[PM-11162] Assign To Collections Permission Update #11367
Conversation
Codecov ReportAttention: Patch coverage is
✅ All tests successful. No failed tests found. Additional details and impacted files@@ Coverage Diff @@
## main #11367 +/- ##
==========================================
+ Coverage 33.16% 33.19% +0.03%
==========================================
Files 2779 2780 +1
Lines 86228 86417 +189
Branches 16421 16472 +51
==========================================
+ Hits 28597 28688 +91
- Misses 55365 55443 +78
- Partials 2266 2286 +20 ☔ View full report in Codecov by Sentry. |
|
New Issues
Fixed Issues
|
There was a problem hiding this comment.
The change to vault-items looks good!
However, we need to make a similar change to the item-details-section.component for the new CipherForm. It also allows users to modify a cipher's collections without the "Assign To Collections" dialog so we need to adjust that component to disable the collections control when !cipher.viewPassword
| return org.id === this.originalCipherView.organizationId; | ||
| }); | ||
|
|
||
| const filteredCollections = this.originalCipherView.collectionIds.find((id) => { |
There was a problem hiding this comment.
this.originalCipherView can be null when creating a new cipher and this will throw.
| filteredCollections?.length > 0 || | ||
| (this.originalCipherView.edit && this.originalCipherView.viewPassword) | ||
| ) { | ||
| this.showCollectionsControl = true; |
There was a problem hiding this comment.
There was a problem hiding this comment.
🎨 I think we can put a check in the initFromExistingCipher method after the call to updateCollectionOptions() to check if originalCipher.edit && originalCipher.viewPassword. If that is false then we should call this.itemDetailsForm.controls.collectionIds.disable() which will prevent the user from changing the value.
Then we wouldn't need to modify the updateCollectionOptions() method.
| @@ -191,7 +191,10 @@ export class VaultItemsComponent { | |||
| } | |||
|
|
|||
| const organization = this.allOrganizations.find((o) => o.id === cipher.organizationId); | |||
| return (organization.canEditAllCiphers && this.viewingOrgVault) || cipher.edit; | |||
| return ( | |||
There was a problem hiding this comment.
💭 I noticed this returned value is used by the vault-cipher-row.component to show the attachments button. I don't think we want to disable that with when viewPassword == false so we may need to introduce a new option specifically for assigning collections (e.g. canAssignCollections)
…ot remove assign to collections based on permissions
| this.canAssignCollections = true; | ||
| } | ||
|
|
||
| this.organizationService.get$(cipher.organizationId).subscribe((org) => { |
There was a problem hiding this comment.
This observable is not unsubscribed.
| if (cipher?.organizationId == null) { | ||
| this.canAssignCollections = true; |
There was a problem hiding this comment.
I don't follow this - if the cipher isn't in an organization, you can't assign it to a collection.
There was a problem hiding this comment.
@shane-melton this is the file that tagged me for a review, but I think this would fall under Vault ownership under the team boundaries we discussed. Do you agree? If so I can just rubber stamp this review once Vault have approved, but if you could then move it into Vault ownership that would be really helpful.
Also, I was trying to figure out how this is used. I found it in desktop, but there's also a subclass in web which appears unused: https://github.com/bitwarden/clients/blob/main/apps/web/src/app/vault/individual-vault/collections.component.ts#L1.
| } | ||
|
|
||
| this.organizationService.get$(cipher.organizationId).subscribe((org) => { | ||
| this.canAssignCollections = org.canEditAllCiphers || (cipher.edit && cipher.viewPassword); |
There was a problem hiding this comment.
org.canEditAllCiphers checks admin permissions. Do we recognise admin permissions from the individual vault on desktop? I thought we only recognised admin permissions in the Admin Console, regardless of client.
There was a problem hiding this comment.
Also, a canAssignToCollections() getter on CipherView might be a useful abstraction, but that's very much your call.
There was a problem hiding this comment.
Ah apologies! All this was a first draft in my brain and I was going to come back to it after working on some CLI stuff.
Thanks for the review, it was super helpful and got me reducing a ton of that code.
🎟️ Tracking
PM-11162
📔 Objective
Only users with
Can Editpermissions will be allowed toAssign To Collections. If the user hasCan Edit Except Passwordthey should not seeAssign To Collectionsin the menu of the item row.📸 Screen Recording
PM-11162.mov
Desktop Permissions
PM-11162-Desktop.mov
Screenshot of CLI error when trying to add collection to
Can Edit Except PWitem⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes