask<bool> CanSyncProjectAsync(Guid projectId);
     ValueTask AssertCanSyncProject(string projectCode);
-    void AssertCanSyncProject(Guid projectId);
+    ValueTask AssertCanSyncProject(Guid projectId);
     ValueTask<bool> CanViewProject(Guid projectId);
     ValueTask AssertCanViewProject(Guid projectId);
     ValueTask<bool> CanViewProject(string projectCode);
     ValueTask AssertCanViewProject(string projectCode);
-    bool CanManageProject(Guid projectId);
-    void AssertCanManageProject(Guid projectId);
-    void AssertCanManageProjectMemberRole(Guid projectId, Guid userId);
+    ValueTask<bool> CanManageProject(Guid projectId);
+    ValueTask AssertCanManageProject(Guid projectId);
+    ValueTask AssertCanManageProjectMemberRole(Guid projectId, Guid userId);
     void AssertIsAdmin();
     void AssertCanDeleteAccount(Guid userId);
     bool HasProjectCreatePermission();
diff --git a/backend/Testing/Fixtures/IntegrationFixture.cs b/backend/Testing/Fixtures/IntegrationFixture.cs
@@ -55,9 +55,9 @@ private static void InitTemplateRepo()
         }
     }
 
-    public ProjectConfig InitLocalFlexProjectWithRepo(HgProtocol? protocol = null, [CallerMemberName] string projectName = "")
+    public ProjectConfig InitLocalFlexProjectWithRepo(HgProtocol? protocol = null, bool isConfidential = false, Guid? owningOrgId = null, [CallerMemberName] string projectName = "")
     {
-        var projectConfig = Utils.GetNewProjectConfig(protocol, projectName);
+        var projectConfig = Utils.GetNewProjectConfig(protocol, isConfidential, owningOrgId, projectName);
         InitLocalFlexProjectWithRepo(projectConfig);
         return projectConfig;
     }
diff --git a/backend/Testing/LexCore/LexAuthUserTests.cs b/backend/Testing/LexCore/LexAuthUserTests.cs
@@ -36,6 +36,7 @@ static LexAuthUserTests()
         Name = "test",
         UpdatedDate = DateTimeOffset.Now.ToUnixTimeSeconds(),
         Locale = "en",
+        Orgs = [ new AuthUserOrg(OrgRole.Admin, LexData.SeedingData.TestOrgId) ],
         Projects = new[]
         {
             new AuthUserProject(ProjectRole.Manager, new Guid("42f566c0-a4d2-48b5-a1e1-59c82289ff99"))
@@ -183,7 +184,8 @@ public void CanParseFromKnownGoodJwt()
         var newUser = LexAuthUser.FromClaimsPrincipal(principal);
         newUser.ShouldNotBeNull();
         newUser.UpdatedDate.ShouldBe(0);
-        //old jwt doesn't have updated date, we're ok with that so we correct the value to make the equivalence work
+        //old jwt doesn't have updated date or orgs, we're ok with that so we correct the values to make the equivalence work
+        newUser.Orgs = [ new AuthUserOrg(OrgRole.Admin, LexData.SeedingData.TestOrgId) ];
         newUser.UpdatedDate = _user.UpdatedDate;
         newUser.ShouldBeEquivalentTo(_user);
     }
diff --git a/backend/Testing/Services/Utils.cs b/backend/Testing/Services/Utils.cs
diff --git a/backend/Testing/SyncReverseProxy/SendReceiveServiceTests.cs b/backend/Testing/SyncReverseProxy/SendReceiveServiceTests.cs
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
diff --git a/frontend/src/routes/(authenticated)/project/[project_code]/+page.svelte b/frontend/src/routes/(authenticated)/project/[project_code]/+page.svelte
diff --git a/frontend/src/routes/(authenticated)/project/[project_code]/+page.ts b/frontend/src/routes/(authenticated)/project/[project_code]/+page.ts

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ public static void FixUpArrayClaims(JwtSecurityToken token)`
`93`	`93`	`{`
`94`	`94`	`if (!token.Payload.TryGetValue(claimName, out var value))`
`95`	`95`	`{`
`96`		`- return; // no claim to fix up, so nothing to do`
	`96`	`+ continue; // no claim to fix up, so nothing to do`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`// if there's only 1 object it will be a stored in the payload as just an object and not an array.`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public class IntegrationController(`
`35`	`35`	`[ProducesResponseType(StatusCodes.Status302Found)]`
`36`	`36`	`public async Task<ActionResult> OpenWithFlex(Guid projectId)`
`37`	`37`	`{`
`38`		`- if (!permissionService.CanSyncProject(projectId)) return Unauthorized();`
	`38`	`+ if (!await permissionService.CanSyncProjectAsync(projectId)) return Unauthorized();`
`39`	`39`	`var project = await lexBoxDbContext.Projects.FirstOrDefaultAsync(p => p.Id == projectId);`
`40`	`40`	`if (project is null) return NotFound();`
`41`	`41`	`var repoId = await hgService.GetRepositoryIdentifier(project);`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`using System.ComponentModel.DataAnnotations.Schema;`
`2`	`2`	`using System.Linq.Expressions;`
	`3`	`+using System.Text.Json.Serialization;`
`3`	`4`	`using EntityFrameworkCore.Projectables;`
`4`	`5`
`5`	`6`	`namespace LexCore.Entities;`
`@@ -30,6 +31,7 @@ public class OrgMember : EntityBase`
`30`	`31`	`public Organization? Organization { get; set; }`
`31`	`32`	`}`
`32`	`33`
	`34`	`+[JsonConverter(typeof(JsonStringEnumConverter))]`
`33`	`35`	`public enum OrgRole`
`34`	`36`	`{`
`35`	`37`	`Unknown = 0,`
Original file line number	Diff line number	Diff line change
`@@ -55,9 +55,9 @@ private static void InitTemplateRepo()`
`55`	`55`	`}`
`56`	`56`	`}`
`57`	`57`
`58`		`- public ProjectConfig InitLocalFlexProjectWithRepo(HgProtocol? protocol = null, [CallerMemberName] string projectName = "")`
	`58`	`+ public ProjectConfig InitLocalFlexProjectWithRepo(HgProtocol? protocol = null, bool isConfidential = false, Guid? owningOrgId = null, [CallerMemberName] string projectName = "")`
`59`	`59`	`{`
`60`		`- var projectConfig = Utils.GetNewProjectConfig(protocol, projectName);`
	`60`	`+ var projectConfig = Utils.GetNewProjectConfig(protocol, isConfidential, owningOrgId, projectName);`
`61`	`61`	`InitLocalFlexProjectWithRepo(projectConfig);`
`62`	`62`	`return projectConfig;`
`63`	`63`	`}`