[PM-12281] [PM-12301] [PM-12306] [PM-12334] Move delete item permission to Can Manage (#11289)

* Added inputs to the view and edit component to disable or remove the delete button when a user does not have manage rights

* Refactored editByCipherId to receive cipherview object

* Fixed issue where adding an item on the individual vault throws a null reference

* Fixed issue where adding an item on the AC vault throws a null reference

* Allow delete in unassigned collection

* created reusable service to check if a user has delete permission on an item

* Registered service

* Used authorizationservice on the browser and desktop

Only display the delete button when a user has delete permission

* Added comments to the service

* Passed active collectionId to add edit component

renamed constructor parameter

* restored input property used by the web

* Fixed dependency issue

* Fixed dependency issue

* Fixed dependency issue

* Modified service to cater for org vault

* Updated to include new dependency

* Updated components to use the observable

* Added check on the cli to know if user has rights to delete an item

* Renamed abstraction and renamed implementation to include Default

Fixed permission issues

* Fixed test to reflect changes in implementation

* Modified base classes to use new naming

Passed new parameters for the canDeleteCipher

* Modified base classes to use new naming

Made changes from base class

* Desktop changes

Updated reference naming

* cli changes

Updated reference naming

Passed new parameters for the canDeleteCipher$

* Updated references

* browser changes

Updated reference naming

Passed new parameters for the canDeleteCipher$

* Modified cipher form dialog to take in active collection id

used canDeleteCipher$ on the vault item dialog to disable the delete button when user does not have the required permissions

* Fix number of arguments issue

* Added active collection id

* Updated canDeleteCipher$ arguments

* Updated to pass the cipher object

* Fixed up refrences and comments

* Updated dependency

* updated check to canEditUnassignedCiphers

* Fixed unit tests

* Removed activeCollectionId from cipher form

* Fixed issue where bulk delete option shows for can edit users

* Fix null reference when checking if a cipher belongs to the unassigned collection

* Fixed bug where allowedCollection passed is undefined

* Modified cipher by adding a isAdminConsoleAction argument to tell when a reuqest comes from the admin console

* Passed isAdminConsoleAction as true when request is from the admin console

apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html

@@ -132,7 +132,7 @@
       <i class="bwi bwi-fw bwi-undo" aria-hidden="true"></i>
       {{ "restore" | i18n }}
     </button>
-    <button bitMenuItem *ngIf="canEditCipher" (click)="deleteCipher()" type="button">
+    <button bitMenuItem *ngIf="canManageCollection" (click)="deleteCipher()" type="button">
       <span class="tw-text-danger">
         <i class="bwi bwi-fw bwi-trash" aria-hidden="true"></i>
         {{ (cipher.isDeleted ? "permanentlyDelete" : "delete") | i18n }}

apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts

@@ -35,6 +35,7 @@ export class VaultCipherRowComponent implements OnInit {
   @Input() collections: CollectionView[];
   @Input() viewingOrgVault: boolean;
   @Input() canEditCipher: boolean;
+  @Input() canManageCollection: boolean;
 
   @Output() onEvent = new EventEmitter<VaultItemEvent>();
 

apps/web/src/app/vault/components/vault-items/vault-items.component.html

@@ -64,12 +64,7 @@
               <i class="bwi bwi-fw bwi-undo" aria-hidden="true"></i>
               {{ "restoreSelected" | i18n }}
             </button>
-            <button
-              *ngIf="showDelete() || showBulkTrashOptions"
-              type="button"
-              bitMenuItem
-              (click)="bulkDelete()"
-            >
+            <button *ngIf="showDelete" type="button" bitMenuItem (click)="bulkDelete()">
               <span class="tw-text-danger">
                 <i class="bwi bwi-fw bwi-trash" aria-hidden="true"></i>
                 {{ (showBulkTrashOptions ? "permanentlyDeleteSelected" : "delete") | i18n }}
@@ -123,6 +118,7 @@
           [collections]="allCollections"
           [checked]="selection.isSelected(item)"
           [canEditCipher]="canEditCipher(item.cipher)"
+          [canManageCollection]="canManageCollection(item.cipher)"
           (checkedToggled)="selection.toggle(item)"
           (onEvent)="event($event)"
         ></tr>

apps/web/src/app/vault/components/vault-items/vault-items.component.ts

@@ -45,6 +45,7 @@ export class VaultItemsComponent {
   @Input() viewingOrgVault: boolean;
   @Input() addAccessStatus: number;
   @Input() addAccessToggle: boolean;
+  @Input() activeCollection: CollectionView | undefined;
 
   private _ciphers?: CipherView[] = [];
   @Input() get ciphers(): CipherView[] {
@@ -90,11 +91,39 @@ export class VaultItemsComponent {
     );
   }
 
