[PM-11162] Assign To Collections Permission Update (#11367)

Only users with Manage/Edit permissions will be allowed to Assign To Collections. If the user has Can Edit Except Password the collections dropdown will be disabled. --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com> Co-authored-by: kejaeger <138028972+kejaeger@users.noreply.github.com>
2025-12-06 00:13:28 +00:00 · 2025-02-04 15:44:59 -05:00
parent 1b3bc71e50
commit 327aed9763
15 changed files with 143 additions and 142 deletions
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -4155,15 +4155,6 @@
  "itemName": {
    "message": "Item name"
  },
-  "cannotRemoveViewOnlyCollections": {
-    "message": "You cannot remove collections with View only permissions: $COLLECTIONS$",
-    "placeholders": {
-      "collections": {
-        "content": "$1",
-        "example": "Work, Personal"
-      }
-    }
-  },
  "organizationIsDeactivated": {
    "message": "Organization is deactivated"
  },
@@ -4896,6 +4887,15 @@
  "extraWide": {
    "message": "Extra wide"
  },
+  "cannotRemoveViewOnlyCollections": {
+    "message": "You cannot remove collections with View only permissions: $COLLECTIONS$",
+    "placeholders": {
+      "collections": {
+        "content": "$1",
+        "example": "Work, Personal"
+      }
+    }
+  },
  "updateDesktopAppOrDisableFingerprintDialogTitle": {
    "message": "Please update your desktop application"
  },
--- a/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.html
+++ b/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.html
@@ -27,7 +27,7 @@
    <button type="button" bitMenuItem (click)="toggleFavorite()">
      {{ favoriteText | i18n }}
    </button>
-    <ng-container *ngIf="canEdit">
+    <ng-container *ngIf="canEdit && canViewPassword">
      <a bitMenuItem (click)="clone()" *ngIf="canClone$ | async">
        {{ "clone" | i18n }}
      </a>
--- a/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.ts
@@ -97,6 +97,9 @@ export class ItemMoreOptionsComponent implements OnInit {
    return this.cipher.edit;
  }

+  get canViewPassword() {
+    return this.cipher.viewPassword;
+  }
  /**
   * Determines if the cipher can be autofilled.
   */
--- a/apps/cli/src/commands/edit.command.ts
+++ b/apps/cli/src/commands/edit.command.ts
@@ -123,6 +123,9 @@ export class EditCommand {
        "Item does not belong to an organization. Consider moving it first.",
      );
    }
+    if (!cipher.viewPassword) {
+      return Response.noEditPermission();
+    }

    cipher.collectionIds = req;
    try {
--- a/apps/cli/src/models/response.ts
+++ b/apps/cli/src/models/response.ts
@@ -39,6 +39,10 @@ export class Response {
    return Response.error("Not found.");
  }

+  static noEditPermission(): Response {
+    return Response.error("You do not have permission to edit this item");
+  }
+
  static badRequest(message: string): Response {
    return Response.error(message);
  }
--- a/apps/desktop/src/vault/app/vault/collections.component.html
+++ b/apps/desktop/src/vault/app/vault/collections.component.html
@@ -21,6 +21,7 @@
                type="checkbox"
                [(ngModel)]="$any(c).checked"
                name="Collection[{{ i }}].Checked"
+                [disabled]="!cipher.canAssignToCollections"
              />
            </div>
          </div>
--- a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
@@ -42,6 +42,7 @@ export class VaultCipherRowComponent implements OnInit {
  @Input() collections: CollectionView[];
  @Input() viewingOrgVault: boolean;
  @Input() canEditCipher: boolean;
+  @Input() canAssignCollections: boolean;
  @Input() canManageCollection: boolean;

  @Output() onEvent = new EventEmitter<VaultItemEvent>();
@@ -101,7 +102,7 @@ export class VaultCipherRowComponent implements OnInit {
  }

  protected get showAssignToCollections() {
-    return this.organizations?.length && this.canEditCipher && !this.cipher.isDeleted;
+    return this.organizations?.length && this.canAssignCollections && !this.cipher.isDeleted;
  }

  protected get showClone() {
@@ -208,6 +209,6 @@ export class VaultCipherRowComponent implements OnInit {
      return true; // Always show checkbox in individual vault or for non-org items
    }

