account for special admin console collection permissions

2025-12-15 15:53:27 +00:00 · 2024-10-04 09:21:16 -05:00
parent 100621a09c
commit e4b3f28165
2 changed files with 11 additions and 29 deletions
--- a/apps/web/src/app/vault/org-vault/services/admin-console-cipher-form-config.service.spec.ts
+++ b/apps/web/src/app/vault/org-vault/services/admin-console-cipher-form-config.service.spec.ts
@@ -8,7 +8,6 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { CipherId } from "@bitwarden/common/types/guid";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
-import { CollectionService } from "@bitwarden/common/vault/abstractions/collection.service";

 import { RoutedVaultFilterService } from "../../individual-vault/vault-filter/services/routed-vault-filter.service";

@@ -37,7 +36,6 @@ describe("AdminConsoleCipherFormConfigService", () => {
        },
        { provide: OrganizationService, useValue: { get$: () => organization$ } },
        { provide: CipherService, useValue: { get: getCipher } },
-        { provide: CollectionService, useValue: { getAllDecrypted: () => Promise.resolve([]) } },
        { provide: CollectionAdminService, useValue: { getAll: () => Promise.resolve([]) } },
        {
          provide: RoutedVaultFilterService,
--- a/apps/web/src/app/vault/org-vault/services/admin-console-cipher-form-config.service.ts
+++ b/apps/web/src/app/vault/org-vault/services/admin-console-cipher-form-config.service.ts
@@ -1,5 +1,5 @@
 import { inject, Injectable } from "@angular/core";
-import { combineLatest, defer, filter, firstValueFrom, map, switchMap } from "rxjs";
+import { combineLatest, filter, firstValueFrom, map, switchMap } from "rxjs";

 import { CollectionAdminService } from "@bitwarden/admin-console/common";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
@@ -9,7 +9,6 @@ import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { CipherId } from "@bitwarden/common/types/guid";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
-import { CollectionService } from "@bitwarden/common/vault/abstractions/collection.service";
 import { CipherType } from "@bitwarden/common/vault/enums";
 import { CipherData } from "@bitwarden/common/vault/models/data/cipher.data";
 import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
@@ -27,7 +26,6 @@ export class AdminConsoleCipherFormConfigService implements CipherFormConfigServ
  private policyService: PolicyService = inject(PolicyService);
  private organizationService: OrganizationService = inject(OrganizationService);
  private cipherService: CipherService = inject(CipherService);
-  private collectionService: CollectionService = inject(CollectionService);
  private routedVaultFilterService: RoutedVaultFilterService = inject(RoutedVaultFilterService);
  private collectionAdminService: CollectionAdminService = inject(CollectionAdminService);
  private apiService: ApiService = inject(ApiService);
@@ -45,25 +43,15 @@ export class AdminConsoleCipherFormConfigService implements CipherFormConfigServ
    switchMap((organizationId) => this.organizationService.get$(organizationId)),
  );

-  private allCollectionsWithoutUnassigned$ = combineLatest([
-    this.organizationId$.pipe(switchMap((orgId) => this.collectionAdminService.getAll(orgId))),
-    defer(() => this.collectionService.getAllDecrypted()),
-  ]).pipe(
-    map(([adminCollections, syncCollections]) => {
-      const syncCollectionDict = Object.fromEntries(syncCollections.map((c) => [c.id, c]));
-
-      return adminCollections.map((collection) => {
-        const currentId: any = collection.id;
-
-        const match = syncCollectionDict[currentId];
-
-        if (match) {
-          collection.manage = match.manage;
-          collection.readOnly = match.readOnly;
-          collection.hidePasswords = match.hidePasswords;
-        }
-        return collection;
-      });
+  private editableCollections$ = this.organization$.pipe(
+    switchMap(async (org) => {
+      const collections = await this.collectionAdminService.getAll(org.id);
+      // Users that can edit all ciphers can implicitly add to / edit within any collection
+      if (org.canEditAllCiphers) {
+        return collections;
+      }
+      // The user is only allowed to add/edit items to assigned collections that are not readonly
+      return collections.filter((c) => c.assigned && !c.readOnly);
    }),
  );

@@ -73,11 +61,7 @@ export class AdminConsoleCipherFormConfigService implements CipherFormConfigServ
    cipherType?: CipherType,
  ): Promise<CipherFormConfig> {
    const [organization, allowPersonalOwnership, allCollections] = await firstValueFrom(
-      combineLatest([
-        this.organization$,
-        this.allowPersonalOwnership$,
-        this.allCollectionsWithoutUnassigned$,
-      ]),
+      combineLatest([this.organization$, this.allowPersonalOwnership$, this.editableCollections$]),
    );

    const cipher = await this.getCipher(organization, cipherId);