[PM-11162] Assign to Collection Permission Update

src/Api/Vault/Controllers/CiphersController.cs

@@ -421,6 +421,59 @@
         return false;
     }
 
+    /// <summary>
+    /// TODO: Move this to its own authorization handler or equivalent service - AC-2062
+    /// </summary>
+    private async Task<bool> CanModifyCipherCollectionsAsync(Guid organizationId, IEnumerable<Guid> cipherIds)
+    {
+        // If the user can edit all ciphers for the organization, just check they all belong to the org
+        if (await CanEditAllCiphersAsync(organizationId))
+        {
+            // TODO: This can likely be optimized to only query the requested ciphers and then checking they belong to the org
+            var orgCiphers = (await _cipherRepository.GetManyByOrganizationIdAsync(organizationId)).ToDictionary(c => c.Id);
+
+            // Ensure all requested ciphers are in orgCiphers
+            if (cipherIds.Any(c => !orgCiphers.ContainsKey(c)))
+            {
+                return false;
+            }
+
+            return true;
+        }
+
+        // The user cannot access any ciphers for the organization, we're done
+        if (!await CanAccessOrganizationCiphersAsync(organizationId))
+        {
+            return false;
+        }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        // Select all editable ciphers for this user belonging to the organization
+        var editableOrgCipherList = (await _cipherRepository.GetManyByUserIdAsync(userId, true))
+            .Where(c => c.OrganizationId == organizationId && c.UserId == null && c.Edit && c.ViewPassword).ToList();
+
+        // Special case for unassigned ciphers
+        if (await CanAccessUnassignedCiphersAsync(organizationId))
+        {
+            var unassignedCiphers =
+                (await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(
+                    organizationId));
+
+            // Users that can access unassigned ciphers can also edit them
+            editableOrgCipherList.AddRange(unassignedCiphers.Select(c => new CipherDetails(c) { Edit = true }));
+        }
+
+        var editableOrgCiphers = editableOrgCipherList
+            .ToDictionary(c => c.Id);
+
+        if (cipherIds.Any(c => !editableOrgCiphers.ContainsKey(c)))
+        {
+            return false;
+        }
+
+        return true;
+    }
+
     /// <summary>
     /// TODO: Move this to its own authorization handler or equivalent service - AC-2062
     /// </summary>
@@ -576,7 +629,7 @@
         var userId = _userService.GetProperUserId(User).Value;
         var cipher = await GetByIdAsync(id, userId);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
-            !await _currentContext.OrganizationUser(cipher.OrganizationId.Value))
+            !await _currentContext.OrganizationUser(cipher.OrganizationId.Value) || !cipher.ViewPassword)
         {
             throw new NotFoundException();
         }
@@ -626,7 +679,7 @@
     [HttpPost("bulk-collections")]
     public async Task PostBulkCollections([FromBody] CipherBulkUpdateCollectionsRequestModel model)
     {
-        if (!await CanEditCiphersAsync(model.OrganizationId, model.CipherIds) ||
+        if (!await CanModifyCipherCollectionsAsync(model.OrganizationId, model.CipherIds) ||
             !await CanEditItemsInCollections(model.OrganizationId, model.CollectionIds))
         {
             throw new NotFoundException();

src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql

@@ -5,12 +5,41 @@ AS
 BEGIN
     SET NOCOUNT ON
 
-    SELECT TOP 1
-        *
+SELECT
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [Data],
+        [Attachments],
+        [CreationDate],
+        [RevisionDate],
+        [Favorite],
+        [FolderId],
+        [DeletedDate],
+        [Reprompt],
+        [Key],
+        [OrganizationUseTotp]
+        , MAX ([Edit]) AS [Edit]
+        , MAX ([ViewPassword]) AS [ViewPassword]
     FROM
         [dbo].[UserCipherDetails](@UserId)
     WHERE
         [Id] = @Id
-    ORDER BY
-        [Edit] DESC
+    GROUP BY
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [Data],
+        [Attachments],
+        [CreationDate],
+        [RevisionDate],
+        [Favorite],
+        [FolderId],
+        [DeletedDate],
+        [Reprompt],
+        [Key],
+        [OrganizationUseTotp]
+
 END

test/Api.Test/Vault/Controllers/CiphersControllerTests.cs

@@ -127,6 +127,7 @@ private CipherDetails CreateCipherDetailsMock(Guid id, Guid userId)
             UserId = userId,
             OrganizationId = Guid.NewGuid(),
             Type = CipherType.Login,
+            ViewPassword = true,
             Data = @"
             {
                 ""Uris"": [

util/Migrator/DbScripts/2024-10-29_00_UpdateCipherDetailsQuery.sql

@@ -0,0 +1,45 @@
+CREATE OR ALTER PROCEDURE [dbo].[CipherDetails_ReadByIdUserId]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    [Id],
+    [UserId],
+    [OrganizationId],
+    [Type],
+    [Data],
+    [Attachments],
+    [CreationDate],
+    [RevisionDate],
+    [Favorite],
+    [FolderId],
+    [DeletedDate],
+    [Reprompt],
+    [Key],
+    [OrganizationUseTotp],
+    MAX ([Edit]) AS [Edit],
+    MAX ([ViewPassword]) AS [ViewPassword]
+FROM
+    [dbo].[UserCipherDetails](@UserId)
+WHERE
+    [Id] = @Id
+GROUP BY
+    [Id],
+    [UserId],
+    [OrganizationId],
+    [Type],
+    [Data],
+    [Attachments],
+    [CreationDate],
+    [RevisionDate],
+    [Favorite],
+    [FolderId],
+    [DeletedDate],
+    [Reprompt],
+    [Key],
+    [OrganizationUseTotp]
+END
+GO