[PM-11360] Remove export permission for providers (#12062)

* Split organization.canAccessImportExport * Fix import permission to include CanCreateNewCollections * Remove provider export permission (feature flagged)
2025-12-15 15:53:27 +00:00 · 2024-11-22 07:58:03 +10:00
parent 9f99454b37
commit 9e9f977eb3
12 changed files with 142 additions and 97 deletions
--- a/libs/common/src/admin-console/abstractions/organization/organization.service.abstraction.ts
+++ b/libs/common/src/admin-console/abstractions/organization/organization.service.abstraction.ts
@@ -1,7 +1,5 @@
 import { map, Observable } from "rxjs";

-import { I18nService } from "../../../platform/abstractions/i18n.service";
-import { Utils } from "../../../platform/misc/utils";
 import { UserId } from "../../../types/guid";
 import { OrganizationData } from "../../models/data/organization.data";
 import { Organization } from "../../models/domain/organization";
@@ -16,7 +14,8 @@ export function canAccessSettingsTab(org: Organization): boolean {
    org.canManagePolicies ||
    org.canManageSso ||
    org.canManageScim ||
-    org.canAccessImportExport ||
+    org.canAccessImport ||
+    org.canAccessExport(false) || // Feature flag value doesn't matter here, providers will have access to this group anyway
    org.canManageDeviceApprovals
  );
 }
@@ -56,32 +55,6 @@ export function getOrganizationById(id: string) {
  return map<Organization[], Organization | undefined>((orgs) => orgs.find((o) => o.id === id));
 }

-export function canAccessAdmin(i18nService: I18nService) {
-  return map<Organization[], Organization[]>((orgs) =>
-    orgs.filter(canAccessOrgAdmin).sort(Utils.getSortFunction(i18nService, "name")),
-  );
-}
-
-/**
- * @deprecated
- * To be removed after Flexible Collections.
- **/
-export function canAccessImportExport(i18nService: I18nService) {
-  return map<Organization[], Organization[]>((orgs) =>
-    orgs
-      .filter((org) => org.canAccessImportExport)
-      .sort(Utils.getSortFunction(i18nService, "name")),
-  );
-}
-
-export function canAccessImport(i18nService: I18nService) {
-  return map<Organization[], Organization[]>((orgs) =>
-    orgs
-      .filter((org) => org.canAccessImportExport || org.canCreateNewCollections)
-      .sort(Utils.getSortFunction(i18nService, "name")),
-  );
-}
-
 /**
 * Returns `true` if a user is a member of an organization (rather than only being a ProviderUser)
 * @deprecated Use organizationService.organizations$ with a filter instead
--- a/libs/common/src/admin-console/abstractions/organization/vnext.organization.service.ts
+++ b/libs/common/src/admin-console/abstractions/organization/vnext.organization.service.ts
@@ -1,7 +1,5 @@
 import { map, Observable } from "rxjs";

-import { I18nService } from "../../../platform/abstractions/i18n.service";
-import { Utils } from "../../../platform/misc/utils";
 import { UserId } from "../../../types/guid";
 import { OrganizationData } from "../../models/data/organization.data";
 import { Organization } from "../../models/domain/organization";
@@ -16,7 +14,8 @@ export function canAccessSettingsTab(org: Organization): boolean {
    org.canManagePolicies ||
    org.canManageSso ||
    org.canManageScim ||
-    org.canAccessImportExport ||
+    org.canAccessImport ||
+    org.canAccessExport(false) || // Feature flag value doesn't matter here, providers will have access to this group anyway
    org.canManageDeviceApprovals
  );
 }
@@ -56,20 +55,6 @@ export function getOrganizationById(id: string) {
  return map<Organization[], Organization | undefined>((orgs) => orgs.find((o) => o.id === id));
 }

-export function canAccessAdmin(i18nService: I18nService) {
-  return map<Organization[], Organization[]>((orgs) =>
-    orgs.filter(canAccessOrgAdmin).sort(Utils.getSortFunction(i18nService, "name")),
-  );
-}
-
-export function canAccessImport(i18nService: I18nService) {
-  return map<Organization[], Organization[]>((orgs) =>
-    orgs
-      .filter((org) => org.canAccessImportExport || org.canCreateNewCollections)
-      .sort(Utils.getSortFunction(i18nService, "name")),
-  );
-}
-
 /**
 * Publishes an observable stream of organizations. This service is meant to
 * be used widely across Bitwarden as the primary way of fetching organizations.
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@@ -168,8 +168,27 @@ export class Organization {
    return (this.isAdmin || this.permissions.accessEventLogs) && this.useEvents;
  }

-  get canAccessImportExport() {
-    return this.isAdmin || this.permissions.accessImportExport;
+  get canAccessImport() {
+    return (
+      this.isProviderUser ||
+      this.type === OrganizationUserType.Owner ||
+      this.type === OrganizationUserType.Admin ||
+      this.permissions.accessImportExport ||
+      this.canCreateNewCollections // To allow users to create collections and then import into them
+    );
+  }
+
+  canAccessExport(removeProviderExport: boolean) {
+    if (!removeProviderExport && this.isProviderUser) {
+      return true;
+    }
+
+    return (
+      this.isMember &&
+      (this.type === OrganizationUserType.Owner ||
+        this.type === OrganizationUserType.Admin ||
+        this.permissions.accessImportExport)
+    );
  }

  get canAccessReports() {