[PM-11203] Hide collection/item checkboxes in Admin Console (#10970)

* [PM-11203] Hide collection/item checkboxes in AC when a user does not have manage/edit permissions for the collection/item

* [PM-11203] Remove restrict-provider-access flag

* [PM-11203] Adjust the editableItems array to use existing canEdit and canDelete helpers to determine eligibility

apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html

@@ -1,5 +1,6 @@
 <td bitCell [ngClass]="RowHeightClass" class="tw-min-w-fit">
   <input
+    *ngIf="showCheckbox"
     type="checkbox"
     bitCheckbox
     appStopProp

apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts

@@ -42,6 +42,7 @@ export class VaultCipherRowComponent implements OnInit {
   @Output() checkedToggled = new EventEmitter<void>();
 
   protected CipherType = CipherType;
+  protected organization?: Organization;
 
   constructor(private configService: ConfigService) {}
 
@@ -53,6 +54,9 @@ export class VaultCipherRowComponent implements OnInit {
     this.extensionRefreshEnabled = await firstValueFrom(
       this.configService.getFeatureFlag$(FeatureFlag.ExtensionRefresh),
     );
+    if (this.cipher.organizationId != null) {
+      this.organization = this.organizations.find((o) => o.id === this.cipher.organizationId);
+    }
   }
 
   protected get showTotpCopyButton() {
@@ -138,4 +142,12 @@ export class VaultCipherRowComponent implements OnInit {
   protected assignToCollections() {
     this.onEvent.emit({ type: "assignToCollections", items: [this.cipher] });
   }
+
+  protected get showCheckbox() {
+    if (!this.viewingOrgVault || !this.organization) {
+      return true; // Always show checkbox in individual vault or for non-org items
+    }
+
+    return this.organization.canEditAllCiphers || this.cipher.edit;
+  }
 }

apps/web/src/app/vault/components/vault-items/vault-collection-row.component.ts

@@ -103,6 +103,10 @@ export class VaultCollectionRowComponent {
   }
 
   protected get showCheckbox() {
-    return this.collection?.id !== Unassigned;
+    if (this.collection?.id === Unassigned) {
+      return false; // Never show checkbox for Unassigned
+    }
+
+    return this.canEditCollection || this.canDeleteCollection;
   }
 }

apps/web/src/app/vault/components/vault-items/vault-items.component.ts

@@ -1,7 +1,7 @@
 import { SelectionModel } from "@angular/cdk/collections";
 import { Component, EventEmitter, Input, Output } from "@angular/core";
 
-import { Unassigned, CollectionView } from "@bitwarden/admin-console/common";
+import { CollectionView, Unassigned } from "@bitwarden/admin-console/common";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { TableDataSource } from "@bitwarden/components";
@@ -205,11 +205,12 @@ export class VaultItemsComponent {
 
     this.selection.clear();
 
-    // Every item except for the Unassigned collection is selectable, individual bulk actions check the user's permission
+    // All ciphers are selectable, collections only if they can be edited or deleted
     this.editableItems = items.filter(
       (item) =>
         item.cipher !== undefined ||
-        (item.collection !== undefined && item.collection.id !== Unassigned),
+        (item.collection !== undefined &&
+          (this.canEditCollection(item.collection) || this.canDeleteCollection(item.collection))),
     );
 
     this.dataSource.data = items;