[PM-12281] [PM-12301] [PM-12306] [PM-12334] Move delete item permission to Can Manage (#11289)

* Added inputs to the view and edit component to disable or remove the delete button when a user does not have manage rights

* Refactored editByCipherId to receive cipherview object

* Fixed issue where adding an item on the individual vault throws a null reference

* Fixed issue where adding an item on the AC vault throws a null reference

* Allow delete in unassigned collection

* created reusable service to check if a user has delete permission on an item

* Registered service

* Used authorizationservice on the browser and desktop

Only display the delete button when a user has delete permission

* Added comments to the service

* Passed active collectionId to add edit component

renamed constructor parameter

* restored input property used by the web

* Fixed dependency issue

* Fixed dependency issue

* Fixed dependency issue

* Modified service to cater for org vault

* Updated to include new dependency

* Updated components to use the observable

* Added check on the cli to know if user has rights to delete an item

* Renamed abstraction and renamed implementation to include Default

Fixed permission issues

* Fixed test to reflect changes in implementation

* Modified base classes to use new naming

Passed new parameters for the canDeleteCipher

* Modified base classes to use new naming

Made changes from base class

* Desktop changes

Updated reference naming

* cli changes

Updated reference naming

Passed new parameters for the canDeleteCipher$

* Updated references

* browser changes

Updated reference naming

Passed new parameters for the canDeleteCipher$

* Modified cipher form dialog to take in active collection id

used canDeleteCipher$ on the vault item dialog to disable the delete button when user does not have the required permissions

* Fix number of arguments issue

* Added active collection id

* Updated canDeleteCipher$ arguments

* Updated to pass the cipher object

* Fixed up refrences and comments

* Updated dependency

* updated check to canEditUnassignedCiphers

* Fixed unit tests

* Removed activeCollectionId from cipher form

* Fixed issue where bulk delete option shows for can edit users

* Fix null reference when checking if a cipher belongs to the unassigned collection

* Fixed bug where allowedCollection passed is undefined

* Modified cipher by adding a isAdminConsoleAction argument to tell when a reuqest comes from the admin console

* Passed isAdminConsoleAction as true when request is from the admin console

apps/cli/src/oss-serve-configurator.ts

@@ -113,6 +113,7 @@ export class OssServeConfigurator {
       this.serviceContainer.apiService,
       this.serviceContainer.folderApiService,
       this.serviceContainer.billingAccountProfileStateService,
+      this.serviceContainer.cipherAuthorizationService,
     );
     this.confirmCommand = new ConfirmCommand(
       this.serviceContainer.apiService,

apps/cli/src/service-container/service-container.ts

@@ -129,6 +129,10 @@ import { SendStateProvider } from "@bitwarden/common/tools/send/services/send-st
 import { SendService } from "@bitwarden/common/tools/send/services/send.service";
 import { VaultTimeoutStringType } from "@bitwarden/common/types/vault-timeout.type";
 import { InternalFolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
+import {
+  CipherAuthorizationService,
+  DefaultCipherAuthorizationService,
+} from "@bitwarden/common/vault/services/cipher-authorization.service";
 import { CipherService } from "@bitwarden/common/vault/services/cipher.service";
 import { CipherFileUploadService } from "@bitwarden/common/vault/services/file-upload/cipher-file-upload.service";
 import { FolderApiService } from "@bitwarden/common/vault/services/folder/folder-api.service";
@@ -255,6 +259,7 @@ export class ServiceContainer {
   kdfConfigService: KdfConfigServiceAbstraction;
   taskSchedulerService: TaskSchedulerService;
   sdkService: SdkService;
+  cipherAuthorizationService: CipherAuthorizationService;
 
   constructor() {
     let p = null;
@@ -805,6 +810,11 @@ export class ServiceContainer {
       this.apiService,
       this.configService,
     );
+
+    this.cipherAuthorizationService = new DefaultCipherAuthorizationService(
+      this.collectionService,
+      this.organizationService,
+    );
   }
 
   async logout() {

apps/cli/src/vault.program.ts

@@ -319,6 +319,7 @@ export class VaultProgram extends BaseProgram {
           this.serviceContainer.apiService,
           this.serviceContainer.folderApiService,
           this.serviceContainer.billingAccountProfileStateService,
+          this.serviceContainer.cipherAuthorizationService,
         );
         const response = await command.run(object, id, cmd);
         this.processResponse(response);

apps/cli/src/vault/delete.command.ts

@@ -6,6 +6,7 @@ import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction";
 import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
+import { CipherAuthorizationService } from "@bitwarden/common/vault/services/cipher-authorization.service";
 
 import { Response } from "../models/response";
 import { CliUtils } from "../utils";
@@ -17,6 +18,7 @@ export class DeleteCommand {
     private apiService: ApiService,
     private folderApiService: FolderApiServiceAbstraction,
     private accountProfileService: BillingAccountProfileStateService,
+    private cipherAuthorizationService: CipherAuthorizationService,
   ) {}
 
   async run(object: string, id: string, cmdOptions: Record<string, any>): Promise<Response> {
@@ -45,6 +47,14 @@ export class DeleteCommand {
       return Response.notFound();
     }
 
+    const canDeleteCipher = await firstValueFrom(
+      this.cipherAuthorizationService.canDeleteCipher$(cipher),
+    );
+
+    if (!canDeleteCipher) {
+      return Response.error("You do not have permission to delete this item.");
+    }
+
     try {
       if (options.permanent) {
         await this.cipherService.deleteWithServer(id);