From e56a3386a25b9a0005479ae3b8eac4757de4b221 Mon Sep 17 00:00:00 2001 From: Shane Melton Date: Thu, 13 Jun 2024 07:21:14 -0700 Subject: [PATCH] [AC-2763] Allow providers who are also members access to items (#9585) * [AC-2763] Do not restrict providers if they are also a member of the organization * [AC-2763] Reduce branching complexity * [AC-2763] Remove explicit restrict provider access checks in Vault We can safely fall back organization helpers for cipher access as it already accounts for provider users who are members. --- .../app/vault/org-vault/vault.component.ts | 12 ----------- .../models/domain/organization.ts | 21 ++++++++++++++----- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/apps/web/src/app/vault/org-vault/vault.component.ts b/apps/web/src/app/vault/org-vault/vault.component.ts index c0322e82df..b43ece5d7c 100644 --- a/apps/web/src/app/vault/org-vault/vault.component.ts +++ b/apps/web/src/app/vault/org-vault/vault.component.ts @@ -311,10 +311,6 @@ export class VaultComponent implements OnInit, OnDestroy { this.editableCollections$ = this.allCollectionsWithoutUnassigned$.pipe( map((collections) => { - // If restricted, providers can not add items to any collections or edit those items - if (this.organization.isProviderUser && this.restrictProviderAccessEnabled) { - return []; - } // Users that can edit all ciphers can implicitly add to / edit within any collection if ( this.organization.canEditAllCiphers( @@ -356,10 +352,6 @@ export class VaultComponent implements OnInit, OnDestroy { } let ciphers; - if (organization.isProviderUser && this.restrictProviderAccessEnabled) { - return []; - } - if (this.flexibleCollectionsV1Enabled) { // Flexible collections V1 logic. // If the user can edit all ciphers for the organization then fetch them ALL. 
@@ -488,10 +480,6 @@ export class VaultComponent implements OnInit, OnDestroy { organization$, ]).pipe( map(([filter, collection, organization]) => { - if (organization.isProviderUser && this.restrictProviderAccessEnabled) { - return collection != undefined || filter.collectionId === Unassigned; - } - return ( (filter.collectionId === Unassigned && !organization.canEditUnassignedCiphers(this.restrictProviderAccessEnabled)) || diff --git a/libs/common/src/admin-console/models/domain/organization.ts b/libs/common/src/admin-console/models/domain/organization.ts index 2632a16da0..f18167f733 100644 --- a/libs/common/src/admin-console/models/domain/organization.ts +++ b/libs/common/src/admin-console/models/domain/organization.ts @@ -195,10 +195,18 @@ export class Organization { } canEditUnassignedCiphers(restrictProviderAccessFlagEnabled: boolean) { - if (this.isProviderUser) { - return !restrictProviderAccessFlagEnabled; + // Providers can access items until the restrictProviderAccess flag is enabled + // After the flag is enabled and removed, this block will be deleted + // so that they permanently lose access to items + if (this.isProviderUser && !restrictProviderAccessFlagEnabled) { + return true; } - return this.isAdmin || this.permissions.editAnyCollection; + + return ( + this.type === OrganizationUserType.Admin || + this.type === OrganizationUserType.Owner || + this.permissions.editAnyCollection + ); } canEditAllCiphers( 
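Review bot: In `canEditUnassignedCiphers`, the new final return trusts `this.type` to carry the user's own membership role, and nothing in this hunk shows what `type` holds for a provider who is not a member of the organization. If that field is ever populated with an owner-equivalent value for provider-only users (worth confirming where the organization data is built), `this.type === OrganizationUserType.Owner` would keep granting access after the restrictProviderAccess flag is enabled. Because the explicit provider checks are removed from vault.component.ts in this same commit, this helper becomes the only client-side gate for those paths, and the diffstat lists no spec file. A unit test covering provider-only, provider-plus-member and plain-member users with the flag on and off would pin the matrix. I would also add a comment above the return, such as `// type is the user's membership role; a provider-only user must not resolve to Admin or Owner here`.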
@@ -210,8 +218,11 @@ export class Organization { return this.isAdmin || this.permissions.editAnyCollection; } - if (this.isProviderUser) { - return !restrictProviderAccessFlagEnabled; + // Providers can access items until the restrictProviderAccess flag is enabled + // After the flag is enabled and removed, this block will be deleted + // so that they permanently lose access to items + if (this.isProviderUser && !restrictProviderAccessFlagEnabled) { + return true; } // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins
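Review bot: The pre-Flexible-Collections branch kept as context at the top of this hunk still returns `this.isAdmin || this.permissions.editAnyCollection`, while `canEditUnassignedCiphers` in the previous hunk was moved off `isAdmin` to explicit `OrganizationUserType` checks. If `isAdmin` also evaluates true for provider users (its getter is not visible here), a provider who is not a member keeps edit-all access on that path even with restrictProviderAccess enabled, so the two helpers would disagree. Either use the same explicit type checks there or record the intent, e.g. `// restrictProviderAccess is not applied before Flexible Collections V1`. `canEditAllCiphers` starts and ends outside this hunk, so the final return after the provider block should be checked for the same `isAdmin` dependency. These helpers only decide what the client shows, so it is worth confirming that the server applies the same provider rule when the flag is on.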