From 4d68952ef39255e2a252137add77c0082cd20944 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Fri, 14 Mar 2025 09:51:40 -0400
Subject: [PATCH] [PM-18089] Update cipher permissions model and consumers
 (#13606)

* update cipher permissions model and consumers

* add new property to tests

* fix test, add property to toCipherData()

* add missing ConfigService

* fix story

* refactor

* fix error, cleanup

* revert refactor

* refactor

* remove uneeded test

* cleanup

* fix build error

* refactor

* clean up

* add tests

* move validation check to after featrue flagged logic

* iterate on feedback

* feedback
---
 .../browser/src/background/main.background.ts |   1 +
 .../service-container/service-container.ts    |   1 +
 .../vault-item-dialog.component.ts            |  10 +-
 .../vault-cipher-row.component.html           |  21 +++-
 .../vault-items/vault-cipher-row.component.ts |  16 ++-
 .../vault-items/vault-items.component.html    |  26 ++++-
 .../vault-items/vault-items.component.ts      |  63 +++++++++++
 .../vault-items/vault-items.stories.ts        |  11 +-
 .../src/services/jslib-services.module.ts     |   7 +-
 .../models/api/cipher-permissions.api.ts      |  21 ++++
 .../src/vault/models/data/cipher.data.ts      |   7 +-
 .../src/vault/models/domain/cipher.spec.ts    |  18 +++
 libs/common/src/vault/models/domain/cipher.ts |   4 +
 .../vault/models/response/cipher.response.ts  |   3 +
 .../src/vault/models/view/cipher.view.ts      |   3 +
 .../cipher-authorization.service.spec.ts      | 104 ++++++++++++++++++
 .../services/cipher-authorization.service.ts  |  77 ++++++++++---
 .../src/vault/services/cipher.service.spec.ts |   2 +
 18 files changed, 372 insertions(+), 23 deletions(-)
 create mode 100644 libs/common/src/vault/models/api/cipher-permissions.api.ts

diff --git a/apps/browser/src/background/main.background.ts b/apps/browser/src/background/main.background.ts
index 713e3e3e353..807767455a5 100644
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@@ -1281,6 +1281,7 @@ export default class MainBackground {
       this.collectionService,
       this.organizationService,
       this.accountService,
+      this.configService,
     );
 
     this.inlineMenuFieldQualificationService = new InlineMenuFieldQualificationService();
diff --git a/apps/cli/src/service-container/service-container.ts b/apps/cli/src/service-container/service-container.ts
index 3beb01b563b..75a74d42bbd 100644
--- a/apps/cli/src/service-container/service-container.ts
+++ b/apps/cli/src/service-container/service-container.ts
@@ -845,6 +845,7 @@ export class ServiceContainer {
       this.collectionService,
       this.organizationService,
       this.accountService,
+      this.configService,
     );
 
     this.masterPasswordApiService = new MasterPasswordApiService(this.apiService, this.logService);
diff --git a/apps/web/src/app/vault/components/vault-item-dialog/vault-item-dialog.component.ts b/apps/web/src/app/vault/components/vault-item-dialog/vault-item-dialog.component.ts
index 881903e79e5..f7169d9dbd4 100644
--- a/apps/web/src/app/vault/components/vault-item-dialog/vault-item-dialog.component.ts
+++ b/apps/web/src/app/vault/components/vault-item-dialog/vault-item-dialog.component.ts
@@ -15,6 +15,8 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions";
 import { EventType } from "@bitwarden/common/enums";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
@@ -231,7 +233,10 @@ export class VaultItemDialogComponent implements OnInit, OnDestroy {
    * A user may restore items if they have delete permissions and the item is in the trash.
    */
   protected async canUserRestore() {
-    return this.isTrashFilter && this.cipher?.isDeleted && this.canDelete;
+    const featureFlagEnabled = await firstValueFrom(this.limitItemDeletion$);
+    return this.isTrashFilter && this.cipher?.isDeleted && featureFlagEnabled
+      ? this.cipher?.permissions.restore
+      : this.canDelete;
   }
 
   protected showRestore: boolean;
@@ -277,6 +282,8 @@ export class VaultItemDialogComponent implements OnInit, OnDestroy {
 
   protected canDelete = false;
 
