[AC-1707] Restrict provider access to items (#3881)

* [AC-2274] Introduce CanEditAnyCiphersAsAdminAsync helper to replace EditAnyCollection usage

* [AC-2274] Add unit tests for CanEditAnyCiphersAsAdmin helper

* [AC-2274] Add Jira ticket

* [AC-1707] Add feature flag

* [AC-1707] Update CanEditAnyCiphersAsAdmin to fail for providers when the feature flag is enabled

* [AC-2274] Undo change to purge endpoint

* [AC-2274] Update admin checks to account for unassigned ciphers

* [AC-1707] Fix provider auth checks after merge with main

* [AC-1707] Fix tests after merge

* [AC-1707] Adjust CanEditCipherAsAdmin method to properly account for admin user types

- Fix associated unit tests

* [AC-1707] Formatting

src/Api/Vault/Controllers/CiphersController.cs

@@ -334,12 +334,32 @@ public class CiphersController : Controller
             return await _currentContext.EditAnyCollection(organizationId);
         }
 
-        if (await CanEditCiphersAsync(organizationId, cipherIds))
+        var org = _currentContext.GetOrganization(organizationId);
+
+        // If we're not an "admin", we don't need to check the ciphers
+        if (org is not ({ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or { Permissions.EditAnyCollection: true }))
         {
-            return true;
+            // Are we a provider user? If so, we need to be sure we're not restricted
+            // Once the feature flag is removed, this check can be combined with the above
+            if (await _currentContext.ProviderUserForOrgAsync(organizationId))
+            {
+                // Provider is restricted from editing ciphers, so we're not an "admin"
+                if (_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess))
+                {
+                    return false;
+                }
+
+                // Provider is unrestricted, so we're an "admin", don't return early
+            }
+            else
+            {
+                // Not a provider or admin
+                return false;
+            }
         }
 
-        return false;
+        // We know we're an "admin", now check the ciphers explicitly (in case admins are restricted)
+        return await CanEditCiphersAsync(organizationId, cipherIds);
     }
 
     /// <summary>
@@ -360,10 +380,10 @@ public class CiphersController : Controller
             return true;
         }
 
-        // Provider users can access all ciphers in V1 (to change later)
+        // Provider users can only access all ciphers if RestrictProviderAccess is disabled
         if (await _currentContext.ProviderUserForOrgAsync(organizationId))
         {
-            return true;
+            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
         }
 
         return false;
@@ -399,10 +419,10 @@ public class CiphersController : Controller
             return true;
         }
 
-        // Provider users can edit all ciphers in V1 (to change later)
+        // Provider users can edit all ciphers if RestrictProviderAccess is disabled
         if (await _currentContext.ProviderUserForOrgAsync(organizationId))
         {
-            return true;
+            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
         }
 
         return false;
@@ -422,10 +442,10 @@ public class CiphersController : Controller
             return true;
         }
 
-        // Provider users can still access organization ciphers in V1 (to change later)
+        // Provider users can only access organization ciphers if RestrictProviderAccess is disabled
         if (await _currentContext.ProviderUserForOrgAsync(organizationId))
         {
-            return true;
+            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
         }
 
         return false;
@@ -445,10 +465,10 @@ public class CiphersController : Controller
             return true;
         }
 
-        // Provider users can access all ciphers in V1 (to change later)
+        // Provider users can only access all ciphers if RestrictProviderAccess is disabled
         if (await _currentContext.ProviderUserForOrgAsync(organizationId))
         {
-            return true;
+            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
         }
 
         return false;

src/Core/Constants.cs

@@ -139,6 +139,7 @@ public static class FeatureFlagKeys
     public const string EmailVerification = "email-verification";
     public const string AnhFcmv1Migration = "anh-fcmv1-migration";
     public const string ExtensionRefresh = "extension-refresh";
+    public const string RestrictProviderAccess = "restrict-provider-access";
 
     public static List<string> GetAllKeys()
     {