-    return this.organization.canEditAllCiphers || this.cipher.edit;
+    return this.organization.canEditAllCiphers || (this.cipher.edit && this.cipher.viewPassword);
  }
 }
--- a/apps/web/src/app/vault/components/vault-items/vault-items.component.html
+++ b/apps/web/src/app/vault/components/vault-items/vault-items.component.html
@@ -144,6 +144,7 @@
          [collections]="allCollections"
          [checked]="selection.isSelected(item)"
          [canEditCipher]="canEditCipher(item.cipher)"
+          [canAssignCollections]="canAssignCollections(item.cipher)"
          [canManageCollection]="canManageCollection(item.cipher)"
          (checkedToggled)="selection.toggle(item)"
          (onEvent)="event($event)"
--- a/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
@@ -236,6 +236,13 @@ export class VaultItemsComponent {
    return (organization.canEditAllCiphers && this.viewingOrgVault) || cipher.edit;
  }

+  protected canAssignCollections(cipher: CipherView) {
+    const organization = this.allOrganizations.find((o) => o.id === cipher.organizationId);
+    return (
+      (organization?.canEditAllCiphers && this.viewingOrgVault) || cipher.canAssignToCollections
+    );
+  }
+
  protected canManageCollection(cipher: CipherView) {
    // If the cipher is not part of an organization (personal item), user can manage it
    if (cipher.organizationId == null) {
@@ -461,7 +468,7 @@ export class VaultItemsComponent {
  private allCiphersHaveEditAccess(): boolean {
    return this.selection.selected
      .filter(({ cipher }) => cipher)
-      .every(({ cipher }) => cipher?.edit);
+      .every(({ cipher }) => cipher?.edit && cipher?.viewPassword);
  }

  private getUniqueOrganizationIds(): Set<string> {
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -749,15 +749,6 @@
  "itemName": {
    "message": "Item name"
  },
-  "cannotRemoveViewOnlyCollections": {
-    "message": "You cannot remove collections with View only permissions: $COLLECTIONS$",
-    "placeholders": {
-      "collections": {
-        "content": "$1",
-        "example": "Work, Personal"
-      }
-    }
-  },
  "ex": {
    "message": "ex.",
    "description": "Short abbreviation for 'example'."
@@ -10143,6 +10134,15 @@
  "descriptorCode": {
    "message": "Descriptor code"
  },
+  "cannotRemoveViewOnlyCollections": {
+    "message": "You cannot remove collections with View only permissions: $COLLECTIONS$",
+    "placeholders": {
+      "collections": {
+        "content": "$1",
+        "example": "Work, Personal"
+      }
+    }
+  },
  "importantNotice": {
    "message": "Important notice"
  },
--- a/libs/common/src/vault/models/view/cipher.view.ts
+++ b/libs/common/src/vault/models/view/cipher.view.ts
@@ -142,6 +142,13 @@ export class CipherView implements View, InitializerMetadata {
    );
  }

+  get canAssignToCollections(): boolean {
+    if (this.organizationId == null) {
+      return true;
+    }
+
+    return this.edit && this.viewPassword;
+  }
  /**
   * Determines if the cipher can be launched in a new browser tab.
   */
--- a/libs/vault/src/cipher-form/components/item-details/item-details-section.component.html
+++ b/libs/vault/src/cipher-form/components/item-details/item-details-section.component.html
@@ -61,8 +61,8 @@
          formControlName="collectionIds"
          [baseItems]="collectionOptions"
        ></bit-multi-select>
-        <bit-hint *ngIf="readOnlyCollections.length > 0" data-testid="view-only-hint">
-          {{ "cannotRemoveViewOnlyCollections" | i18n: readOnlyCollections.join(", ") }}
+        <bit-hint *ngIf="readOnlyCollectionsNames.length > 0" data-testid="view-only-hint">
+          {{ "cannotRemoveViewOnlyCollections" | i18n: readOnlyCollectionsNames.join(", ") }}
        </bit-hint>
      </bit-form-field>
    </ng-container>
--- a/libs/vault/src/cipher-form/components/item-details/item-details-section.component.spec.ts
+++ b/libs/vault/src/cipher-form/components/item-details/item-details-section.component.spec.ts
@@ -17,6 +17,29 @@ import { CipherFormContainer } from "../../cipher-form-container";

 import { ItemDetailsSectionComponent } from "./item-details-section.component";

