From 407368b3ea0ba3774c0e73d20af6599c1913d2cd Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Thu, 27 Feb 2025 20:55:24 +0100
Subject: [PATCH] [PM-18706] Added permission check for organizational inactive
 2fa report (#13610)

* Added permission check for organizational inactive 2fa report

Only display the cipher's name if the user running the report does not have permissions to view/edit the cipher

* Add appropiate access modifiers to newly added members/methods

---------

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 .../inactive-two-factor-report.component.html | 21 ++++++++++++-------
 .../inactive-two-factor-report.component.ts   | 11 ++++++++++
 .../inactive-two-factor-report.component.ts   |  9 ++++++++
 3 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.html b/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.html
index 52bbb1c5e6d..e667a65235b 100644
--- a/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.html
+++ b/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.html
@@ -47,14 +47,19 @@
                 <app-vault-icon [cipher]="r"></app-vault-icon>
               </td>
               <td bitCell>
-                <a
-                  bitLink
-                  href="#"
-                  appStopClick
-                  (click)="selectCipher(r)"
-                  title="{{ 'editItemWithName' | i18n: r.name }}"
-                  >{{ r.name }}</a
-                >
+                <ng-container *ngIf="!organization || canManageCipher(r); else cantManage">
+                  <a
+                    bitLink
+                    href="#"
+                    appStopClick
+                    (click)="selectCipher(r)"
+                    title="{{ 'editItemWithName' | i18n: r.name }}"
+                    >{{ r.name }}</a
+                  >
+                </ng-container>
+                <ng-template #cantManage>
+                  <span>{{ r.name }}</span>
+                </ng-template>
                 <ng-container *ngIf="!organization && r.organizationId">
                   <i
                     class="bwi bwi-collection"
diff --git a/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.ts b/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.ts
index 819be73b8be..5265326128e 100644
--- a/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.ts
+++ b/apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.ts
@@ -130,4 +130,15 @@ export class InactiveTwoFactorReportComponent extends CipherReportComponent impl
       this.services.set(serviceData.domain, serviceData.documentation);
     }
   }
+
+  /**
+   * Provides a way to determine if someone with permissions to run an organizational report is also able to view/edit ciphers within the results
+   * Default to true for indivduals running reports on their own vault.
+   * @param c CipherView
+   * @returns boolean
+   */
+  protected canManageCipher(c: CipherView): boolean {
+    // this will only ever be false from the org view;
+    return true;
+  }
 }
diff --git a/apps/web/src/app/tools/reports/pages/organizations/inactive-two-factor-report.component.ts b/apps/web/src/app/tools/reports/pages/organizations/inactive-two-factor-report.component.ts
index 8a2fc333c64..5979e99c0fa 100644
--- a/apps/web/src/app/tools/reports/pages/organizations/inactive-two-factor-report.component.ts
+++ b/apps/web/src/app/tools/reports/pages/organizations/inactive-two-factor-report.component.ts
@@ -13,6 +13,7 @@ import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.servic
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
+import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { DialogService } from "@bitwarden/components";
 import { CipherFormConfigService, PasswordRepromptService } from "@bitwarden/vault";
@@ -41,6 +42,9 @@ export class InactiveTwoFactorReportComponent
   extends BaseInactiveTwoFactorReportComponent
   implements OnInit
 {
+  // Contains a list of ciphers, the user running the report, can manage
+  private manageableCiphers: Cipher[];
+
   constructor(
     cipherService: CipherService,
     dialogService: DialogService,
@@ -80,6 +84,7 @@ export class InactiveTwoFactorReportComponent
           .organizations$(userId)
           .pipe(getOrganizationById(params.organizationId)),
       );
+      this.manageableCiphers = await this.cipherService.getAll(userId);
       await super.ngOnInit();
     });
   }
@@ -87,4 +92,8 @@ export class InactiveTwoFactorReportComponent
   getAllCiphers(): Promise<CipherView[]> {
     return this.cipherService.getAllFromApiForOrganization(this.organization.id);
   }
+
+  protected canManageCipher(c: CipherView): boolean {
+    return this.manageableCiphers.some((x) => x.id === c.id);
+  }
 }