+  protected limitItemDeletion$ = this.configService.getFeatureFlag$(FeatureFlag.LimitItemDeletion);
+
   constructor(
     @Inject(DIALOG_DATA) protected params: VaultItemDialogParams,
     private dialogRef: DialogRef<VaultItemDialogResult>,
@@ -294,6 +301,7 @@ export class VaultItemDialogComponent implements OnInit, OnDestroy {
     private apiService: ApiService,
     private eventCollectionService: EventCollectionService,
     private routedVaultFilterService: RoutedVaultFilterService,
+    private configService: ConfigService,
   ) {
     this.updateTitle();
   }
diff --git a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html
index befeee43f69..ef6a347f7d3 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html
+++ b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html
@@ -86,7 +86,12 @@
     appStopProp
   ></button>
   <bit-menu #corruptedCipherOptions>
-    <button bitMenuItem *ngIf="canManageCollection" (click)="deleteCipher()" type="button">
+    <button
+      bitMenuItem
+      *ngIf="(limitItemDeletion$ | async) ? canDeleteCipher : canManageCollection"
+      (click)="deleteCipher()"
+      type="button"
+    >
       <span class="tw-text-danger">
         <i class="bwi bwi-fw bwi-trash" aria-hidden="true"></i>
         {{ (cipher.isDeleted ? "permanentlyDelete" : "delete") | i18n }}
@@ -151,11 +156,21 @@
       <i class="bwi bwi-fw bwi-file-text" aria-hidden="true"></i>
       {{ "eventLogs" | i18n }}
     </button>
-    <button bitMenuItem (click)="restore()" type="button" *ngIf="cipher.isDeleted">
+    <button
+      bitMenuItem
+      (click)="restore()"
+      type="button"
+      *ngIf="(limitItemDeletion$ | async) ? cipher.isDeleted && canRestoreCipher : cipher.isDeleted"
+    >
       <i class="bwi bwi-fw bwi-undo" aria-hidden="true"></i>
       {{ "restore" | i18n }}
     </button>
-    <button bitMenuItem *ngIf="canManageCollection" (click)="deleteCipher()" type="button">
+    <button
+      bitMenuItem
+      *ngIf="(limitItemDeletion$ | async) ? canDeleteCipher : canManageCollection"
+      (click)="deleteCipher()"
+      type="button"
+    >
       <span class="tw-text-danger">
         <i class="bwi bwi-fw bwi-trash" aria-hidden="true"></i>
         {{ (cipher.isDeleted ? "permanentlyDelete" : "delete") | i18n }}
diff --git a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
index 5f686fcec9c..317b02356ba 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
@@ -4,6 +4,8 @@ import { Component, EventEmitter, Input, OnInit, Output } from "@angular/core";
 
 import { CollectionView } from "@bitwarden/admin-console/common";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { CipherType } from "@bitwarden/common/vault/enums";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
@@ -36,12 +38,21 @@ export class VaultCipherRowComponent implements OnInit {
   @Input() canEditCipher: boolean;
   @Input() canAssignCollections: boolean;
   @Input() canManageCollection: boolean;
+  /**
+   * uses new permission delete logic from PM-15493
+   */
+  @Input() canDeleteCipher: boolean;
+  /**
+   * uses new permission restore logic from PM-15493
+   */
+  @Input() canRestoreCipher: boolean;
 
   @Output() onEvent = new EventEmitter<VaultItemEvent>();
 
   @Input() checked: boolean;
   @Output() checkedToggled = new EventEmitter<void>();
 
+  protected limitItemDeletion$ = this.configService.getFeatureFlag$(FeatureFlag.LimitItemDeletion);
   protected CipherType = CipherType;
   private permissionList = getPermissionList();
   private permissionPriority = [
@@ -53,7 +64,10 @@ export class VaultCipherRowComponent implements OnInit {
   ];
   protected organization?: Organization;
 
-  constructor(private i18nService: I18nService) {}
+  constructor(
+    private i18nService: I18nService,
+    private configService: ConfigService,
+  ) {}
 
   /**
    * Lifecycle hook for component initialization.
diff --git a/apps/web/src/app/vault/components/vault-items/vault-items.component.html b/apps/web/src/app/vault/components/vault-items/vault-items.component.html
index a32def5fc0c..0042dd4f304 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-items.component.html
+++ b/apps/web/src/app/vault/components/vault-items/vault-items.component.html
@@ -86,11 +86,23 @@
               <i class="bwi bwi-fw bwi-collection" aria-hidden="true"></i>
               {{ "assignToCollections" | i18n }}
             </button>
-            <button *ngIf="showBulkTrashOptions" type="button" bitMenuItem (click)="bulkRestore()">
+            <button
+              *ngIf="
+                (limitItemDeletion$ | async) ? (canRestoreSelected$ | async) : showBulkTrashOptions
+              "
+              type="button"
+              bitMenuItem
+              (click)="bulkRestore()"
+            >
               <i class="bwi bwi-fw bwi-undo" aria-hidden="true"></i>
               {{ "restoreSelected" | i18n }}
             </button>
-            <button *ngIf="showDelete" type="button" bitMenuItem (click)="bulkDelete()">
+            <button
+              *ngIf="(limitItemDeletion$ | async) ? (canDeleteSelected$ | async) : showDelete"
+              type="button"
+              bitMenuItem
+              (click)="bulkDelete()"
+            >
               <span class="tw-text-danger">
                 <i class="bwi bwi-fw bwi-trash" aria-hidden="true"></i>
                 {{ (showBulkTrashOptions ? "permanentlyDeleteSelected" : "delete") | i18n }}
@@ -146,6 +158,16 @@
           [canEditCipher]="canEditCipher(item.cipher)"
           [canAssignCollections]="canAssignCollections(item.cipher)"
           [canManageCollection]="canManageCollection(item.cipher)"
+          [canDeleteCipher]="
+            cipherAuthorizationService.canDeleteCipher$(
+              item.cipher,
+              [item.cipher.collectionId],
+              showAdminActions
+            ) | async
+          "
+          [canRestoreCipher]="
+            cipherAuthorizationService.canRestoreCipher$(item.cipher, showAdminActions) | async
+          "
           (checkedToggled)="selection.toggle(item)"
           (onEvent)="event($event)"
         ></tr>
diff --git a/apps/web/src/app/vault/components/vault-items/vault-items.component.ts b/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
index a641c5b5908..2fcaa8d74af 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
@@ -2,10 +2,14 @@
 // @ts-strict-ignore
 import { SelectionModel } from "@angular/cdk/collections";
 import { Component, EventEmitter, Input, Output } from "@angular/core";
+import { Observable, combineLatest, map, of, startWith, switchMap } from "rxjs";
 
