From 43a6a93944367afc1d26f85d0920d9288fe70bad Mon Sep 17 00:00:00 2001
From: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:04:06 -0800
Subject: [PATCH] don't allow 'except password' permissions to view or copy
 hidden fields (#12899)

---
 .../components/custom-fields/custom-fields.component.ts       | 4 ++++
 .../cipher-view/custom-fields/custom-fields-v2.component.html | 2 ++
 .../cipher-view/custom-fields/custom-fields-v2.component.ts   | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/libs/vault/src/cipher-form/components/custom-fields/custom-fields.component.ts b/libs/vault/src/cipher-form/components/custom-fields/custom-fields.component.ts
index d723bad575..cd75fe8fba 100644
--- a/libs/vault/src/cipher-form/components/custom-fields/custom-fields.component.ts
+++ b/libs/vault/src/cipher-form/components/custom-fields/custom-fields.component.ts
@@ -167,6 +167,10 @@ export class CustomFieldsComponent implements OnInit, AfterViewInit {
       );
     });
 
+    if (!this.cipherFormContainer.originalCipherView?.viewPassword) {
+      this.customFieldsForm.disable();
+    }
+
     // Disable the form if in partial-edit mode
     // Must happen after the initial fields are populated
     if (this.cipherFormContainer.config.mode === "partial-edit") {
diff --git a/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.html b/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.html
index 45ddc3c1de..ab31ede57b 100644
--- a/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.html
+++ b/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.html
@@ -38,6 +38,7 @@
           type="button"
           bitIconButton
           bitPasswordInputToggle
+          *ngIf="canViewPassword"
           (toggledChange)="logHiddenEvent($event)"
         ></button>
         <button
@@ -47,6 +48,7 @@
           [appCopyClick]="field.value"
           showToast
           [valueLabel]="field.name"
+          *ngIf="canViewPassword"
           [appA11yTitle]="'copyCustomField' | i18n: field.name"
           (click)="logCopyEvent()"
         ></button>
diff --git a/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.ts b/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.ts
index b41b351e19..313607ce3a 100644
--- a/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.ts
+++ b/libs/vault/src/cipher-view/custom-fields/custom-fields-v2.component.ts
@@ -59,6 +59,10 @@ export class CustomFieldV2Component implements OnInit {
     return this.i18nService.t(linkedType.i18nKey);
   }
 
+  get canViewPassword() {
+    return this.cipher.viewPassword;
+  }
+
   async logHiddenEvent(hiddenFieldVisible: boolean) {
     if (hiddenFieldVisible) {
       await this.eventCollectionService.collect(