bitwarden · nick-livefront · Nov 7, 2024 · Oct 21, 2024 · Oct 21, 2024 · Oct 22, 2024
@@ -6,6 +6,7 @@ import { firstValueFrom, Observable, Subject } from "rxjs";
 import { map } from "rxjs/operators";
 
 import { CollectionView } from "@bitwarden/admin-console/common";
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions";
@@ -17,6 +18,8 @@ import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.servi
 import { PremiumUpgradePromptService } from "@bitwarden/common/vault/abstractions/premium-upgrade-prompt.service";
 import { ViewPasswordHistoryService } from "@bitwarden/common/vault/abstractions/view-password-history.service";
 import { CipherType } from "@bitwarden/common/vault/enums";
+import { CipherData } from "@bitwarden/common/vault/models/data/cipher.data";
+import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { CipherAuthorizationService } from "@bitwarden/common/vault/services/cipher-authorization.service";
 import {
@@ -231,6 +234,7 @@ export class VaultItemDialogComponent implements OnInit, OnDestroy {
     private billingAccountProfileStateService: BillingAccountProfileStateService,
     private premiumUpgradeService: PremiumUpgradePromptService,
     private cipherAuthorizationService: CipherAuthorizationService,
+    private apiService: ApiService,
   ) {
     this.updateTitle();
   }
@@ -278,7 +282,20 @@ export class VaultItemDialogComponent implements OnInit, OnDestroy {
     if (this._originalFormMode === "add" || this._originalFormMode === "clone") {
       this.formConfig.mode = "edit";
     }
-    this.formConfig.originalCipher = await this.cipherService.get(cipherView.id);
+
+    let cipher: Cipher;
+
+    // When the form config is used within the Admin Console, retrieve the cipher from the admin endpoint
+    if (this.formConfig.isAdminConsole) {
+      const cipherResponse = await this.apiService.getCipherAdmin(cipherView.id);
+      const cipherData = new CipherData(cipherResponse);
+      cipher = new Cipher(cipherData);
+    } else {
+      cipher = await this.cipherService.get(cipherView.id);
+    }
+
+    // Store the updated cipher so any following edits use the most up to date cipher
+    this.formConfig.originalCipher = cipher;
     this._cipherModified = true;
     await this.changeMode("view");
   }

@@ -1,14 +1,13 @@
 import { TestBed } from "@angular/core/testing";
 import { BehaviorSubject } from "rxjs";
 
-import { CollectionAdminService } from "@bitwarden/admin-console/common";
+import { CollectionAdminService, CollectionAdminView } from "@bitwarden/admin-console/common";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { OrganizationUserStatusType } from "@bitwarden/common/admin-console/enums";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { CipherId } from "@bitwarden/common/types/guid";
-import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 
 import { RoutedVaultFilterService } from "../../individual-vault/vault-filter/services/routed-vault-filter.service";
 
@@ -35,27 +34,41 @@ describe("AdminConsoleCipherFormConfigService", () => {
     status: OrganizationUserStatusType.Confirmed,
   };
   const policyAppliesToActiveUser$ = new BehaviorSubject<boolean>(true);
+  const collection = {
+    id: "12345-5555",
+    organizationId: "234534-34334",
+    name: "Test Collection 1",
+    assigned: false,
+    readOnly: true,
+  } as CollectionAdminView;
+  const collection2 = {
+    id: "12345-6666",
+    organizationId: "22222-2222",
+    name: "Test Collection 2",
+    assigned: true,
+    readOnly: false,
+  } as CollectionAdminView;
+
   const organization$ = new BehaviorSubject<Organization>(testOrg as Organization);
   const organizations$ = new BehaviorSubject<Organization[]>([testOrg, testOrg2] as Organization[]);
   const getCipherAdmin = jest.fn().mockResolvedValue(null);
-  const getCipher = jest.fn().mockResolvedValue(null);
 
   beforeEach(async () => {
     getCipherAdmin.mockClear();
-    getCipher.mockClear();
-    getCipher.mockResolvedValue({ id: cipherId, name: "Test Cipher - (non-admin)" });
     getCipherAdmin.mockResolvedValue({ id: cipherId, name: "Test Cipher - (admin)" });
 