+  get showDelete(): boolean {
+    if (this.selection.selected.length === 0) {
+      return true;
+    }
+
+    const hasPersonalItems = this.hasPersonalItems();
+    const uniqueCipherOrgIds = this.getUniqueOrganizationIds();
+
+    const canManageCollectionCiphers = this.selection.selected
+      .filter((item) => item.cipher)
+      .every(({ cipher }) => this.canManageCollection(cipher));
+
+    const canDeleteCollections = this.selection.selected
+      .filter((item) => item.collection)
+      .every((item) => item.collection && this.canDeleteCollection(item.collection));
+
+    const userCanDeleteAccess = canManageCollectionCiphers && canDeleteCollections;
+
+    if (
+      userCanDeleteAccess ||
+      (hasPersonalItems && (!uniqueCipherOrgIds.size || userCanDeleteAccess))
+    ) {
+      return true;
+    }
+
+    return false;
+  }
+
   get disableMenu() {
     return (
       !this.bulkMoveAllowed &&
       !this.showAssignToCollections() &&
-      !this.showDelete() &&
+      !this.showDelete &&
       !this.showBulkEditCollectionAccess
     );
   }
@@ -198,6 +227,37 @@ export class VaultItemsComponent {
     return (organization.canEditAllCiphers && this.viewingOrgVault) || cipher.edit;
   }
 
+  protected canManageCollection(cipher: CipherView) {
+    // If the cipher is not part of an organization (personal item), user can manage it
+    if (cipher.organizationId == null) {
+      return true;
+    }
+
+    // Check for admin access in AC vault
+    if (this.showAdminActions) {
+      const organization = this.allOrganizations.find((o) => o.id === cipher.organizationId);
+      // If the user is an admin, they can delete an unassigned cipher
+      if (cipher.collectionIds.length === 0) {
+        return organization?.canEditUnmanagedCollections === true;
+      }
+
+      if (
+        organization?.permissions.editAnyCollection ||
+        (organization?.allowAdminAccessToAllCollectionItems && organization.isAdmin)
+      ) {
+        return true;
+      }
+    }
+
+    if (this.activeCollection) {
+      return this.activeCollection.manage === true;
+    }
+
+    return this.allCollections
+      .filter((c) => cipher.collectionIds.includes(c.id))
+      .some((collection) => collection.manage);
+  }
+
   private refreshItems() {
     const collections: VaultItem[] = this.collections.map((collection) => ({ collection }));
     const ciphers: VaultItem[] = this.ciphers.map((cipher) => ({ cipher }));
@@ -267,37 +327,6 @@ export class VaultItemsComponent {
     return (canEditOrManageAllCiphers || this.allCiphersHaveEditAccess()) && collectionNotSelected;
   }
 
-  protected showDelete(): boolean {
-    if (this.selection.selected.length === 0) {
-      return true;
-    }
-
-    const hasPersonalItems = this.hasPersonalItems();
-    const uniqueCipherOrgIds = this.getUniqueOrganizationIds();
-    const organizations = Array.from(uniqueCipherOrgIds, (orgId) =>
-      this.allOrganizations.find((o) => o.id === orgId),
-    );
-
-    const canEditOrManageAllCiphers =
-      organizations.length > 0 && organizations.every((org) => org?.canEditAllCiphers);
-
-    const canDeleteCollections = this.selection.selected
-      .filter((item) => item.collection)
-      .every((item) => item.collection && this.canDeleteCollection(item.collection));
-
-    const userCanDeleteAccess =
-      (canEditOrManageAllCiphers || this.allCiphersHaveEditAccess()) && canDeleteCollections;
-
-    if (
-      userCanDeleteAccess ||
-      (hasPersonalItems && (!uniqueCipherOrgIds.size || userCanDeleteAccess))
-    ) {
-      return true;
-    }
-
-    return false;
-  }
-
   private hasPersonalItems(): boolean {
     return this.selection.selected.some(({ cipher }) => cipher?.organizationId === null);
   }