[AC-2763] Allow providers who are also members access to items (#9585)

* [AC-2763] Do not restrict providers if they are also a member of the organization * [AC-2763] Reduce branching complexity * [AC-2763] Remove explicit restrict provider access checks in Vault We can safely fall back organization helpers for cipher access as it already accounts for provider users who are members.
2024-06-13 07:21:14 -07:00 · 2024-06-13 07:21:14 -07:00 · e56a3386a2
parent d8c764fc9e
commit e56a3386a2
2 changed files with 16 additions and 17 deletions
--- a/apps/web/src/app/vault/org-vault/vault.component.ts
+++ b/apps/web/src/app/vault/org-vault/vault.component.ts
@ -311,10 +311,6 @@ export class VaultComponent implements OnInit, OnDestroy {

    this.editableCollections$ = this.allCollectionsWithoutUnassigned$.pipe(
      map((collections) => {
-        // If restricted, providers can not add items to any collections or edit those items
-        if (this.organization.isProviderUser && this.restrictProviderAccessEnabled) {
-          return [];
-        }
        // Users that can edit all ciphers can implicitly add to / edit within any collection
        if (
          this.organization.canEditAllCiphers(
@ -356,10 +352,6 @@ export class VaultComponent implements OnInit, OnDestroy {
        }
        let ciphers;

-        if (organization.isProviderUser && this.restrictProviderAccessEnabled) {
-          return [];
-        }
-
        if (this.flexibleCollectionsV1Enabled) {
          // Flexible collections V1 logic.
          // If the user can edit all ciphers for the organization then fetch them ALL.
@ -488,10 +480,6 @@ export class VaultComponent implements OnInit, OnDestroy {
      organization$,
    ]).pipe(
      map(([filter, collection, organization]) => {
-        if (organization.isProviderUser && this.restrictProviderAccessEnabled) {
-          return collection != undefined || filter.collectionId === Unassigned;
-        }
-
        return (
          (filter.collectionId === Unassigned &&
            !organization.canEditUnassignedCiphers(this.restrictProviderAccessEnabled)) ||
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@ -195,10 +195,18 @@ export class Organization {
  }

  canEditUnassignedCiphers(restrictProviderAccessFlagEnabled: boolean) {
-    if (this.isProviderUser) {
-      return !restrictProviderAccessFlagEnabled;
+    // Providers can access items until the restrictProviderAccess flag is enabled
+    // After the flag is enabled and removed, this block will be deleted
+    // so that they permanently lose access to items
+    if (this.isProviderUser && !restrictProviderAccessFlagEnabled) {
+      return true;
    }
-    return this.isAdmin || this.permissions.editAnyCollection;
+
+    return (
+      this.type === OrganizationUserType.Admin ||
+      this.type === OrganizationUserType.Owner ||
+      this.permissions.editAnyCollection
+    );
  }

  canEditAllCiphers(
@ -210,8 +218,11 @@ export class Organization {
      return this.isAdmin || this.permissions.editAnyCollection;
    }

-    if (this.isProviderUser) {
-      return !restrictProviderAccessFlagEnabled;
+    // Providers can access items until the restrictProviderAccess flag is enabled
+    // After the flag is enabled and removed, this block will be deleted
+    // so that they permanently lose access to items
+    if (this.isProviderUser && !restrictProviderAccessFlagEnabled) {
+      return true;
    }

    // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins