From a884fcf66460d466b2601cc3ed2b3f1f633846d7 Mon Sep 17 00:00:00 2001
From: Shane Melton <smelton@bitwarden.com>
Date: Mon, 14 Oct 2024 10:02:32 -0700
Subject: [PATCH] [PM-11203] Hide collection/item checkboxes in Admin Console
 (#10970)

* [PM-11203] Hide collection/item checkboxes in AC when a user does not have manage/edit permissions for the collection/item

* [PM-11203] Remove restrict-provider-access flag

* [PM-11203] Adjust the editableItems array to use existing canEdit and canDelete helpers to determine eligibility
---
 .../vault-items/vault-cipher-row.component.html      |  1 +
 .../vault-items/vault-cipher-row.component.ts        | 12 ++++++++++++
 .../vault-items/vault-collection-row.component.ts    |  6 +++++-
 .../components/vault-items/vault-items.component.ts  |  7 ++++---
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html
index 4302edcb4e..2f38d7c70d 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html
+++ b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html
@@ -1,5 +1,6 @@
 <td bitCell [ngClass]="RowHeightClass" class="tw-min-w-fit">
   <input
+    *ngIf="showCheckbox"
     type="checkbox"
     bitCheckbox
     appStopProp
diff --git a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
index 221a22421b..79885da0d4 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.ts
@@ -42,6 +42,7 @@ export class VaultCipherRowComponent implements OnInit {
   @Output() checkedToggled = new EventEmitter<void>();
 
   protected CipherType = CipherType;
+  protected organization?: Organization;
 
   constructor(private configService: ConfigService) {}
 
@@ -53,6 +54,9 @@ export class VaultCipherRowComponent implements OnInit {
     this.extensionRefreshEnabled = await firstValueFrom(
       this.configService.getFeatureFlag$(FeatureFlag.ExtensionRefresh),
     );
+    if (this.cipher.organizationId != null) {
+      this.organization = this.organizations.find((o) => o.id === this.cipher.organizationId);
+    }
   }
 
   protected get showTotpCopyButton() {
@@ -138,4 +142,12 @@ export class VaultCipherRowComponent implements OnInit {
   protected assignToCollections() {
     this.onEvent.emit({ type: "assignToCollections", items: [this.cipher] });
   }
+
+  protected get showCheckbox() {
+    if (!this.viewingOrgVault || !this.organization) {
+      return true; // Always show checkbox in individual vault or for non-org items
+    }
+
+    return this.organization.canEditAllCiphers || this.cipher.edit;
+  }
 }
diff --git a/apps/web/src/app/vault/components/vault-items/vault-collection-row.component.ts b/apps/web/src/app/vault/components/vault-items/vault-collection-row.component.ts
index 36cd3679a0..9656e4e835 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-collection-row.component.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-collection-row.component.ts
@@ -103,6 +103,10 @@ export class VaultCollectionRowComponent {
   }
 
   protected get showCheckbox() {
-    return this.collection?.id !== Unassigned;
+    if (this.collection?.id === Unassigned) {
+      return false; // Never show checkbox for Unassigned
+    }
+
+    return this.canEditCollection || this.canDeleteCollection;
   }
 }
diff --git a/apps/web/src/app/vault/components/vault-items/vault-items.component.ts b/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
index 04f2245d26..794a0b3b25 100644
--- a/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
+++ b/apps/web/src/app/vault/components/vault-items/vault-items.component.ts
@@ -1,7 +1,7 @@
 import { SelectionModel } from "@angular/cdk/collections";
 import { Component, EventEmitter, Input, Output } from "@angular/core";
 
-import { Unassigned, CollectionView } from "@bitwarden/admin-console/common";
+import { CollectionView, Unassigned } from "@bitwarden/admin-console/common";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { TableDataSource } from "@bitwarden/components";
@@ -205,11 +205,12 @@ export class VaultItemsComponent {
 
     this.selection.clear();
 
-    // Every item except for the Unassigned collection is selectable, individual bulk actions check the user's permission
+    // All ciphers are selectable, collections only if they can be edited or deleted
     this.editableItems = items.filter(
       (item) =>
         item.cipher !== undefined ||
-        (item.collection !== undefined && item.collection.id !== Unassigned),
+        (item.collection !== undefined &&
+          (this.canEditCollection(item.collection) || this.canDeleteCollection(item.collection))),
     );
 
     this.dataSource.data = items;