 import { CollectionView, Unassigned, CollectionAdminView } from "@bitwarden/admin-console/common";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
+import { CipherAuthorizationService } from "@bitwarden/common/vault/services/cipher-authorization.service";
 import { SortDirection, TableDataSource } from "@bitwarden/components";
 
 import { GroupView } from "../../../admin-console/organizations/core";
@@ -75,9 +79,67 @@ export class VaultItemsComponent {
 
   @Output() onEvent = new EventEmitter<VaultItemEvent>();
 
+  protected limitItemDeletion$ = this.configService.getFeatureFlag$(FeatureFlag.LimitItemDeletion);
   protected editableItems: VaultItem[] = [];
   protected dataSource = new TableDataSource<VaultItem>();
   protected selection = new SelectionModel<VaultItem>(true, [], true);
+  protected canDeleteSelected$: Observable<boolean>;
+  protected canRestoreSelected$: Observable<boolean>;
+
+  constructor(
+    protected cipherAuthorizationService: CipherAuthorizationService,
+    private configService: ConfigService,
+  ) {
+    this.canDeleteSelected$ = this.selection.changed.pipe(
+      startWith(null),
+      switchMap(() => {
+        const ciphers = this.selection.selected
+          .filter((item) => item.cipher)
+          .map((item) => item.cipher);
+
+        if (this.selection.selected.length === 0) {
+          return of(true);
+        }
+
+        const canDeleteCiphers$ = ciphers.map((c) =>
+          cipherAuthorizationService.canDeleteCipher$(c, [], this.showAdminActions),
+        );
+
+        const canDeleteCollections = this.selection.selected
+          .filter((item) => item.collection)
+          .every((item) => item.collection && this.canDeleteCollection(item.collection));
+
+        const canDelete$ = combineLatest(canDeleteCiphers$).pipe(
+          map((results) => results.every((item) => item) && canDeleteCollections),
+        );
+
+        return canDelete$;
+      }),
+    );
+
+    this.canRestoreSelected$ = this.selection.changed.pipe(
+      startWith(null),
+      switchMap(() => {
+        const ciphers = this.selection.selected
+          .filter((item) => item.cipher)
+          .map((item) => item.cipher);
+
+        if (this.selection.selected.length === 0) {
+          return of(true);
+        }
+
+        const canRestoreCiphers$ = ciphers.map((c) =>
+          cipherAuthorizationService.canRestoreCipher$(c, this.showAdminActions),
+        );
+
+        const canRestore$ = combineLatest(canRestoreCiphers$).pipe(
+          map((results) => results.every((item) => item)),
+        );
+
+        return canRestore$;
+      }),
+    );
+  }
 
   get showExtraColumn() {
     return this.showCollections || this.showGroups || this.showOwner;
@@ -99,6 +161,7 @@ export class VaultItemsComponent {
     );
   }
 
+  //@TODO: remove this function when removing the limitItemDeletion$ feature flag.
   get showDelete(): boolean {
     if (this.selection.selected.length === 0) {
       return true;
diff --git a/apps/web/src/app/vault/components/vault-items/vault-items.stories.ts b/apps/web/src/app/vault/components/vault-items/vault-items.stories.ts
index b1fc9e31bca..f2529bc7a5c 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-items.stories.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-items.stories.ts
@@ -28,6 +28,7 @@ import { AttachmentView } from "@bitwarden/common/vault/models/view/attachment.v
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view";
 import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
+import { CipherAuthorizationService } from "@bitwarden/common/vault/services/cipher-authorization.service";
 
 import { GroupView } from "../../../admin-console/organizations/core";
 import { PreloadedEnglishI18nModule } from "../../../core/tests";
@@ -104,12 +105,20 @@ export default {
         {
           provide: ConfigService,
           useValue: {
-            getFeatureFlag() {
+            getFeatureFlag$() {
               // does not currently affect any display logic, default all to OFF
               return false;
             },
           },
         },
+        {
+          provide: CipherAuthorizationService,
+          useValue: {
+            canDeleteCipher$() {
+              return of(true);
+            },
+          },
+        },
       ],
     }),
     applicationConfig({
diff --git a/libs/angular/src/services/jslib-services.module.ts b/libs/angular/src/services/jslib-services.module.ts
index d67bfb4a312..4b4173c6a05 100644
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -1424,7 +1424,12 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: CipherAuthorizationService,
     useClass: DefaultCipherAuthorizationService,
-    deps: [CollectionService, OrganizationServiceAbstraction, AccountServiceAbstraction],
+    deps: [
+      CollectionService,
+      OrganizationServiceAbstraction,
+      AccountServiceAbstraction,
+      ConfigService,
+    ],
   }),
   safeProvider({
     provide: AuthRequestApiService,
diff --git a/libs/common/src/vault/models/api/cipher-permissions.api.ts b/libs/common/src/vault/models/api/cipher-permissions.api.ts
new file mode 100644
index 00000000000..4df7f891e26
--- /dev/null
+++ b/libs/common/src/vault/models/api/cipher-permissions.api.ts
@@ -0,0 +1,21 @@
+import { Jsonify } from "type-fest";
+
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class CipherPermissionsApi extends BaseResponse {
+  delete: boolean = false;
+  restore: boolean = false;
+
+  constructor(data: any = null) {
+    super(data);
+    if (data == null) {
+      return;
+    }
+    this.delete = this.getResponseProperty("Delete");
+    this.restore = this.getResponseProperty("Restore");
+  }
+
+  static fromJSON(obj: Jsonify<CipherPermissionsApi>) {
+    return Object.assign(new CipherPermissionsApi(), obj);
+  }
+}
diff --git a/libs/common/src/vault/models/data/cipher.data.ts b/libs/common/src/vault/models/data/cipher.data.ts
index 1c86f91c82f..ee5e5b3e72b 100644
--- a/libs/common/src/vault/models/data/cipher.data.ts
+++ b/libs/common/src/vault/models/data/cipher.data.ts
@@ -4,6 +4,7 @@ import { Jsonify } from "type-fest";
 
