[PM-20543] - remove restrict-provider-access feature flag (#5700)

* remove restrict-provider-access feature flag * remove feature flag * re-add flag * remove unnecessary tests * fix bad merge * fix bad merge * remove RestrictProviderAccess key
2025-07-04 01:22:50 -05:00 · 2025-05-15 14:00:48 -07:00
parent 07de9aa8bc
commit 97fbf21977
3 changed files with 18 additions and 248 deletions
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@ -315,26 +315,10 @@ public class CiphersController : Controller
    {
        var org = _currentContext.GetOrganization(organizationId);

-        // If we're not an "admin", we don't need to check the ciphers
-        if (org is not ({ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or { Permissions.EditAnyCollection: true }))
+        // If we're not an "admin" or if we're not a provider user we don't need to check the ciphers
+        if (org is not ({ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or { Permissions.EditAnyCollection: true }) || await _currentContext.ProviderUserForOrgAsync(organizationId))
        {
-            // Are we a provider user? If so, we need to be sure we're not restricted
-            // Once the feature flag is removed, this check can be combined with the above
-            if (await _currentContext.ProviderUserForOrgAsync(organizationId))
-            {
-                // Provider is restricted from editing ciphers, so we're not an "admin"
-                if (_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess))
-                {
-                    return false;
-                }
-
-                // Provider is unrestricted, so we're an "admin", don't return early
-            }
-            else
-            {
-                // Not a provider or admin
-                return false;
-            }
+            return false;
        }

        // We know we're an "admin", now check the ciphers explicitly (in case admins are restricted)
@ -350,26 +334,10 @@ public class CiphersController : Controller

        var org = _currentContext.GetOrganization(organizationId);

-        // If we're not an "admin", we don't need to check the ciphers
-        if (org is not ({ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or { Permissions.EditAnyCollection: true }))
+        // If we're not an "admin" or if we're a provider user we don't need to check the ciphers
+        if (org is not ({ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or { Permissions.EditAnyCollection: true }) || await _currentContext.ProviderUserForOrgAsync(organizationId))
        {
-            // Are we a provider user? If so, we need to be sure we're not restricted
-            // Once the feature flag is removed, this check can be combined with the above
-            if (await _currentContext.ProviderUserForOrgAsync(organizationId))
-            {
-                // Provider is restricted from editing ciphers, so we're not an "admin"
-                if (_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess))
-                {
-                    return false;
-                }
-
-                // Provider is unrestricted, so we're an "admin", don't return early
-            }
-            else
-            {
-                // Not a provider or admin
-                return false;
-            }
+            return false;
        }

        // If the user can edit all ciphers for the organization, just check they all belong to the org
@ -462,10 +430,10 @@ public class CiphersController : Controller
            return true;
        }

-        // Provider users can edit all ciphers if RestrictProviderAccess is disabled
+        // Provider users cannot edit ciphers
        if (await _currentContext.ProviderUserForOrgAsync(organizationId))
        {
-            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
+            return false;
        }

        return false;
@ -485,10 +453,10 @@ public class CiphersController : Controller
            return true;
        }

-        // Provider users can only access organization ciphers if RestrictProviderAccess is disabled
+        // Provider users cannot access organization ciphers
        if (await _currentContext.ProviderUserForOrgAsync(organizationId))
        {
-            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
+            return false;
        }

        return false;
@ -508,10 +476,10 @@ public class CiphersController : Controller
            return true;
        }

-        // Provider users can only access all ciphers if RestrictProviderAccess is disabled
+        // Provider users cannot access ciphers
        if (await _currentContext.ProviderUserForOrgAsync(organizationId))
        {
-            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
+            return false;
        }

        return false;