Added permission check for organizational unsecure website (#13611)

Only display the cipher's name if the user running the report does not have permissions to view/edit the cipher

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>

apps/web/src/app/tools/reports/pages/organizations/unsecured-websites-report.component.ts

@@ -13,6 +13,7 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
+import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { DialogService } from "@bitwarden/components";
 import { CipherFormConfigService, PasswordRepromptService } from "@bitwarden/vault";
@@ -41,6 +42,9 @@ export class UnsecuredWebsitesReportComponent
   extends BaseUnsecuredWebsitesReportComponent
   implements OnInit
 {
+  // Contains a list of ciphers, the user running the report, can manage
+  private manageableCiphers: Cipher[];
+
   constructor(
     cipherService: CipherService,
     dialogService: DialogService,
@@ -80,6 +84,7 @@ export class UnsecuredWebsitesReportComponent
           .organizations$(userId)
           .pipe(getOrganizationById(params.organizationId)),
       );
+      this.manageableCiphers = await this.cipherService.getAll(userId);
       await super.ngOnInit();
     });
   }
@@ -87,4 +92,8 @@ export class UnsecuredWebsitesReportComponent
   getAllCiphers(): Promise<CipherView[]> {
     return this.cipherService.getAllFromApiForOrganization(this.organization.id);
   }
+
+  protected canManageCipher(c: CipherView): boolean {
+    return this.manageableCiphers.some((x) => x.id === c.id);
+  }
 }

apps/web/src/app/tools/reports/pages/unsecured-websites-report.component.html

@@ -47,15 +47,19 @@
               <app-vault-icon [cipher]="r"></app-vault-icon>
             </td>
             <td bitCell>
-              <a
-                bitLink
-                href="#"
-                appStopClick
-                (click)="selectCipher(r)"
-                title="{{ 'editItemWithName' | i18n: r.name }}"
-              >
-                {{ r.name }}
-              </a>
+              <ng-container *ngIf="!organization || canManageCipher(r); else cantManage">
+                <a
+                  bitLink
+                  href="#"
+                  appStopClick
+                  (click)="selectCipher(r)"
+                  title="{{ 'editItemWithName' | i18n: r.name }}"
+                  >{{ r.name }}</a
+                >
+              </ng-container>
+              <ng-template #cantManage>
+                <span>{{ r.name }}</span>
+              </ng-template>
               <ng-container *ngIf="!organization && r.organizationId">
                 <i
                   class="bwi bwi-collection"

apps/web/src/app/tools/reports/pages/unsecured-websites-report.component.ts

@@ -1,6 +1,6 @@
 import { Component, OnInit } from "@angular/core";
 
-import { CollectionService, Collection } from "@bitwarden/admin-console/common";
+import { CollectionService } from "@bitwarden/admin-console/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -53,17 +53,10 @@ export class UnsecuredWebsitesReportComponent extends CipherReportComponent impl
 
   async setCiphers() {
     const allCiphers = await this.getAllCiphers();
-    const allCollections = await this.collectionService.getAll();
     this.filterStatus = [0];
 
     const unsecuredCiphers = allCiphers.filter((c) => {
-      const containsUnsecured = this.cipherContainsUnsecured(c);
-      if (containsUnsecured === false) {
-        return false;
-      }
-
-      const canView = this.canView(c, allCollections);
-      return canView;
+      return this.cipherContainsUnsecured(c);
     });
 
     this.filterCiphersByOrg(unsecuredCiphers);
@@ -74,7 +67,12 @@ export class UnsecuredWebsitesReportComponent extends CipherReportComponent impl
    * @param cipher Current cipher with unsecured uri
    */
   private cipherContainsUnsecured(cipher: CipherView): boolean {
-    if (cipher.type !== CipherType.Login || !cipher.login.hasUris || cipher.isDeleted) {
+    if (
+      cipher.type !== CipherType.Login ||
+      !cipher.login.hasUris ||
+      cipher.isDeleted ||
+      (!this.organization && !cipher.edit)
+    ) {
       return false;
     }
 
@@ -85,19 +83,13 @@ export class UnsecuredWebsitesReportComponent extends CipherReportComponent impl
   }
 
   /**
-   * If the user does not have readonly set or it's false they have the ability to edit
-   * @param cipher Current cipher with unsecured uri
-   * @param allCollections The collections for the user
+   * Provides a way to determine if someone with permissions to run an organizational report is also able to view/edit ciphers within the results
+   * Default to true for indivduals running reports on their own vault.
+   * @param c CipherView
+   * @returns boolean
    */
-  private canView(cipher: CipherView, allCollections: Collection[]): boolean {
-    if (!cipher.organizationId) {
-      return true;
-    }
-
-    return (
-      allCollections.filter(
-        (item) => cipher.collectionIds.indexOf(item.id) > -1 && !(item.readOnly ?? false),
-      ).length > 0
-    );
+  protected canManageCipher(c: CipherView): boolean {
+    // this will only ever be false from the org view;
+    return true;
   }
 }