mange policies custom permission edge case, copy update (#17083)

2025-12-06 00:13:28 +00:00 · 2025-11-03 09:53:28 -05:00
parent 63c14af4f8
commit 8e1a6a3c80
4 changed files with 39 additions and 16 deletions
--- a/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html
+++ b/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html
@@ -63,7 +63,9 @@
    bitFormButton
    type="submit"
  >
-    @if (autoConfirmEnabled$ | async) {
+    @let autoConfirmEnabled = autoConfirmEnabled$ | async;
+    @let managePoliciesOnly = managePolicies$ | async;
+    @if (autoConfirmEnabled || managePoliciesOnly) {
      {{ "save" | i18n }}
    } @else {
      {{ "continue" | i18n }}
--- a/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts
@@ -22,6 +22,7 @@ import {
  tap,
 } from "rxjs";

+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
@@ -30,6 +31,7 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { getById } from "@bitwarden/common/platform/misc";
 import {
  DIALOG_DATA,
  DialogConfig,
@@ -83,6 +85,12 @@ export class AutoConfirmPolicyDialogComponent
    switchMap((userId) => this.policyService.policies$(userId)),
    map((policies) => policies.find((p) => p.type === PolicyType.AutoConfirm)?.enabled ?? false),
  );
+  protected managePolicies$: Observable<boolean> = this.accountService.activeAccount$.pipe(
+    getUserId,
+    switchMap((userId) => this.organizationService.organizations$(userId)),
+    getById(this.data.organizationId),
+    map((organization) => (!organization?.isAdmin && organization?.canManagePolicies) ?? false),
+  );

  private readonly submitPolicy: Signal<TemplateRef<unknown> | undefined> = viewChild("step0");
  private readonly openExtension: Signal<TemplateRef<unknown> | undefined> = viewChild("step1");
@@ -105,6 +113,7 @@ export class AutoConfirmPolicyDialogComponent
    toastService: ToastService,
    configService: ConfigService,
    keyService: KeyService,
+    private organizationService: OrganizationService,
    private policyService: PolicyService,
    private router: Router,
  ) {
@@ -146,22 +155,34 @@ export class AutoConfirmPolicyDialogComponent
      tap((singleOrgPolicyEnabled) =>
        this.policyComponent?.setSingleOrgEnabled(singleOrgPolicyEnabled),
      ),
-      map((singleOrgPolicyEnabled) => [
-        {
-          sideEffect: () => this.handleSubmit(singleOrgPolicyEnabled ?? false),
-          footerContent: this.submitPolicy,
-          titleContent: this.submitPolicyTitle,
-        },
-        {
-          sideEffect: () => this.openBrowserExtension(),
-          footerContent: this.openExtension,
-          titleContent: this.openExtensionTitle,
-        },
-      ]),
+      switchMap((singleOrgPolicyEnabled) => this.buildMultiStepSubmit(singleOrgPolicyEnabled)),
      shareReplay({ bufferSize: 1, refCount: true }),
    );
  }

+  private buildMultiStepSubmit(singleOrgPolicyEnabled: boolean): Observable<MultiStepSubmit[]> {
+    return this.managePolicies$.pipe(
+      map((managePoliciesOnly) => {
+        const submitSteps = [
+          {
+            sideEffect: () => this.handleSubmit(singleOrgPolicyEnabled ?? false),
+            footerContent: this.submitPolicy,
+            titleContent: this.submitPolicyTitle,
+          },
+        ];
+
+        if (!managePoliciesOnly) {
+          submitSteps.push({
+            sideEffect: () => this.openBrowserExtension(),
+            footerContent: this.openExtension,
+            titleContent: this.openExtensionTitle,
+          });
+        }
+        return submitSteps;
+      }),
+    );
+  }
+
  private async handleSubmit(singleOrgEnabled: boolean) {
    if (!singleOrgEnabled) {
      await this.submitSingleOrg();
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.html
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.html
@@ -27,7 +27,7 @@
          {{ "autoConfirmSingleOrgRequired" | i18n }}
        </span>
      }
-      {{ "autoConfirmSingleOrgRequiredDescription" | i18n }}
+      {{ "autoConfirmSingleOrgRequiredDesc" | i18n }}
    </li>

    <li>
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -5814,8 +5814,8 @@
  "autoConfirmSingleOrgRequired": {
    "message": "Single organization policy required. "
  },
-  "autoConfirmSingleOrgRequiredDescription": {
-    "message": "Anyone part of more than one organization will have their access revoked until they leave the other organizations."
+  "autoConfirmSingleOrgRequiredDesc": {
+    "message": "All members must only belong to this organization to activate this automation."
  },
  "autoConfirmSingleOrgExemption": {
    "message": "Single organization policy will extend to all roles. "