+const createMockCollection = (
+  id: string,
+  name: string,
+  organizationId: string,
+  readOnly = false,
+  canEdit = true,
+) => {
+  return {
+    id,
+    name,
+    organizationId,
+    externalId: "",
+    readOnly,
+    hidePasswords: false,
+    manage: true,
+    assigned: true,
+    canEditItems: jest.fn().mockReturnValue(canEdit),
+    canEdit: jest.fn(),
+    canDelete: jest.fn(),
+    canViewCollectionInfo: jest.fn(),
+  };
+};
+
 describe("ItemDetailsSectionComponent", () => {
  let component: ItemDetailsSectionComponent;
  let fixture: ComponentFixture<ItemDetailsSectionComponent>;
@@ -94,13 +117,7 @@ describe("ItemDetailsSectionComponent", () => {
      component.config.allowPersonalOwnership = true;
      component.config.organizations = [{ id: "org1" } as Organization];
      component.config.collections = [
-        {
-          id: "col1",
-          name: "Collection 1",
-          organizationId: "org1",
-          assigned: true,
-          readOnly: false,
-        } as CollectionView,
+        createMockCollection("col1", "Collection 1", "org1") as CollectionView,
      ];

      getInitialCipherView.mockReturnValueOnce({
@@ -343,8 +360,8 @@ describe("ItemDetailsSectionComponent", () => {
      component.config.allowPersonalOwnership = true;
      component.config.organizations = [{ id: "org1" } as Organization];
      component.config.collections = [
-        { id: "col1", name: "Collection 1", organizationId: "org1" } as CollectionView,
-        { id: "col2", name: "Collection 2", organizationId: "org1" } as CollectionView,
+        createMockCollection("col1", "Collection 1", "org1") as CollectionView,
+        createMockCollection("col2", "Collection 2", "org1") as CollectionView,
      ];

      fixture.detectChanges();
@@ -374,27 +391,9 @@ describe("ItemDetailsSectionComponent", () => {
      });
      component.config.organizations = [{ id: "org1" } as Organization];
      component.config.collections = [
-        {
-          id: "col1",
-          name: "Collection 1",
-          organizationId: "org1",
-          assigned: true,
-          readOnly: false,
-        } as CollectionView,
-        {
-          id: "col2",
-          name: "Collection 2",
-          organizationId: "org1",
-          assigned: true,
-          readOnly: false,
-        } as CollectionView,
-        {
-          id: "col3",
-          name: "Collection 3",
-          organizationId: "org1",
-          assigned: true,
-          readOnly: false,
-        } as CollectionView,
+        createMockCollection("col1", "Collection 1", "org1") as CollectionView,
+        createMockCollection("col2", "Collection 2", "org1") as CollectionView,
+        createMockCollection("col3", "Collection 3", "org1") as CollectionView,
      ];

      fixture.detectChanges();
@@ -412,13 +411,7 @@ describe("ItemDetailsSectionComponent", () => {
      component.config.allowPersonalOwnership = true;
      component.config.organizations = [{ id: "org1" } as Organization];
      component.config.collections = [
-        {
-          id: "col1",
-          name: "Collection 1",
-          organizationId: "org1",
-          assigned: true,
-          readOnly: false,
-        } as CollectionView,
+        createMockCollection("col1", "Collection 1", "org1") as CollectionView,
      ];

      fixture.detectChanges();
@@ -452,27 +445,9 @@ describe("ItemDetailsSectionComponent", () => {
      } as CipherView;
      component.config.organizations = [{ id: "org1" } as Organization];
      component.config.collections = [
-        {
-          id: "col1",
-          name: "Collection 1",
-          organizationId: "org1",
-          assigned: true,
-          readOnly: false,
-        } as CollectionView,
-        {
-          id: "col2",
-          name: "Collection 2",
-          organizationId: "org1",
-          assigned: true,
-          readOnly: false,
-        } as CollectionView,
-        {
-          id: "col3",
-          name: "Collection 3",
-          organizationId: "org1",
-          readOnly: true,
-          assigned: true,
-        } as CollectionView,
+        createMockCollection("col1", "Collection 1", "org1", true, false) as CollectionView,
+        createMockCollection("col2", "Collection 2", "org1", true, false) as CollectionView,
+        createMockCollection("col3", "Collection 3", "org1", true) as CollectionView,
      ];

