[PM-13892] Browser Refresh - Organization item clone permission fix (#11660)

* [PM-13892] Introduce canClone$ method on CipherAuthorizationService * [PM-13892] Use new canClone$ method for the 3dot menu in browser extension * [PM-13892] Add todo for vault-items.component.ts
2025-12-14 15:23:33 +00:00 · 2024-10-24 14:12:04 -07:00
parent 81d7f319f6
commit a0fe4f4ca6
5 changed files with 120 additions and 4 deletions
--- a/libs/common/src/vault/services/cipher-authorization.service.ts
+++ b/libs/common/src/vault/services/cipher-authorization.service.ts
@@ -1,4 +1,4 @@
-import { map, Observable, of, switchMap } from "rxjs";
+import { map, Observable, of, shareReplay, switchMap } from "rxjs";

 import { CollectionService } from "@bitwarden/admin-console/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
@@ -30,6 +30,16 @@ export abstract class CipherAuthorizationService {
    allowedCollections?: CollectionId[],
    isAdminConsoleAction?: boolean,
  ) => Observable<boolean>;
+
+  /**
+   * Determines if the user can clone the specified cipher.
+   *
+   * @param {CipherLike} cipher - The cipher object to evaluate for cloning permissions.
+   * @param {boolean} isAdminConsoleAction - Optional. A flag indicating if the action is being performed from the admin console.
+   *
+   * @returns {Observable<boolean>} - An observable that emits a boolean value indicating if the user can clone the cipher.
+   */
+  canCloneCipher$: (cipher: CipherLike, isAdminConsoleAction?: boolean) => Observable<boolean>;
 }

 /**
@@ -83,4 +93,30 @@ export class DefaultCipherAuthorizationService implements CipherAuthorizationSer
      }),
    );
  }
+
+  /**
+   * {@link CipherAuthorizationService.canCloneCipher$}
+   */
+  canCloneCipher$(cipher: CipherLike, isAdminConsoleAction?: boolean): Observable<boolean> {
+    if (cipher.organizationId == null) {
+      return of(true);
+    }
+
+    return this.organizationService.get$(cipher.organizationId).pipe(
+      switchMap((organization) => {
+        // Admins and custom users can always clone when in the Admin Console
+        if (
+          isAdminConsoleAction &&
+          (organization.isAdmin || organization.permissions?.editAnyCollection)
+        ) {
+          return of(true);
+        }
+
+        return this.collectionService
+          .decryptedCollectionViews$(cipher.collectionIds as CollectionId[])
+          .pipe(map((allCollections) => allCollections.some((collection) => collection.manage)));
+      }),
+      shareReplay({ bufferSize: 1, refCount: false }),
+    );
+  }
 }