[PM-18706] Added permission check for organizational inactive 2fa report (#13610)

* Added permission check for organizational inactive 2fa report

Only display the cipher's name if the user running the report does not have permissions to view/edit the cipher

* Add appropiate access modifiers to newly added members/methods

---------

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>

apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.html

@@ -47,14 +47,19 @@
                 <app-vault-icon [cipher]="r"></app-vault-icon>
               </td>
               <td bitCell>
-                <a
+                <ng-container *ngIf="!organization || canManageCipher(r); else cantManage">
-                  bitLink
+                  <a
-                  href="#"
+                    bitLink
-                  appStopClick
+                    href="#"
-                  (click)="selectCipher(r)"
+                    appStopClick
-                  title="{{ 'editItemWithName' | i18n: r.name }}"
+                    (click)="selectCipher(r)"
-                  >{{ r.name }}</a
+                    title="{{ 'editItemWithName' | i18n: r.name }}"
-                >
+                    >{{ r.name }}</a
+                  >
+                </ng-container>
+                <ng-template #cantManage>
+                  <span>{{ r.name }}</span>
+                </ng-template>
                 <ng-container *ngIf="!organization && r.organizationId">
                   <i
                     class="bwi bwi-collection"

apps/web/src/app/tools/reports/pages/inactive-two-factor-report.component.ts

@@ -130,4 +130,15 @@ export class InactiveTwoFactorReportComponent extends CipherReportComponent impl
       this.services.set(serviceData.domain, serviceData.documentation);
     }
   }
+
+  /**
+   * Provides a way to determine if someone with permissions to run an organizational report is also able to view/edit ciphers within the results
+   * Default to true for indivduals running reports on their own vault.
+   * @param c CipherView
+   * @returns boolean
+   */
+  protected canManageCipher(c: CipherView): boolean {
+    // this will only ever be false from the org view;
+    return true;
+  }
 }

apps/web/src/app/tools/reports/pages/organizations/inactive-two-factor-report.component.ts

@@ -13,6 +13,7 @@ import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.servic
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
+import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { DialogService } from "@bitwarden/components";
 import { CipherFormConfigService, PasswordRepromptService } from "@bitwarden/vault";
@@ -41,6 +42,9 @@ export class InactiveTwoFactorReportComponent
   extends BaseInactiveTwoFactorReportComponent
   implements OnInit
 {
+  // Contains a list of ciphers, the user running the report, can manage
+  private manageableCiphers: Cipher[];
+
   constructor(
     cipherService: CipherService,
     dialogService: DialogService,
@@ -80,6 +84,7 @@ export class InactiveTwoFactorReportComponent
           .organizations$(userId)
           .pipe(getOrganizationById(params.organizationId)),
       );
+      this.manageableCiphers = await this.cipherService.getAll(userId);
       await super.ngOnInit();
     });
   }
@@ -87,4 +92,8 @@ export class InactiveTwoFactorReportComponent
   getAllCiphers(): Promise<CipherView[]> {
     return this.cipherService.getAllFromApiForOrganization(this.organization.id);
   }
+
+  protected canManageCipher(c: CipherView): boolean {
+    return this.manageableCiphers.some((x) => x.id === c.id);
+  }
 }