 import { CipherRepromptType } from "../../enums/cipher-reprompt-type";
 import { CipherType } from "../../enums/cipher-type";
+import { CipherPermissionsApi } from "../api/cipher-permissions.api";
 import { CipherResponse } from "../response/cipher.response";
 
 import { AttachmentData } from "./attachment.data";
@@ -21,6 +22,7 @@ export class CipherData {
   folderId: string;
   edit: boolean;
   viewPassword: boolean;
+  permissions: CipherPermissionsApi;
   organizationUseTotp: boolean;
   favorite: boolean;
   revisionDate: string;
@@ -51,6 +53,7 @@ export class CipherData {
     this.folderId = response.folderId;
     this.edit = response.edit;
     this.viewPassword = response.viewPassword;
+    this.permissions = response.permissions;
     this.organizationUseTotp = response.organizationUseTotp;
     this.favorite = response.favorite;
     this.revisionDate = response.revisionDate;
@@ -95,6 +98,8 @@ export class CipherData {
   }
 
   static fromJSON(obj: Jsonify<CipherData>) {
-    return Object.assign(new CipherData(), obj);
+    const result = Object.assign(new CipherData(), obj);
+    result.permissions = CipherPermissionsApi.fromJSON(obj.permissions);
+    return result;
   }
 }
diff --git a/libs/common/src/vault/models/domain/cipher.spec.ts b/libs/common/src/vault/models/domain/cipher.spec.ts
index 9eadd20f543..1b2b093a553 100644
--- a/libs/common/src/vault/models/domain/cipher.spec.ts
+++ b/libs/common/src/vault/models/domain/cipher.spec.ts
@@ -26,6 +26,7 @@ import { SecureNote } from "../../models/domain/secure-note";
 import { CardView } from "../../models/view/card.view";
 import { IdentityView } from "../../models/view/identity.view";
 import { LoginView } from "../../models/view/login.view";
+import { CipherPermissionsApi } from "../api/cipher-permissions.api";
 
 describe("Cipher DTO", () => {
   it("Convert from empty CipherData", () => {
@@ -54,6 +55,7 @@ describe("Cipher DTO", () => {
       fields: null,
       passwordHistory: null,
       key: null,
+      permissions: undefined,
     });
   });
 
@@ -75,6 +77,7 @@ describe("Cipher DTO", () => {
         notes: "EncryptedString",
         creationDate: "2022-01-01T12:00:00.000Z",
         deletedDate: null,
+        permissions: new CipherPermissionsApi(),
         reprompt: CipherRepromptType.None,
         key: "EncryptedString",
         login: {
@@ -149,6 +152,7 @@ describe("Cipher DTO", () => {
         localData: null,
         creationDate: new Date("2022-01-01T12:00:00.000Z"),
         deletedDate: null,
+        permissions: new CipherPermissionsApi(),
         reprompt: 0,
         key: { encryptedString: "EncryptedString", encryptionType: 0 },
         login: {
@@ -228,6 +232,7 @@ describe("Cipher DTO", () => {
       cipher.deletedDate = null;
       cipher.reprompt = CipherRepromptType.None;
       cipher.key = mockEnc("EncKey");
+      cipher.permissions = new CipherPermissionsApi();
 
       const loginView = new LoginView();
       loginView.username = "username";
@@ -270,6 +275,7 @@ describe("Cipher DTO", () => {
         deletedDate: null,
         reprompt: 0,
         localData: undefined,
+        permissions: new CipherPermissionsApi(),
       });
     });
   });
@@ -297,6 +303,7 @@ describe("Cipher DTO", () => {
         secureNote: {
           type: SecureNoteType.Generic,
         },
+        permissions: new CipherPermissionsApi(),
       };
     });
 
@@ -326,6 +333,7 @@ describe("Cipher DTO", () => {
         fields: null,
         passwordHistory: null,
         key: { encryptedString: "EncKey", encryptionType: 0 },
+        permissions: new CipherPermissionsApi(),
       });
     });
 