     await TestBed.configureTestingModule({
       providers: [
         AdminConsoleCipherFormConfigService,
+        { provide: OrganizationService, useValue: { get$: () => organization$, organizations$ } },
+        {
+          provide: CollectionAdminService,
+          useValue: { getAll: () => Promise.resolve([collection, collection2]) },
+        },
         {
           provide: PolicyService,
           useValue: { policyAppliesToActiveUser$: () => policyAppliesToActiveUser$ },
         },
-        { provide: OrganizationService, useValue: { get$: () => organization$, organizations$ } },
-        { provide: CipherService, useValue: { get: getCipher } },
-        { provide: CollectionAdminService, useValue: { getAll: () => Promise.resolve([]) } },
         {
           provide: RoutedVaultFilterService,
           useValue: { filter$: new BehaviorSubject({ organizationId: testOrg.id }) },
@@ -86,6 +99,12 @@ describe("AdminConsoleCipherFormConfigService", () => {
       expect(mode).toBe("edit");
     });
 
+    it("returns all collections", async () => {
+      const { collections } = await adminConsoleConfigService.buildConfig("edit", cipherId);
+
+      expect(collections).toEqual([collection, collection2]);
+    });
+
     it("sets admin flag based on `canEditAllCiphers`", async () => {
       // Disable edit all ciphers on org
       testOrg.canEditAllCiphers = false;
@@ -153,33 +172,14 @@ describe("AdminConsoleCipherFormConfigService", () => {
       expect(result.organizations).toEqual([testOrg, testOrg2]);
     });
 
-    describe("getCipher", () => {
-      it("retrieves the cipher from the cipher service", async () => {
-        testOrg.canEditAllCiphers = false;
+    it("retrieves the cipher from the admin service", async () => {
+      getCipherAdmin.mockResolvedValue({ id: cipherId, name: "Test Cipher - (admin)" });
 
-        adminConsoleConfigService = TestBed.inject(AdminConsoleCipherFormConfigService);
-
-        const result = await adminConsoleConfigService.buildConfig("clone", cipherId);
-
-        expect(getCipher).toHaveBeenCalledWith(cipherId);
-        expect(result.originalCipher.name).toBe("Test Cipher - (non-admin)");
-
-        // Admin service not needed when cipher service can return the cipher
-        expect(getCipherAdmin).not.toHaveBeenCalled();
-      });
-
-      it("retrieves the cipher from the admin service", async () => {
-        getCipher.mockResolvedValueOnce(null);
-        getCipherAdmin.mockResolvedValue({ id: cipherId, name: "Test Cipher - (admin)" });
-
-        adminConsoleConfigService = TestBed.inject(AdminConsoleCipherFormConfigService);
-
-        await adminConsoleConfigService.buildConfig("add", cipherId);
+      adminConsoleConfigService = TestBed.inject(AdminConsoleCipherFormConfigService);
 
-        expect(getCipherAdmin).toHaveBeenCalledWith(cipherId);
+      await adminConsoleConfigService.buildConfig("add", cipherId);
 
-        expect(getCipher).toHaveBeenCalledWith(cipherId);
-      });
+      expect(getCipherAdmin).toHaveBeenCalledWith(cipherId);
     });
   });
 });
@@ -6,9 +6,7 @@ import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType, OrganizationUserStatusType } from "@bitwarden/common/admin-console/enums";
-import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { CipherId } from "@bitwarden/common/types/guid";
-import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { CipherType } from "@bitwarden/common/vault/enums";
 import { CipherData } from "@bitwarden/common/vault/models/data/cipher.data";
 import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
@@ -25,7 +23,6 @@ import { RoutedVaultFilterService } from "../../individual-vault/vault-filter/se
 export class AdminConsoleCipherFormConfigService implements CipherFormConfigService {
   private policyService: PolicyService = inject(PolicyService);
   private organizationService: OrganizationService = inject(OrganizationService);
-  private cipherService: CipherService = inject(CipherService);
   private routedVaultFilterService: RoutedVaultFilterService = inject(RoutedVaultFilterService);
   private collectionAdminService: CollectionAdminService = inject(CollectionAdminService);
   private apiService: ApiService = inject(ApiService);
@@ -51,42 +48,26 @@ export class AdminConsoleCipherFormConfigService implements CipherFormConfigServ
     map(([orgs, orgId]) => orgs.find((o) => o.id === orgId)),
   );
 
