[AC-2320] Update canEditAnyCollection logic for Flexible Collections v1 (#8394)

* also update calling locations to use canEditAllCiphers where applicable
2025-12-15 07:43:35 +00:00 · 2024-04-04 13:48:41 +10:00
parent 678ba04781
commit 32981ce30d
13 changed files with 140 additions and 44 deletions
--- a/libs/angular/src/vault/components/add-edit.component.ts
+++ b/libs/angular/src/vault/components/add-edit.component.ts
@@ -662,7 +662,7 @@ export class AddEditComponent implements OnInit, OnDestroy {

    // if a cipher is unassigned we want to check if they are an admin or have permission to edit any collection
    if (!cipher.collectionIds) {
-      orgAdmin = this.organization?.canEditAnyCollection;
+      orgAdmin = this.organization?.canEditAllCiphers(this.flexibleCollectionsV1Enabled);
    }

    return this.cipher.id == null
@@ -671,14 +671,14 @@ export class AddEditComponent implements OnInit, OnDestroy {
  }

  protected deleteCipher() {
-    const asAdmin = this.organization?.canEditAnyCollection;
+    const asAdmin = this.organization?.canEditAllCiphers(this.flexibleCollectionsV1Enabled);
    return this.cipher.isDeleted
      ? this.cipherService.deleteWithServer(this.cipher.id, asAdmin)
      : this.cipherService.softDeleteWithServer(this.cipher.id, asAdmin);
  }

  protected restoreCipher() {
-    const asAdmin = this.organization?.canEditAnyCollection;
+    const asAdmin = this.organization?.canEditAllCiphers(this.flexibleCollectionsV1Enabled);
    return this.cipherService.restoreWithServer(this.cipher.id, asAdmin);
  }

--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@@ -188,18 +188,29 @@ export class Organization {
    return this.isManager || this.permissions.createNewCollections;
  }

-  get canEditAnyCollection() {
-    return this.isAdmin || this.permissions.editAnyCollection;
+  canEditAnyCollection(flexibleCollectionsV1Enabled: boolean) {
+    if (!this.flexibleCollections || !flexibleCollectionsV1Enabled) {
+      // Pre-Flexible Collections v1 logic
+      return this.isAdmin || this.permissions.editAnyCollection;
+    }
+
+    // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins
+    // Providers and custom users with canEditAnyCollection are not affected by allowAdminAccessToAllCollectionItems flag
+    return (
+      this.isProviderUser ||
+      (this.type === OrganizationUserType.Custom && this.permissions.editAnyCollection) ||
+      (this.allowAdminAccessToAllCollectionItems && this.isAdmin)
+    );
  }

-  get canUseAdminCollections() {
-    return this.canEditAnyCollection;
+  canUseAdminCollections(flexibleCollectionsV1Enabled: boolean) {
+    return this.canEditAnyCollection(flexibleCollectionsV1Enabled);
  }

  canEditAllCiphers(flexibleCollectionsV1Enabled: boolean) {
-    // Before Flexible Collections, anyone with editAnyCollection permission could edit all ciphers
-    if (!flexibleCollectionsV1Enabled) {
-      return this.canEditAnyCollection;
+    // Before Flexible Collections, any admin or anyone with editAnyCollection permission could edit all ciphers
+    if (!this.flexibleCollections || !flexibleCollectionsV1Enabled) {
+      return this.isAdmin || this.permissions.editAnyCollection;
    }
    // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins
    // Providers and custom users with canEditAnyCollection are not affected by allowAdminAccessToAllCollectionItems flag
@@ -214,8 +225,13 @@ export class Organization {
    return this.isAdmin || this.permissions.deleteAnyCollection;
  }

+  /**
+   * Whether the user can view all collection information, such as collection name and access.
+   * This does not indicate that the user can view items inside any collection - for that, see {@link canEditAllCiphers}
+   */
  get canViewAllCollections() {
-    return this.canEditAnyCollection || this.canDeleteAnyCollection;
+    // Admins can always see all collections even if collection management settings prevent them from editing them or seeing items
+    return this.isAdmin || this.permissions.editAnyCollection || this.canDeleteAnyCollection;
  }

  /**
--- a/libs/common/src/vault/models/view/collection.view.ts
+++ b/libs/common/src/vault/models/view/collection.view.ts
@@ -53,11 +53,11 @@ export class CollectionView implements View, ITreeNodeObject {
      );
    }

-    return org?.canEditAnyCollection || (org?.canEditAssignedCollections && this.assigned);
+    return org?.canEditAnyCollection(false) || (org?.canEditAssignedCollections && this.assigned);
  }

  // For editing collection details, not the items within it.
-  canEdit(org: Organization): boolean {
+  canEdit(org: Organization, flexibleCollectionsV1Enabled: boolean): boolean {
    if (org != null && org.id !== this.organizationId) {
      throw new Error(
        "Id of the organization provided does not match the org id of the collection.",
@@ -65,8 +65,8 @@ export class CollectionView implements View, ITreeNodeObject {
    }

    return org?.flexibleCollections
-      ? org?.canEditAnyCollection || this.manage
-      : org?.canEditAnyCollection || org?.canEditAssignedCollections;
+      ? org?.canEditAnyCollection(flexibleCollectionsV1Enabled) || this.manage
+      : org?.canEditAnyCollection(flexibleCollectionsV1Enabled) || org?.canEditAssignedCollections;
  }

  // For deleting a collection, not the items within it.