[AC-1124] Restrict admins from accessing items in the Collections tab (#7537)

* [AC-1124] Add getManyFromApiForOrganization to cipher.service.ts * [AC-1124] Use getManyFromApiForOrganization when a user does not have access to all ciphers * [AC-1124] Vault changes - Show new collection access restricted view - Include unassigned ciphers for restricted admins - Restrict collections when creating/cloning/editing ciphers * [AC-1124] Update edit cipher on page navigation to check if user can access the cipher * [AC-1124] Hide ciphers from restricted collections * [AC-1124] Ensure providers are not shown collection access restricted view * [AC-1124] Modify add-edit component to call the correct endpoint when a restricted admin attempts to add-edit a cipher * [AC-1124] Fix bug after merge with main * [AC-1124] Use private this._organization * [AC-1124] Fix broken builds
2025-12-17 16:53:34 +00:00 · 2024-02-08 14:07:42 -08:00
parent 3ee27fc61f
commit 5c6245aaae
14 changed files with 284 additions and 76 deletions
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@@ -196,6 +196,20 @@ export class Organization {
    return this.canEditAnyCollection;
  }

+  canEditAllCiphers(flexibleCollectionsV1Enabled: boolean) {
+    // Before Flexible Collections, anyone with editAnyCollection permission could edit all ciphers
+    if (!flexibleCollectionsV1Enabled) {
+      return this.canEditAnyCollection;
+    }
+    // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins
+    // Providers are not affected by allowAdminAccessToAllCollectionItems flag
+    // note: canEditAnyCollection may change in the V1 to also ignore the allowAdminAccessToAllCollectionItems flag
+    return (
+      this.isProviderUser ||
+      (this.allowAdminAccessToAllCollectionItems && this.canEditAnyCollection)
+    );
+  }
+
  get canDeleteAnyCollection() {
    return this.isAdmin || this.permissions.deleteAnyCollection;
  }
--- a/libs/common/src/vault/abstractions/cipher.service.ts
+++ b/libs/common/src/vault/abstractions/cipher.service.ts
@@ -27,6 +27,11 @@ export abstract class CipherService {
    defaultMatch?: UriMatchType,
  ) => Promise<CipherView[]>;
  getAllFromApiForOrganization: (organizationId: string) => Promise<CipherView[]>;
+  /**
+   * Gets ciphers belonging to the specified organization that the user has explicit collection level access to.
+   * Ciphers that are not assigned to any collections are only included for users with admin access.
+   */
+  getManyFromApiForOrganization: (organizationId: string) => Promise<CipherView[]>;
  getLastUsedForUrl: (url: string, autofillOnPageLoad: boolean) => Promise<CipherView>;
  getLastLaunchedForUrl: (url: string, autofillOnPageLoad: boolean) => Promise<CipherView>;
  getNextCipherForUrl: (url: string) => Promise<CipherView>;
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@@ -5,6 +5,7 @@ import { ApiService } from "../../abstractions/api.service";
 import { SearchService } from "../../abstractions/search.service";
 import { SettingsService } from "../../abstractions/settings.service";
 import { ErrorResponse } from "../../models/response/error.response";
+import { ListResponse } from "../../models/response/list.response";
 import { View } from "../../models/view/view";
 import { ConfigServiceAbstraction } from "../../platform/abstractions/config/config.service.abstraction";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
@@ -387,6 +388,24 @@ export class CipherService implements CipherServiceAbstraction {

  async getAllFromApiForOrganization(organizationId: string): Promise<CipherView[]> {
    const response = await this.apiService.getCiphersOrganization(organizationId);
+    return await this.decryptOrganizationCiphersResponse(response, organizationId);
+  }
+
+  async getManyFromApiForOrganization(organizationId: string): Promise<CipherView[]> {
+    const response = await this.apiService.send(
+      "GET",
+      "/ciphers/organization-details/assigned?organizationId=" + organizationId,
+      null,
+      true,
+      true,
+    );
+    return this.decryptOrganizationCiphersResponse(response, organizationId);
+  }
+
+  private async decryptOrganizationCiphersResponse(
+    response: ListResponse<CipherResponse>,
+    organizationId: string,
+  ): Promise<CipherView[]> {
    if (response?.data == null || response.data.length < 1) {
      return [];
    }