@@ -353,6 +361,7 @@ describe("Cipher DTO", () => {
       cipher.secureNote = new SecureNote();
       cipher.secureNote.type = SecureNoteType.Generic;
       cipher.key = mockEnc("EncKey");
+      cipher.permissions = new CipherPermissionsApi();
 
       const keyService = mock<KeyService>();
       const encryptService = mock<EncryptService>();
@@ -387,6 +396,7 @@ describe("Cipher DTO", () => {
         deletedDate: null,
         reprompt: 0,
         localData: undefined,
+        permissions: new CipherPermissionsApi(),
       });
     });
   });
@@ -409,6 +419,7 @@ describe("Cipher DTO", () => {
         notes: "EncryptedString",
         creationDate: "2022-01-01T12:00:00.000Z",
         deletedDate: null,
+        permissions: new CipherPermissionsApi(),
         reprompt: CipherRepromptType.None,
         card: {
           cardholderName: "EncryptedString",
@@ -455,6 +466,7 @@ describe("Cipher DTO", () => {
         fields: null,
         passwordHistory: null,
         key: { encryptedString: "EncKey", encryptionType: 0 },
+        permissions: new CipherPermissionsApi(),
       });
     });
 
@@ -480,6 +492,7 @@ describe("Cipher DTO", () => {
       cipher.deletedDate = null;
       cipher.reprompt = CipherRepromptType.None;
       cipher.key = mockEnc("EncKey");
+      cipher.permissions = new CipherPermissionsApi();
 
       const cardView = new CardView();
       cardView.cardholderName = "cardholderName";
@@ -522,6 +535,7 @@ describe("Cipher DTO", () => {
         deletedDate: null,
         reprompt: 0,
         localData: undefined,
+        permissions: new CipherPermissionsApi(),
       });
     });
   });
@@ -544,6 +558,7 @@ describe("Cipher DTO", () => {
         notes: "EncryptedString",
         creationDate: "2022-01-01T12:00:00.000Z",
         deletedDate: null,
+        permissions: new CipherPermissionsApi(),
         reprompt: CipherRepromptType.None,
         key: "EncKey",
         identity: {
@@ -614,6 +629,7 @@ describe("Cipher DTO", () => {
         fields: null,
         passwordHistory: null,
         key: { encryptedString: "EncKey", encryptionType: 0 },
+        permissions: new CipherPermissionsApi(),
       });
     });
 
@@ -639,6 +655,7 @@ describe("Cipher DTO", () => {
       cipher.deletedDate = null;
       cipher.reprompt = CipherRepromptType.None;
       cipher.key = mockEnc("EncKey");
+      cipher.permissions = new CipherPermissionsApi();
 
       const identityView = new IdentityView();
       identityView.firstName = "firstName";
@@ -681,6 +698,7 @@ describe("Cipher DTO", () => {
         deletedDate: null,
         reprompt: 0,
         localData: undefined,
+        permissions: new CipherPermissionsApi(),
       });
     });
   });
diff --git a/libs/common/src/vault/models/domain/cipher.ts b/libs/common/src/vault/models/domain/cipher.ts
index c08ec8a4ebc..f23e3c0c579 100644
--- a/libs/common/src/vault/models/domain/cipher.ts
+++ b/libs/common/src/vault/models/domain/cipher.ts
@@ -10,6 +10,7 @@ import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-cr
 import { InitializerKey } from "../../../platform/services/cryptography/initializer-key";
 import { CipherRepromptType } from "../../enums/cipher-reprompt-type";
 import { CipherType } from "../../enums/cipher-type";
+import { CipherPermissionsApi } from "../api/cipher-permissions.api";
 import { CipherData } from "../data/cipher.data";
 import { LocalData } from "../data/local.data";
 import { AttachmentView } from "../view/attachment.view";
@@ -39,6 +40,7 @@ export class Cipher extends Domain implements Decryptable<CipherView> {
   organizationUseTotp: boolean;
   edit: boolean;
   viewPassword: boolean;
+  permissions: CipherPermissionsApi;
   revisionDate: Date;
   localData: LocalData;
   login: Login;
@@ -84,6 +86,7 @@ export class Cipher extends Domain implements Decryptable<CipherView> {
     } else {
       this.viewPassword = true; // Default for already synced Ciphers without viewPassword
     }
+    this.permissions = obj.permissions;
     this.revisionDate = obj.revisionDate != null ? new Date(obj.revisionDate) : null;
     this.collectionIds = obj.collectionIds;
     this.localData = localData;
@@ -244,6 +247,7 @@ export class Cipher extends Domain implements Decryptable<CipherView> {
     c.deletedDate = this.deletedDate != null ? this.deletedDate.toISOString() : null;
     c.reprompt = this.reprompt;
     c.key = this.key?.encryptedString;
+    c.permissions = this.permissions;
 
     this.buildDataModel(this, c, {
       name: null,
diff --git a/libs/common/src/vault/models/response/cipher.response.ts b/libs/common/src/vault/models/response/cipher.response.ts
index ee0d36aed97..944a19e088b 100644
--- a/libs/common/src/vault/models/response/cipher.response.ts
+++ b/libs/common/src/vault/models/response/cipher.response.ts
@@ -3,6 +3,7 @@
 import { BaseResponse } from "../../../models/response/base.response";
 import { CipherRepromptType } from "../../enums/cipher-reprompt-type";
 import { CardApi } from "../api/card.api";
+import { CipherPermissionsApi } from "../api/cipher-permissions.api";
 import { FieldApi } from "../api/field.api";
 import { IdentityApi } from "../api/identity.api";
 import { LoginApi } from "../api/login.api";
@@ -28,6 +29,7 @@ export class CipherResponse extends BaseResponse {
   favorite: boolean;
   edit: boolean;
   viewPassword: boolean;
+  permissions: CipherPermissionsApi;
   organizationUseTotp: boolean;
   revisionDate: string;
   attachments: AttachmentResponse[];
@@ -53,6 +55,7 @@ export class CipherResponse extends BaseResponse {
     } else {
       this.viewPassword = this.getResponseProperty("ViewPassword");
     }
+    this.permissions = new CipherPermissionsApi(this.getResponseProperty("Permissions"));
     this.organizationUseTotp = this.getResponseProperty("OrganizationUseTotp");
     this.revisionDate = this.getResponseProperty("RevisionDate");
     this.collectionIds = this.getResponseProperty("CollectionIds");
diff --git a/libs/common/src/vault/models/view/cipher.view.ts b/libs/common/src/vault/models/view/cipher.view.ts
index 650a1e9dc45..7ddba9e2ed5 100644
--- a/libs/common/src/vault/models/view/cipher.view.ts
+++ b/libs/common/src/vault/models/view/cipher.view.ts
@@ -6,6 +6,7 @@ import { InitializerKey } from "../../../platform/services/cryptography/initiali
 import { DeepJsonify } from "../../../types/deep-jsonify";
 import { CipherType, LinkedIdType } from "../../enums";
 import { CipherRepromptType } from "../../enums/cipher-reprompt-type";
+import { CipherPermissionsApi } from "../api/cipher-permissions.api";
 import { LocalData } from "../data/local.data";
 import { Cipher } from "../domain/cipher";
 
@@ -29,6 +30,7 @@ export class CipherView implements View, InitializerMetadata {
   type: CipherType = null;
   favorite = false;
   organizationUseTotp = false;
+  permissions: CipherPermissionsApi = new CipherPermissionsApi();
   edit = false;
   viewPassword = true;
   localData: LocalData;
@@ -63,6 +65,7 @@ export class CipherView implements View, InitializerMetadata {
     this.organizationUseTotp = c.organizationUseTotp;
     this.edit = c.edit;
     this.viewPassword = c.viewPassword;
+    this.permissions = c.permissions;
     this.type = c.type;
     this.localData = c.localData;
     this.collectionIds = c.collectionIds;
diff --git a/libs/common/src/vault/services/cipher-authorization.service.spec.ts b/libs/common/src/vault/services/cipher-authorization.service.spec.ts
index 37ddfdeaeeb..33af28842ca 100644
--- a/libs/common/src/vault/services/cipher-authorization.service.spec.ts
+++ b/libs/common/src/vault/services/cipher-authorization.service.spec.ts
@@ -8,6 +8,8 @@ import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { CollectionId, UserId } from "@bitwarden/common/types/guid";
 
 import { FakeAccountService, mockAccountServiceWith } from "../../../spec";
+import { ConfigService } from "../../platform/abstractions/config/config.service";
+import { CipherPermissionsApi } from "../models/api/cipher-permissions.api";
 import { CipherView } from "../models/view/cipher.view";
 
 import {
@@ -20,6 +22,7 @@ describe("CipherAuthorizationService", () => {
 
   const mockCollectionService = mock<CollectionService>();
   const mockOrganizationService = mock<OrganizationService>();
+  const mockConfigService = mock<ConfigService>();
   const mockUserId = Utils.newGuid() as UserId;
   let mockAccountService: FakeAccountService;
 
@@ -28,10 +31,12 @@ describe("CipherAuthorizationService", () => {
     organizationId: string | null,
     collectionIds: string[],
     edit: boolean = true,
+    permissions: CipherPermissionsApi = new CipherPermissionsApi(),
   ) => ({
     organizationId,
     collectionIds,
     edit,
+    permissions,
   });
 
   const createMockCollection = (id: string, manage: boolean) => ({
@@ -63,7 +68,78 @@ describe("CipherAuthorizationService", () => {
       mockCollectionService,
       mockOrganizationService,
       mockAccountService,
+      mockConfigService,
     );
+
+    mockConfigService.getFeatureFlag$.mockReturnValue(of(false));
+  });
+
+  describe("canRestoreCipher$", () => {
+    it("should return true if isAdminConsoleAction and cipher is unassigned", (done) => {
+      const cipher = createMockCipher("org1", []) as CipherView;
+      const organization = createMockOrganization({ canEditUnassignedCiphers: true });
+      mockOrganizationService.organizations$.mockReturnValue(
+        of([organization]) as Observable<Organization[]>,
+      );
+
+      cipherAuthorizationService.canRestoreCipher$(cipher, true).subscribe((result) => {
+        expect(result).toBe(true);
+        done();
+      });
+    });
+
+    it("should return true if isAdminConsleAction and user can edit all ciphers in the org", (done) => {
+      const cipher = createMockCipher("org1", ["col1"]) as CipherView;
+      const organization = createMockOrganization({ canEditAllCiphers: true });
+      mockOrganizationService.organizations$.mockReturnValue(
+        of([organization]) as Observable<Organization[]>,
+      );
+
+      cipherAuthorizationService.canRestoreCipher$(cipher, true).subscribe((result) => {
+        expect(result).toBe(true);
+        expect(mockOrganizationService.organizations$).toHaveBeenCalledWith(mockUserId);
+        done();
+      });
+    });
+
+    it("should return false if isAdminConsoleAction is true but user does not have permission to edit unassigned ciphers", (done) => {
+      const cipher = createMockCipher("org1", []) as CipherView;
+      const organization = createMockOrganization({ canEditUnassignedCiphers: false });
+      mockOrganizationService.organizations$.mockReturnValue(of([organization] as Organization[]));
+
+      cipherAuthorizationService.canRestoreCipher$(cipher, true).subscribe((result) => {
+        expect(result).toBe(false);
+        done();
+      });
+    });
+
+    it("should return false if cipher.permission.restore is false and is not an admin action", (done) => {
+      const cipher = createMockCipher("org1", [], true, {
+        restore: false,
+      } as CipherPermissionsApi) as CipherView;
+      const organization = createMockOrganization();
+      mockOrganizationService.organizations$.mockReturnValue(of([organization] as Organization[]));
+
+      cipherAuthorizationService.canRestoreCipher$(cipher, false).subscribe((result) => {
+        expect(result).toBe(false);
+        expect(mockCollectionService.decryptedCollectionViews$).not.toHaveBeenCalled();
+        done();
+      });
+    });
+
+    it("should return true if cipher.permission.restore is true and is not an admin action", (done) => {
+      const cipher = createMockCipher("org1", [], true, {
+        restore: true,
+      } as CipherPermissionsApi) as CipherView;
+      const organization = createMockOrganization();
+      mockOrganizationService.organizations$.mockReturnValue(of([organization] as Organization[]));
+
+      cipherAuthorizationService.canRestoreCipher$(cipher, false).subscribe((result) => {
+        expect(result).toBe(true);
+        expect(mockCollectionService.decryptedCollectionViews$).not.toHaveBeenCalled();
+        done();
+      });
+    });
   });
 
   describe("canDeleteCipher$", () => {
@@ -213,6 +289,34 @@ describe("CipherAuthorizationService", () => {
         done();
       });
     });
+
+    it("should return true if feature flag enabled and cipher.permissions.delete is true", (done) => {
+      const cipher = createMockCipher("org1", [], true, {
+        delete: true,
+      } as CipherPermissionsApi) as CipherView;
+      const organization = createMockOrganization();
+      mockOrganizationService.organizations$.mockReturnValue(of([organization] as Organization[]));
+      mockConfigService.getFeatureFlag$.mockReturnValue(of(true));
+
+      cipherAuthorizationService.canDeleteCipher$(cipher, [], false).subscribe((result) => {
+        expect(result).toBe(true);
+        expect(mockCollectionService.decryptedCollectionViews$).not.toHaveBeenCalled();
+        done();
+      });
+    });
+
+    it("should return false if feature flag enabled and cipher.permissions.delete is false", (done) => {
+      const cipher = createMockCipher("org1", []) as CipherView;
+      const organization = createMockOrganization();
+      mockOrganizationService.organizations$.mockReturnValue(of([organization] as Organization[]));
+      mockConfigService.getFeatureFlag$.mockReturnValue(of(true));
+
+      cipherAuthorizationService.canDeleteCipher$(cipher, [], false).subscribe((result) => {
+        expect(result).toBe(false);
+        expect(mockCollectionService.decryptedCollectionViews$).not.toHaveBeenCalled();
+        done();
+      });
+    });
   });
 
   describe("canCloneCipher$", () => {
diff --git a/libs/common/src/vault/services/cipher-authorization.service.ts b/libs/common/src/vault/services/cipher-authorization.service.ts
index fbee3ed8622..b415760a035 100644
--- a/libs/common/src/vault/services/cipher-authorization.service.ts
+++ b/libs/common/src/vault/services/cipher-authorization.service.ts
@@ -1,12 +1,13 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
-import { map, Observable, of, shareReplay, switchMap } from "rxjs";
+import { combineLatest, map, Observable, of, shareReplay, switchMap } from "rxjs";
 
 import { CollectionService } from "@bitwarden/admin-console/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { CollectionId } from "@bitwarden/common/types/guid";
 
+import { getUserId } from "../../auth/services/account.service";
+import { FeatureFlag } from "../../enums/feature-flag.enum";
 import { Cipher } from "../models/domain/cipher";
 import { CipherView } from "../models/view/cipher.view";
 
@@ -28,12 +29,25 @@ export abstract class CipherAuthorizationService {
    *
    * @returns {Observable<boolean>} - An observable that emits a boolean value indicating if the user can delete the cipher.
    */
-  canDeleteCipher$: (
+  abstract canDeleteCipher$: (
     cipher: CipherLike,
     allowedCollections?: CollectionId[],
     isAdminConsoleAction?: boolean,
   ) => Observable<boolean>;
 
