[AC-2763] Allow providers who are also members access to items (#9585)

* [AC-2763] Do not restrict providers if they are also a member of the organization

* [AC-2763] Reduce branching complexity

* [AC-2763] Remove explicit restrict provider access checks in Vault

We can safely fall back organization helpers for cipher access as it already accounts for provider users who are members.
This commit is contained in:
Shane Melton 2024-06-13 07:21:14 -07:00 committed by GitHub
parent d8c764fc9e
commit e56a3386a2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 17 deletions

View File

@ -311,10 +311,6 @@ export class VaultComponent implements OnInit, OnDestroy {
this.editableCollections$ = this.allCollectionsWithoutUnassigned$.pipe( this.editableCollections$ = this.allCollectionsWithoutUnassigned$.pipe(
map((collections) => { map((collections) => {
// If restricted, providers can not add items to any collections or edit those items
if (this.organization.isProviderUser && this.restrictProviderAccessEnabled) {
return [];
}
// Users that can edit all ciphers can implicitly add to / edit within any collection // Users that can edit all ciphers can implicitly add to / edit within any collection
if ( if (
this.organization.canEditAllCiphers( this.organization.canEditAllCiphers(
@ -356,10 +352,6 @@ export class VaultComponent implements OnInit, OnDestroy {
} }
let ciphers; let ciphers;
if (organization.isProviderUser && this.restrictProviderAccessEnabled) {
return [];
}
if (this.flexibleCollectionsV1Enabled) { if (this.flexibleCollectionsV1Enabled) {
// Flexible collections V1 logic. // Flexible collections V1 logic.
// If the user can edit all ciphers for the organization then fetch them ALL. // If the user can edit all ciphers for the organization then fetch them ALL.
@ -488,10 +480,6 @@ export class VaultComponent implements OnInit, OnDestroy {
organization$, organization$,
]).pipe( ]).pipe(
map(([filter, collection, organization]) => { map(([filter, collection, organization]) => {
if (organization.isProviderUser && this.restrictProviderAccessEnabled) {
return collection != undefined || filter.collectionId === Unassigned;
}
return ( return (
(filter.collectionId === Unassigned && (filter.collectionId === Unassigned &&
!organization.canEditUnassignedCiphers(this.restrictProviderAccessEnabled)) || !organization.canEditUnassignedCiphers(this.restrictProviderAccessEnabled)) ||

View File

@ -195,10 +195,18 @@ export class Organization {
} }
canEditUnassignedCiphers(restrictProviderAccessFlagEnabled: boolean) { canEditUnassignedCiphers(restrictProviderAccessFlagEnabled: boolean) {
if (this.isProviderUser) { // Providers can access items until the restrictProviderAccess flag is enabled
return !restrictProviderAccessFlagEnabled; // After the flag is enabled and removed, this block will be deleted
// so that they permanently lose access to items
if (this.isProviderUser && !restrictProviderAccessFlagEnabled) {
return true;
} }
return this.isAdmin || this.permissions.editAnyCollection;
return (
this.type === OrganizationUserType.Admin ||
this.type === OrganizationUserType.Owner ||
this.permissions.editAnyCollection
);
} }
canEditAllCiphers( canEditAllCiphers(
@ -210,8 +218,11 @@ export class Organization {
return this.isAdmin || this.permissions.editAnyCollection; return this.isAdmin || this.permissions.editAnyCollection;
} }
if (this.isProviderUser) { // Providers can access items until the restrictProviderAccess flag is enabled
return !restrictProviderAccessFlagEnabled; // After the flag is enabled and removed, this block will be deleted
// so that they permanently lose access to items
if (this.isProviderUser && !restrictProviderAccessFlagEnabled) {
return true;
} }
// Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins // Post Flexible Collections V1, the allowAdminAccessToAllCollectionItems flag can restrict admins