-  private editableCollections$ = this.organization$.pipe(
-    switchMap(async (org) => {
-      if (!org) {
-        return [];
-      }
-
-      const collections = await this.collectionAdminService.getAll(org.id);
-      // Users that can edit all ciphers can implicitly add to / edit within any collection
-      if (org.canEditAllCiphers) {
-        return collections;
-      }
-      // The user is only allowed to add/edit items to assigned collections that are not readonly
-      return collections.filter((c) => c.assigned && !c.readOnly);
-    }),
+  private allCollections$ = this.organization$.pipe(
+    switchMap(async (org) => await this.collectionAdminService.getAll(org.id)),
   );
 
   async buildConfig(
     mode: CipherFormMode,
     cipherId?: CipherId,
     cipherType?: CipherType,
   ): Promise<CipherFormConfig> {
+    const cipher = await this.getCipher(cipherId);
     const [organization, allowPersonalOwnership, allOrganizations, allCollections] =
       await firstValueFrom(
         combineLatest([
           this.organization$,
           this.allowPersonalOwnership$,
           this.allOrganizations$,
-          this.editableCollections$,
+          this.allCollections$,
         ]),
       );
 
-    const cipher = await this.getCipher(organization, cipherId);
-
-    const collections = allCollections.filter(
-      (c) => c.organizationId === organization.id && c.assigned && !c.readOnly,
-    );
     // When cloning from within the Admin Console, all organizations should be available.
     // Otherwise only the one in context should be
     const organizations = mode === "clone" ? allOrganizations : [organization];
@@ -100,27 +81,19 @@ export class AdminConsoleCipherFormConfigService implements CipherFormConfigServ
       admin: organization.canEditAllCiphers ?? false,
       allowPersonalOwnership: allowPersonalOwnershipOnlyForClone,
       originalCipher: cipher,
-      collections,
+      collections: allCollections,
       organizations,
       folders: [], // folders not applicable in the admin console
       hideIndividualVaultFields: true,
       isAdminConsole: true,
     };
   }
 
-  private async getCipher(organization: Organization, id?: CipherId): Promise<Cipher | null> {
+  private async getCipher(id?: CipherId): Promise<Cipher | null> {
     if (id == null) {
       return Promise.resolve(null);
     }
 
-    // Check to see if the user has direct access to the cipher
-    const cipherFromCipherService = await this.cipherService.get(id);
-
-    // If the organization doesn't allow admin/owners to edit all ciphers return the cipher
-    if (!organization.canEditAllCiphers && cipherFromCipherService != null) {
-      return cipherFromCipherService;
-    }
-
     // Retrieve the cipher through the means of an admin
     const cipherResponse = await this.apiService.getCipherAdmin(id);
     cipherResponse.edit = true;

diff --git a/libs/common/src/services/api.service.ts b/libs/common/src/services/api.service.ts
@@ -583,7 +583,7 @@ export class ApiService implements ApiServiceAbstraction {
   }
 
   putCipherCollectionsAdmin(id: string, request: CipherCollectionsRequest): Promise<any> {
-    return this.send("PUT", "/ciphers/" + id + "/collections-admin", request, true, false);
+    return this.send("PUT", "/ciphers/" + id + "/collections-admin", request, true, true);
   }
 
   postPurgeCiphers(

@@ -119,7 +119,7 @@ export abstract class CipherService implements UserKeyRotationDataProvider<Ciphe
    * Used for Unassigned ciphers or when the user only has admin access to the cipher (not assigned normally).
    * @param cipher
    */
-  saveCollectionsWithServerAdmin: (cipher: Cipher) => Promise<void>;
+  saveCollectionsWithServerAdmin: (cipher: Cipher) => Promise<Cipher>;
   /**
    * Bulk update collections for many ciphers with the server
    * @param orgId

@@ -880,9 +880,11 @@ export class CipherService implements CipherServiceAbstraction {
     return new Cipher(updated[cipher.id as CipherId], cipher.localData);
   }
 
-  async saveCollectionsWithServerAdmin(cipher: Cipher): Promise<void> {
+  async saveCollectionsWithServerAdmin(cipher: Cipher): Promise<Cipher> {
     const request = new CipherCollectionsRequest(cipher.collectionIds);
-    await this.apiService.putCipherCollectionsAdmin(cipher.id, request);
+    const response = await this.apiService.putCipherCollectionsAdmin(cipher.id, request);
+    const data = new CipherData(response);
+    return new Cipher(data);
   }
 
   /**