+  /**
+   * Determines if the user can restore the specified cipher.
+   *
+   * @param {CipherLike} cipher - The cipher object to evaluate for restore permissions.
+   * @param {boolean} isAdminConsoleAction - Optional. A flag indicating if the action is being performed from the admin console.
+   *
+   * @returns {Observable<boolean>} - An observable that emits a boolean value indicating if the user can restore the cipher.
+   */
+  abstract canRestoreCipher$: (
+    cipher: CipherLike,
+    isAdminConsoleAction?: boolean,
+  ) => Observable<boolean>;
+
   /**
    * Determines if the user can clone the specified cipher.
    *
@@ -42,7 +56,10 @@ export abstract class CipherAuthorizationService {
    *
    * @returns {Observable<boolean>} - An observable that emits a boolean value indicating if the user can clone the cipher.
    */
-  canCloneCipher$: (cipher: CipherLike, isAdminConsoleAction?: boolean) => Observable<boolean>;
+  abstract canCloneCipher$: (
+    cipher: CipherLike,
+    isAdminConsoleAction?: boolean,
+  ) => Observable<boolean>;
 }
 
 /**
@@ -53,13 +70,16 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
     private collectionService: CollectionService,
     private organizationService: OrganizationService,
     private accountService: AccountService,
+    private configService: ConfigService,
   ) {}
 
   private organization$ = (cipher: CipherLike) =>
     this.accountService.activeAccount$.pipe(
-      switchMap((account) => this.organizationService.organizations$(account?.id)),
+      getUserId,
+      switchMap((userId) => this.organizationService.organizations$(userId)),
       map((orgs) => orgs.find((org) => org.id === cipher.organizationId)),
     );
+
   /**
    *
    * {@link CipherAuthorizationService.canDeleteCipher$}
@@ -69,12 +89,11 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
     allowedCollections?: CollectionId[],
     isAdminConsoleAction?: boolean,
   ): Observable<boolean> {
-    if (cipher.organizationId == null) {
-      return of(true);
-    }
-
-    return this.organization$(cipher).pipe(
-      switchMap((organization) => {
+    return combineLatest([
+      this.organization$(cipher),
+      this.configService.getFeatureFlag$(FeatureFlag.LimitItemDeletion),
+    ]).pipe(
+      switchMap(([organization, featureFlagEnabled]) => {
         if (isAdminConsoleAction) {
           // If the user is an admin, they can delete an unassigned cipher
           if (!cipher.collectionIds || cipher.collectionIds.length === 0) {
@@ -86,6 +105,14 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
           }
         }
 
+        if (featureFlagEnabled) {
+          return of(cipher.permissions.delete);
+        }
+
+        if (cipher.organizationId == null) {
+          return of(true);
+        }
+
         return this.collectionService
           .decryptedCollectionViews$(cipher.collectionIds as CollectionId[])
           .pipe(
@@ -93,7 +120,7 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
               const shouldFilter = allowedCollections?.some(Boolean);
 
               const collections = shouldFilter
-                ? allCollections.filter((c) => allowedCollections.includes(c.id as CollectionId))
+                ? allCollections.filter((c) => allowedCollections?.includes(c.id as CollectionId))
                 : allCollections;
 
               return collections.some((collection) => collection.manage);
@@ -103,6 +130,29 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
     );
   }
 
+  /**
+   *
+   * {@link CipherAuthorizationService.canRestoreCipher$}
+   */
+  canRestoreCipher$(cipher: CipherLike, isAdminConsoleAction?: boolean): Observable<boolean> {
+    return this.organization$(cipher).pipe(
+      map((organization) => {
+        if (isAdminConsoleAction) {
+          // If the user is an admin, they can restore an unassigned cipher
+          if (!cipher.collectionIds || cipher.collectionIds.length === 0) {
+            return organization?.canEditUnassignedCiphers === true;
+          }
+
+          if (organization?.canEditAllCiphers) {
+            return true;
+          }
+        }
+
+        return cipher.permissions.restore;
+      }),
+    );
+  }
+
   /**
    * {@link CipherAuthorizationService.canCloneCipher$}
    */
@@ -116,6 +166,7 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
         // Admins and custom users can always clone when in the Admin Console
         if (
           isAdminConsoleAction &&
+          organization &&
           (organization.isAdmin || organization.permissions?.editAnyCollection)
         ) {
           return of(true);
diff --git a/libs/common/src/vault/services/cipher.service.spec.ts b/libs/common/src/vault/services/cipher.service.spec.ts
index 107c2d58766..def0c04dd16 100644
--- a/libs/common/src/vault/services/cipher.service.spec.ts
+++ b/libs/common/src/vault/services/cipher.service.spec.ts
@@ -27,6 +27,7 @@ import { CipherFileUploadService } from "../abstractions/file-upload/cipher-file
 import { FieldType } from "../enums";
 import { CipherRepromptType } from "../enums/cipher-reprompt-type";
 import { CipherType } from "../enums/cipher-type";
+import { CipherPermissionsApi } from "../models/api/cipher-permissions.api";
 import { CipherData } from "../models/data/cipher.data";
 import { Cipher } from "../models/domain/cipher";
 import { CipherCreateRequest } from "../models/request/cipher-create.request";
@@ -57,6 +58,7 @@ const cipherData: CipherData = {
   notes: "EncryptedString",
   creationDate: "2022-01-01T12:00:00.000Z",
   deletedDate: null,
+  permissions: new CipherPermissionsApi(),
   key: "EncKey",
   reprompt: CipherRepromptType.None,
   login: {