
[AC-2605] Restrict collection access for some custom users #9231

Merged (3 commits), May 21, 2024

Conversation

eliykat
Member

@eliykat eliykat commented May 17, 2024

Type of change

- [x] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Currently, the Allow admin access to all collections and items setting does not affect Custom Users with the Manage Groups or Manage Users permissions - they can assign groups and users (respectively) to any collection, including those they don't manage.

Update their permission check to only allow this if Allow admin access is enabled - or if the feature flag is off entirely (current behavior). Otherwise, they must have Can Manage permissions like everyone else. This aligns them with how admins and owners are treated.

Server PR: bitwarden/server#4096

Code changes

  • file.ext: Description of what was changed and why

Screenshots

Screen.Recording.2024-05-17.at.1.38.42.PM.mov

Before you submit

  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team
  • Ensure that all UI additions follow WCAG AA requirements
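As an added illustration (not Bitwarden's code, and not the change in collection-admin.view.ts itself), the following simplified model encodes the rule described in this PR for custom users with Manage Groups / Manage Users, side by side with the behaviour it replaces. All type and function names are hypothetical, and the feature flag is left unnamed because the PR does not name it.

```typescript
// Added example, not project code: a simplified model of the permission rule in this PR.
type AssignmentKind = "groups" | "users";

interface OrgSettings {
  // Hypothetical name; the PR refers to "the feature flag" without naming it.
  featureFlagEnabled: boolean;
  // The "Allow admin access to all collections and items" organization setting.
  allowAdminAccessToAllCollections: boolean;
}

interface UserRole {
  isAdminOrOwner: boolean;
  // Custom-user permissions relevant to assigning access to a collection.
  manageGroups: boolean;
  manageUsers: boolean;
}

interface Collection {
  id: string;
  // Whether the current user has Can Manage on this collection.
  manage: boolean;
}

// Shared rule for elevated roles: legacy behaviour while the flag is off, otherwise
// the org setting or Can Manage on the specific collection is required.
function elevatedCanAssign(org: OrgSettings, c: Collection): boolean {
  return !org.featureFlagEnabled || org.allowAdminAccessToAllCollections || c.manage;
}

function hasCustomPermission(kind: AssignmentKind, user: UserRole): boolean {
  return kind === "groups" ? user.manageGroups : user.manageUsers;
}

// Behaviour the PR describes as the bug: the custom permission alone allowed
// assigning to any collection, ignoring the org setting and Can Manage.
function canAssignBeforeFix(kind: AssignmentKind, org: OrgSettings, user: UserRole, c: Collection): boolean {
  if (hasCustomPermission(kind, user)) return true;
  if (user.isAdminOrOwner) return elevatedCanAssign(org, c);
  return c.manage;
}

// Fixed behaviour: custom users with the permission are treated like admins and owners.
function canAssignAfterFix(kind: AssignmentKind, org: OrgSettings, user: UserRole, c: Collection): boolean {
  if (user.isAdminOrOwner || hasCustomPermission(kind, user)) return elevatedCanAssign(org, c);
  return c.manage;
}
```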

@eliykat eliykat requested a review from a team as a code owner May 17, 2024 03:13
@eliykat eliykat requested a review from shane-melton May 17, 2024 03:13
@github-actions github-actions bot added the needs-qa Marks a PR as requiring QA approval label May 17, 2024
@eliykat eliykat removed the needs-qa Marks a PR as requiring QA approval label May 17, 2024

codecov bot commented May 17, 2024

Codecov Report

Attention: Patch coverage is 0%; 6 lines in your changes are missing coverage. Please review.

Project coverage is 28.12%. Comparing base (a7406ab) to head (8c238d0).

Files Patch % Lines
.../src/app/vault/core/views/collection-admin.view.ts 0.00% 6 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #9231   +/-   ##
=======================================
  Coverage   28.11%   28.12%           
=======================================
  Files        2361     2361           
  Lines       69859    69863    +4     
  Branches    13142    13144    +2     
=======================================
+ Hits        19644    19648    +4     
  Misses      48659    48659           
  Partials     1556     1556           


Contributor

github-actions bot commented May 17, 2024

Checkmarx One – Scan Summary & Details 908e7e79-6a60-45e3-b901-c8d6dc18b4d0

No New Or Fixed Issues Found

@eliykat eliykat merged commit e5fb4d8 into main May 21, 2024
33 of 34 checks passed
@eliykat eliykat deleted the ac/ac-2605/fix-manage-groups-users-permissions branch May 21, 2024 00:45
quexten pushed a commit that referenced this pull request May 22, 2024
* Affects ManageUsers and ManageGroups