      await component.ngOnInit();
@@ -490,27 +465,9 @@ describe("ItemDetailsSectionComponent", () => {
      component.config.allowPersonalOwnership = true;
      component.config.organizations = [{ id: "org1" } as Organization];
      component.config.collections = [
-        {
-          id: "col1",
-          name: "Collection 1",
-          organizationId: "org1",
-          readOnly: true,
-          assigned: false,
-        } as CollectionView,
-        {
-          id: "col2",
-          name: "Collection 2",
-          organizationId: "org1",
-          readOnly: true,
-          assigned: false,
-        } as CollectionView,
-        {
-          id: "col3",
-          name: "Collection 3",
-          organizationId: "org1",
-          readOnly: false,
-          assigned: true,
-        } as CollectionView,
+        createMockCollection("col1", "Collection 1", "org1", true, false) as CollectionView,
+        createMockCollection("col2", "Collection 2", "org1", true, false) as CollectionView,
+        createMockCollection("col3", "Collection 3", "org1", false, false) as CollectionView,
      ];

      fixture.detectChanges();
@@ -527,26 +484,9 @@ describe("ItemDetailsSectionComponent", () => {
      component.config.mode = "edit";
      component.config.admin = true;
      component.config.collections = [
-        {
-          id: "col1",
-          name: "Collection 1",
-          organizationId: "org1",
-          readOnly: true,
-          assigned: false,
-        } as CollectionView,
-        {
-          id: "col2",
-          name: "Collection 2",
-          organizationId: "org1",
-          assigned: false,
-        } as CollectionView,
-        {
-          id: "col3",
-          name: "Collection 3",
-          organizationId: "org1",
-          readOnly: true,
-          assigned: false,
-        } as CollectionView,
+        createMockCollection("col1", "Collection 1", "org1", true, false) as CollectionView,
+        createMockCollection("col2", "Collection 2", "org1", false, true) as CollectionView,
+        createMockCollection("col3", "Collection 3", "org1", true, false) as CollectionView,
      ];
      component.originalCipherView = {
        name: "cipher1",
@@ -562,6 +502,7 @@ describe("ItemDetailsSectionComponent", () => {
    });

    it("should not show collections as readonly when `config.admin` is true", async () => {
+      component.config.isAdminConsole = true;
      await component.ngOnInit();
      fixture.detectChanges();

@@ -573,8 +514,7 @@ describe("ItemDetailsSectionComponent", () => {

      await component.ngOnInit();
      fixture.detectChanges();
-
-      expect(component["readOnlyCollections"]).toEqual(["Collection 1", "Collection 3"]);
+      expect(component["readOnlyCollectionsNames"]).toEqual(["Collection 1", "Collection 3"]);
    });
  });
 });
--- a/libs/vault/src/cipher-form/components/item-details/item-details-section.component.ts
+++ b/libs/vault/src/cipher-form/components/item-details/item-details-section.component.ts
@@ -1,6 +1,6 @@
 // FIXME: Update this file to be type safe and remove this and next line
 // @ts-strict-ignore
-import { CommonModule, NgClass } from "@angular/common";
+import { CommonModule } from "@angular/common";
 import { Component, DestroyRef, Input, OnInit } from "@angular/core";
 import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
 import { FormBuilder, FormControl, ReactiveFormsModule, Validators } from "@angular/forms";
@@ -8,6 +8,7 @@ import { concatMap, map } from "rxjs";

 import { CollectionView } from "@bitwarden/admin-console/common";
 import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { OrganizationUserType } from "@bitwarden/common/admin-console/enums";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -43,7 +44,6 @@ import { CipherFormContainer } from "../../cipher-form-container";
    SelectModule,
    SectionHeaderComponent,
    IconButtonModule,
-    NgClass,
    JslibModule,
    CommonModule,
  ],
@@ -67,7 +67,7 @@ export class ItemDetailsSectionComponent implements OnInit {
   * Collections that are already assigned to the cipher and are read-only. These cannot be removed.
   * @protected
   */
-  protected readOnlyCollections: string[] = [];
+  protected readOnlyCollections: CollectionView[] = [];

  protected showCollectionsControl: boolean;

