[PM-3273][PM-4679] New owner/admin permission on login (#2837)

* [PM-3273] Add property for password set. Add labels. Update sync service. * [PM-3273] Set password needs set in state. Read value on sync and nav to page. * [PM-3273] Add navigation to Set Password on vault landing if needed. * [PM-3273] Update SetPasswordPage copy * [PM-3273] Add ManageResetPassword to Org Permissions, handle it on sync. * [PM-3273] Change user has master password state when set master password is complete. * [PM-3273] Code clean up * [PM-3273] Remove unnecessary property from account profile * [PM-3273] Add check for remembered org identifier * [PM-4679] Added logging calls for future checks. --------- Co-authored-by: Federico Maccaroni <fedemkr@gmail.com>
2025-12-24 04:04:34 +00:00 · 2023-11-09 17:21:00 +00:00
parent 3a13ba4efa
commit 793c5fef6f
42 changed files with 203544 additions and 33 deletions
--- a/src/Core/Services/StateService.cs
+++ b/src/Core/Services/StateService.cs
@@ -1363,6 +1363,15 @@ namespace Bit.Core.Services
            _storageMediatorService.Save(Constants.ConfigsKey, value);
        }

+        public async Task SetUserHasMasterPasswordAsync(bool value, string userId = null)
+        {
+            var reconciledOptions = ReconcileOptions(new StorageOptions { UserId = userId },
+                await GetDefaultStorageOptionsAsync());
+            var account = await GetAccountAsync(reconciledOptions);
+            account.Profile.UserDecryptionOptions.HasMasterPassword = value;
+            await SaveAccountAsync(account, reconciledOptions);
+        }
+
        public async Task<Region?> GetActiveUserRegionAsync()
        {
            return await GetActiveUserCustomDataAsync(a => a?.Settings?.Region);
--- a/src/Core/Services/SyncService.cs
+++ b/src/Core/Services/SyncService.cs
@@ -5,6 +5,7 @@ using System.Threading.Tasks;
 using Bit.Core.Abstractions;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Domain;
 using Bit.Core.Models.Response;
 using Bit.Core.Utilities;

@@ -398,6 +399,33 @@ namespace Bit.Core.Services
            await _stateService.SetPersonalPremiumAsync(response.Premium);
            await _stateService.SetAvatarColorAsync(response.AvatarColor);
            await _keyConnectorService.SetUsesKeyConnectorAsync(response.UsesKeyConnector);
+            await SetPasswordSetReasonIfNeededAsync(response);
+        }
+
+        private async Task SetPasswordSetReasonIfNeededAsync(ProfileResponse response)
+        {
+            // The `ForcePasswordReset` flag indicates an admin has reset the user's password and must be updated
+            if (response.ForcePasswordReset)
+            {
+                await _stateService.SetForcePasswordResetReasonAsync(ForcePasswordResetReason.AdminForcePasswordReset);
+            }
+
+            var hasManageResetPasswordPermission = response.Organizations.Any(org =>
+                org.Type == Enums.OrganizationUserType.Owner ||
+                org.Type == Enums.OrganizationUserType.Admin ||
+                org.Permissions?.ManageResetPassword == true);
+            if (!hasManageResetPasswordPermission)
+            {
+                return;
+            }
+
+            var decryptionOptions = await _stateService.GetAccountDecryptionOptions();
+            if (decryptionOptions?.HasMasterPassword == false)
+            {
+                // TDE user w/out MP went from having no password reset permission to having it.
+                // Must set the force password reset reason so the auth guard will redirect to the set password page.
+                await _stateService.SetForcePasswordResetReasonAsync(ForcePasswordResetReason.TdeUserWithoutPasswordHasPasswordResetPermission);
+            }
        }

        private async Task SyncFoldersAsync(string userId, List<FolderResponse> response)