[PM-18089] Update cipher permissions model and consumers (#13606)

* update cipher permissions model and consumers * add new property to tests * fix test, add property to toCipherData() * add missing ConfigService * fix story * refactor * fix error, cleanup * revert refactor * refactor * remove uneeded test * cleanup * fix build error * refactor * clean up * add tests * move validation check to after featrue flagged logic * iterate on feedback * feedback
2025-12-14 07:13:32 +00:00 · 2025-03-14 09:51:40 -04:00
parent b73e6cf2fe
commit 4d68952ef3
18 changed files with 372 additions and 23 deletions
--- a/libs/common/src/vault/services/cipher-authorization.service.ts
+++ b/libs/common/src/vault/services/cipher-authorization.service.ts
@@ -1,12 +1,13 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
-import { map, Observable, of, shareReplay, switchMap } from "rxjs";
+import { combineLatest, map, Observable, of, shareReplay, switchMap } from "rxjs";

 import { CollectionService } from "@bitwarden/admin-console/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { CollectionId } from "@bitwarden/common/types/guid";

+import { getUserId } from "../../auth/services/account.service";
+import { FeatureFlag } from "../../enums/feature-flag.enum";
 import { Cipher } from "../models/domain/cipher";
 import { CipherView } from "../models/view/cipher.view";

@@ -28,12 +29,25 @@ export abstract class CipherAuthorizationService {
   *
   * @returns {Observable<boolean>} - An observable that emits a boolean value indicating if the user can delete the cipher.
   */
-  canDeleteCipher$: (
+  abstract canDeleteCipher$: (
    cipher: CipherLike,
    allowedCollections?: CollectionId[],
    isAdminConsoleAction?: boolean,
  ) => Observable<boolean>;

+  /**
+   * Determines if the user can restore the specified cipher.
+   *
+   * @param {CipherLike} cipher - The cipher object to evaluate for restore permissions.
+   * @param {boolean} isAdminConsoleAction - Optional. A flag indicating if the action is being performed from the admin console.
+   *
+   * @returns {Observable<boolean>} - An observable that emits a boolean value indicating if the user can restore the cipher.
+   */
+  abstract canRestoreCipher$: (
+    cipher: CipherLike,
+    isAdminConsoleAction?: boolean,
+  ) => Observable<boolean>;
+
  /**
   * Determines if the user can clone the specified cipher.
   *
@@ -42,7 +56,10 @@ export abstract class CipherAuthorizationService {
   *
   * @returns {Observable<boolean>} - An observable that emits a boolean value indicating if the user can clone the cipher.
   */
-  canCloneCipher$: (cipher: CipherLike, isAdminConsoleAction?: boolean) => Observable<boolean>;
+  abstract canCloneCipher$: (
+    cipher: CipherLike,
+    isAdminConsoleAction?: boolean,
+  ) => Observable<boolean>;
 }

 /**
@@ -53,13 +70,16 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
    private collectionService: CollectionService,
    private organizationService: OrganizationService,
    private accountService: AccountService,
+    private configService: ConfigService,
  ) {}

  private organization$ = (cipher: CipherLike) =>
    this.accountService.activeAccount$.pipe(
-      switchMap((account) => this.organizationService.organizations$(account?.id)),
+      getUserId,
+      switchMap((userId) => this.organizationService.organizations$(userId)),
      map((orgs) => orgs.find((org) => org.id === cipher.organizationId)),
    );
+
  /**
   *
   * {@link CipherAuthorizationService.canDeleteCipher$}
@@ -69,12 +89,11 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
    allowedCollections?: CollectionId[],
    isAdminConsoleAction?: boolean,
  ): Observable<boolean> {
-    if (cipher.organizationId == null) {
-      return of(true);
-    }
-
-    return this.organization$(cipher).pipe(
-      switchMap((organization) => {
+    return combineLatest([
+      this.organization$(cipher),
+      this.configService.getFeatureFlag$(FeatureFlag.LimitItemDeletion),
+    ]).pipe(
+      switchMap(([organization, featureFlagEnabled]) => {
        if (isAdminConsoleAction) {
          // If the user is an admin, they can delete an unassigned cipher
          if (!cipher.collectionIds || cipher.collectionIds.length === 0) {
@@ -86,6 +105,14 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
          }
        }

+        if (featureFlagEnabled) {
+          return of(cipher.permissions.delete);
+        }
+
+        if (cipher.organizationId == null) {
+          return of(true);
+        }
+
        return this.collectionService
          .decryptedCollectionViews$(cipher.collectionIds as CollectionId[])
          .pipe(
@@ -93,7 +120,7 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
              const shouldFilter = allowedCollections?.some(Boolean);

              const collections = shouldFilter
-                ? allCollections.filter((c) => allowedCollections.includes(c.id as CollectionId))
+                ? allCollections.filter((c) => allowedCollections?.includes(c.id as CollectionId))
                : allCollections;

              return collections.some((collection) => collection.manage);
@@ -103,6 +130,29 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
    );
  }

+  /**
+   *
+   * {@link CipherAuthorizationService.canRestoreCipher$}
+   */
+  canRestoreCipher$(cipher: CipherLike, isAdminConsoleAction?: boolean): Observable<boolean> {
+    return this.organization$(cipher).pipe(
+      map((organization) => {
+        if (isAdminConsoleAction) {
+          // If the user is an admin, they can restore an unassigned cipher
+          if (!cipher.collectionIds || cipher.collectionIds.length === 0) {
+            return organization?.canEditUnassignedCiphers === true;
+          }
+
+          if (organization?.canEditAllCiphers) {
+            return true;
+          }
+        }
+
+        return cipher.permissions.restore;
+      }),
+    );
+  }
+
  /**
   * {@link CipherAuthorizationService.canCloneCipher$}
   */
@@ -116,6 +166,7 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
        // Admins and custom users can always clone when in the Admin Console
        if (
          isAdminConsoleAction &&
+          organization &&
          (organization.isAdmin || organization.permissions?.editAnyCollection)
        ) {
          return of(true);