@@ -79,6 +79,10 @@ export class ItemDetailsSectionComponent implements OnInit {

  @Input()
  originalCipherView: CipherView;
+
+  get readOnlyCollectionsNames(): string[] {
+    return this.readOnlyCollections.map((c) => c.name);
+  }
  /**
   * Whether the form is in partial edit mode. Only the folder and favorite controls are available.
   */
@@ -133,7 +137,10 @@ export class ItemDetailsSectionComponent implements OnInit {
            name: value.name,
            organizationId: value.organizationId,
            folderId: value.folderId,
-            collectionIds: value.collectionIds?.map((c) => c.id) || [],
+            collectionIds: [
+              ...(value.collectionIds?.map((c) => c.id) || []),
+              ...this.readOnlyCollections.map((c) => c.id),
+            ],
            favorite: value.favorite,
          } as CipherView);
          return cipher;
@@ -223,6 +230,8 @@ export class ItemDetailsSectionComponent implements OnInit {
      favorite: prefillCipher.favorite,
    });

+    const orgId = this.itemDetailsForm.controls.organizationId.value as OrganizationId;
+    const organization = this.organizations.find((o) => o.id === orgId);
    const initializedWithCachedCipher = this.cipherFormContainer.initializedWithCachedCipher();

    // Configure form for clone mode.
@@ -244,20 +253,36 @@ export class ItemDetailsSectionComponent implements OnInit {

    await this.updateCollectionOptions(prefillCollections);

+    if (!organization?.canEditAllCiphers && !prefillCipher.canAssignToCollections) {
+      this.itemDetailsForm.controls.collectionIds.disable();
+    }
+
    if (this.partialEdit) {
      this.itemDetailsForm.disable();
      this.itemDetailsForm.controls.favorite.enable();
      this.itemDetailsForm.controls.folderId.enable();
    } else if (this.config.mode === "edit") {
-      this.readOnlyCollections = this.collections
-        .filter(
+      if (!this.config.isAdminConsole || !this.config.admin) {
+        this.readOnlyCollections = this.collections.filter(
          // When the configuration is set up for admins, they can alter read only collections
          (c) =>
+            c.organizationId === orgId &&
            c.readOnly &&
-            !this.config.admin &&
            this.originalCipherView.collectionIds.includes(c.id as CollectionId),
-        )
-        .map((c) => c.name);
+        );
+
+        // When Owners/Admins access setting is turned on.
+        // Disable Collections Options if Owner/Admin does not have Edit/Manage permissions on item
+        // Disable Collections Options if Custom user does not have Edit/Manage permissions on item
+        if (
+          (organization.allowAdminAccessToAllCollectionItems &&
+            (!this.originalCipherView.viewPassword || !this.originalCipherView.edit)) ||
+          (organization.type === OrganizationUserType.Custom &&
+            !this.originalCipherView.viewPassword)
+        ) {
+          this.itemDetailsForm.controls.collectionIds.disable();
+        }
+      }
    }
  }

--- a/libs/vault/src/components/assign-collections.component.ts
+++ b/libs/vault/src/components/assign-collections.component.ts
@@ -206,7 +206,7 @@ export class AssignCollectionsComponent implements OnInit, OnDestroy, AfterViewI
    await this.initializeItems(this.selectedOrgId);

    if (this.selectedOrgId && this.selectedOrgId !== MY_VAULT_ID) {
-      await this.handleOrganizationCiphers();
+      await this.handleOrganizationCiphers(this.selectedOrgId);
    }

    this.setupFormSubscriptions();
@@ -283,7 +283,7 @@ export class AssignCollectionsComponent implements OnInit, OnDestroy, AfterViewI
  private sortItems = (a: SelectItemView, b: SelectItemView) =>
    this.i18nService.collator.compare(a.labelName, b.labelName);

-  private async handleOrganizationCiphers() {
+  private async handleOrganizationCiphers(organizationId: OrganizationId) {
    // If no ciphers are editable, cancel the operation
    if (this.editableItemCount == 0) {
      this.toastService.showToast({
@@ -296,12 +296,21 @@ export class AssignCollectionsComponent implements OnInit, OnDestroy, AfterViewI
      return;
    }

-    this.availableCollections = this.params.availableCollections.map((c) => ({
-      icon: "bwi-collection",
-      id: c.id,
-      labelName: c.name,
-      listName: c.name,
-    }));
+    const userId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
+    const org = await firstValueFrom(
+      this.organizationService.organizations$(userId).pipe(getOrganizationById(organizationId)),
+    );
+
+    this.availableCollections = this.params.availableCollections
+      .filter((collection) => {
+        return collection.canEditItems(org);
+      })
+      .map((c) => ({
+        icon: "bwi-collection",
+        id: c.id,
+        labelName: c.name,
+        listName: c.name,
+      }));

    // Select assigned collections for a single cipher.
    this.selectCollectionsAssignedToSingleCipher();