[PM-22377] - [Vault] [Clients] Update cipher form component to restrict editing old My Vault items (#15687)

* disable cipher form for "My Items" ciphers * use correct property * prevent changing non org fields in cli for org owned vaults * update var name * fix tests * fix stories * revert changes to item details section. update comment in edit command * remove unused props * fix test * re-apply logic to enforce org ownership * re-apply logic to enforce org ownership * fix logic and test * add empty line to comment * remove unused var * delegate form enabling/disabling to cipherFormContainer * rename var and getter back to original. update comment
2025-12-06 00:13:28 +00:00 · 2025-07-24 10:59:29 -07:00
parent cd33ea0747
commit 7b85870e58
8 changed files with 81 additions and 19 deletions
--- a/apps/cli/src/commands/edit.command.ts
+++ b/apps/cli/src/commands/edit.command.ts
@@ -4,6 +4,8 @@ import { firstValueFrom } from "rxjs";

 import { CollectionRequest } from "@bitwarden/admin-console/common";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
+import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { SelectionReadOnlyRequest } from "@bitwarden/common/admin-console/models/request/selection-read-only.request";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
@@ -36,6 +38,7 @@ export class EditCommand {
    private folderApiService: FolderApiServiceAbstraction,
    private accountService: AccountService,
    private cliRestrictedItemTypesService: CliRestrictedItemTypesService,
+    private policyService: PolicyService,
  ) {}

  async run(
@@ -104,6 +107,18 @@ export class EditCommand {
      return Response.error("Editing this item type is restricted by organizational policy.");
    }

+    const isPersonalVaultItem = cipherView.organizationId == null;
+
+    const organizationOwnershipPolicyApplies = await firstValueFrom(
+      this.policyService.policyAppliesToUser$(PolicyType.OrganizationDataOwnership, activeUserId),
+    );
+
+    if (isPersonalVaultItem && organizationOwnershipPolicyApplies) {
+      return Response.error(
+        "An organization policy restricts editing this cipher. Please use the share command first before modifying it.",
+      );
+    }
+
    const encCipher = await this.cipherService.encrypt(cipherView, activeUserId);
    try {
      const updatedCipher = await this.cipherService.updateWithServer(encCipher);
--- a/apps/cli/src/oss-serve-configurator.ts
+++ b/apps/cli/src/oss-serve-configurator.ts
@@ -103,6 +103,7 @@ export class OssServeConfigurator {
      this.serviceContainer.folderApiService,
      this.serviceContainer.accountService,
      this.serviceContainer.cliRestrictedItemTypesService,
+      this.serviceContainer.policyService,
    );
    this.generateCommand = new GenerateCommand(
      this.serviceContainer.passwordGenerationService,
--- a/apps/cli/src/vault.program.ts
+++ b/apps/cli/src/vault.program.ts
@@ -285,6 +285,7 @@ export class VaultProgram extends BaseProgram {
          this.serviceContainer.folderApiService,
          this.serviceContainer.accountService,
          this.serviceContainer.cliRestrictedItemTypesService,
+          this.serviceContainer.policyService,
        );
        const response = await command.run(object, id, encodedJson, cmd);
        this.processResponse(response);