[AC-2320] Update canEditAnyCollection logic for Flexible Collections v1 (#8394)

* also update calling locations to use canEditAllCiphers where applicable
2025-12-11 22:03:36 +00:00 · 2024-04-04 13:48:41 +10:00
parent 678ba04781
commit 32981ce30d
13 changed files with 140 additions and 44 deletions
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@@ -188,18 +188,29 @@ export class Organization {
    return this.isManager || this.permissions.createNewCollections;
  }

-  get canEditAnyCollection() {
-    return this.isAdmin || this.permissions.editAnyCollection;
+  canEditAnyCollection(flexibleCollectionsV1Enabled: boolean) {
+    if (!this.flexibleCollections || !flexibleCollectionsV1Enabled) {
+      // Pre-Flexible Collections v1 logic
+      return this.isAdmin || this.permissions.editAnyCollection;
+    }
+
+    // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins
+    // Providers and custom users with canEditAnyCollection are not affected by allowAdminAccessToAllCollectionItems flag
+    return (
+      this.isProviderUser ||
+      (this.type === OrganizationUserType.Custom && this.permissions.editAnyCollection) ||
+      (this.allowAdminAccessToAllCollectionItems && this.isAdmin)
+    );
  }

-  get canUseAdminCollections() {
-    return this.canEditAnyCollection;
+  canUseAdminCollections(flexibleCollectionsV1Enabled: boolean) {
+    return this.canEditAnyCollection(flexibleCollectionsV1Enabled);
  }

  canEditAllCiphers(flexibleCollectionsV1Enabled: boolean) {
-    // Before Flexible Collections, anyone with editAnyCollection permission could edit all ciphers
-    if (!flexibleCollectionsV1Enabled) {
-      return this.canEditAnyCollection;
+    // Before Flexible Collections, any admin or anyone with editAnyCollection permission could edit all ciphers
+    if (!this.flexibleCollections || !flexibleCollectionsV1Enabled) {
+      return this.isAdmin || this.permissions.editAnyCollection;
    }
    // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins
    // Providers and custom users with canEditAnyCollection are not affected by allowAdminAccessToAllCollectionItems flag
@@ -214,8 +225,13 @@ export class Organization {
    return this.isAdmin || this.permissions.deleteAnyCollection;
  }

+  /**
+   * Whether the user can view all collection information, such as collection name and access.
+   * This does not indicate that the user can view items inside any collection - for that, see {@link canEditAllCiphers}
+   */
  get canViewAllCollections() {
-    return this.canEditAnyCollection || this.canDeleteAnyCollection;
+    // Admins can always see all collections even if collection management settings prevent them from editing them or seeing items
+    return this.isAdmin || this.permissions.editAnyCollection || this.canDeleteAnyCollection;
  }

  /**