[PM-14378] SecurityTask Authorization Handler (#5039)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository * [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework * [PM-14378] Add integration tests for new repository method * [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query * [PM-14378] Introduce SecurityTaskOperationRequirement * [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs * [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs * [PM-14378] Register new authorization handlers * [PM-14378] Formatting * [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery * [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests * [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler * [PM-14378] Formatting * [PM-14378] Update date in migration file * [PM-14378] Add missing awaits * [PM-14378] Bump migration script date * [PM-14378] Remove Unassigned property from OrganizationCipherPermission as it was making the query too complicated * [PM-14378] Update sproc to use Union All to improve query performance * [PM-14378] Bump migration script date
2025-07-01 08:02:49 -05:00 · 2025-01-09 12:14:24 -08:00
parent fd195e7cf3
commit a99f82dddd
18 changed files with 1669 additions and 0 deletions
--- a/test/Core.Test/Vault/Authorization/SecurityTaskAuthorizationHandlerTests.cs
+++ b/test/Core.Test/Vault/Authorization/SecurityTaskAuthorizationHandlerTests.cs
@ -0,0 +1,430 @@
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Authorization;
+
+[SutProviderCustomize]
+public class SecurityTaskAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingOrg_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns((CurrentContextOrganization)null);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingCipherId_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var operations = new[]
+        {
+            SecurityTaskOperations.Read, SecurityTaskOperations.Create, SecurityTaskOperations.Update
+        };
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = null
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        foreach (var operation in operations)
+        {
+            var context = new AuthorizationHandlerContext(
+                new[] { operation },
+                new ClaimsPrincipal(),
+                task);
+
+            await sutProvider.Sut.HandleAsync(context);
+
+            Assert.False(context.HasSucceeded, operation.ToString());
+        }
+
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Read_User_CanReadCipher_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Read_Admin_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Read_Admin_MissingCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>());
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Read_User_CannotReadCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = false
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Create_User_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = true,
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Create },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Create_Admin_MissingCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>());
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Create },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Create_Admin_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = true,
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Create },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Update_User_CanEditCipher_Success(
+    CurrentContextOrganization organization,
+    SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = true
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Update_Admin_CanEditCipher_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Edit = true
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Read_Admin_ReadonlyCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>());
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Update_User_CannotEditCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = false
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+}
--- a/test/Core.Test/Vault/Authorization/SecurityTaskOrganizationAuthorizationHandlerTests.cs
+++ b/test/Core.Test/Vault/Authorization/SecurityTaskOrganizationAuthorizationHandlerTests.cs
@ -0,0 +1,104 @@
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Authorization;
+
+[SutProviderCustomize]
+public class SecurityTaskOrganizationAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingOrg_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns((CurrentContextOrganization)null);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingUserId_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(null as Guid?);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task ListAllForOrganization_Admin_Success(
+        OrganizationUserType userType,
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        organization.Type = userType;
+        if (organization.Type == OrganizationUserType.Custom)
+        {
+            organization.Permissions.AccessReports = true;
+        }
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task ListAllForOrganization_User_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+}
--- a/test/Core.Test/Vault/Queries/GetCipherPermissionsForUserQueryTests.cs
+++ b/test/Core.Test/Vault/Queries/GetCipherPermissionsForUserQueryTests.cs
@ -0,0 +1,238 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Services;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Queries;
+
+[SutProviderCustomize]
+public class GetCipherPermissionsForUserQueryTests
+{
+    private static Guid _noAccessCipherId = Guid.NewGuid();
+    private static Guid _readOnlyCipherId = Guid.NewGuid();
+    private static Guid _editCipherId = Guid.NewGuid();
+    private static Guid _manageCipherId = Guid.NewGuid();
+    private static Guid _readExceptPasswordCipherId = Guid.NewGuid();
+    private static Guid _unassignedCipherId = Guid.NewGuid();
+
+    private static List<Guid> _cipherIds = new[]
+    {
+        _noAccessCipherId,
+        _readOnlyCipherId,
+        _editCipherId,
+        _manageCipherId,
+        _readExceptPasswordCipherId,
+        _unassignedCipherId
+    }.ToList();
+
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_Base(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        org.Type = OrganizationUserType.User;
+        org.Permissions.EditAnyCollection = false;
+        var cipherPermissions = CreateCipherPermissions();
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.False(result[_noAccessCipherId].Read);
+        Assert.True(result[_readOnlyCipherId].Read);
+        Assert.False(result[_readOnlyCipherId].Edit);
+        Assert.True(result[_editCipherId].Edit);
+        Assert.True(result[_manageCipherId].Manage);
+        Assert.True(result[_readExceptPasswordCipherId].Read);
+        Assert.False(result[_readExceptPasswordCipherId].ViewPassword);
+        Assert.False(result[_unassignedCipherId].Read);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_CanEditAllCiphers_CustomUser(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        var cipherPermissions = CreateCipherPermissions();
+        org.Permissions.EditAnyCollection = true;
+        org.Type = OrganizationUserType.Custom;
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.All(result, x => Assert.True(x.Value.Read && x.Value.Edit && x.Value.Manage && x.Value.ViewPassword));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_CanEditAllCiphers_Admin(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        var cipherPermissions = CreateCipherPermissions();
+        org.Permissions.EditAnyCollection = false;
+        org.Type = OrganizationUserType.Admin;
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(org.Id).Returns(new OrganizationAbility
+        {
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.All(result, x => Assert.True(x.Value.Read && x.Value.Edit && x.Value.Manage && x.Value.ViewPassword));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_CanEditUnassignedCiphers(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        var cipherPermissions = CreateCipherPermissions();
+        org.Type = OrganizationUserType.Owner;
+        org.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.False(result[_noAccessCipherId].Read);
+        Assert.True(result[_readOnlyCipherId].Read);
+        Assert.False(result[_readOnlyCipherId].Edit);
+        Assert.True(result[_editCipherId].Edit);
+        Assert.True(result[_manageCipherId].Manage);
+        Assert.True(result[_readExceptPasswordCipherId].Read);
+        Assert.False(result[_readExceptPasswordCipherId].ViewPassword);
+
+        Assert.True(result[_unassignedCipherId].Read);
+        Assert.True(result[_unassignedCipherId].Edit);
+        Assert.True(result[_unassignedCipherId].ViewPassword);
+        Assert.True(result[_unassignedCipherId].Manage);
+    }
+
+    private List<OrganizationCipherPermission> CreateCipherPermissions()
+    {
+        // User has no relationship with the cipher
+        var noAccessCipher = new OrganizationCipherPermission
+        {
+            Id = _noAccessCipherId,
+            Read = false,
+            Edit = false,
+            Manage = false,
+            ViewPassword = false,
+        };
+
+        var readOnlyCipher = new OrganizationCipherPermission
+        {
+            Id = _readOnlyCipherId,
+            Read = true,
+            Edit = false,
+            Manage = false,
+            ViewPassword = true,
+        };
+
+        var editCipher = new OrganizationCipherPermission
+        {
+            Id = _editCipherId,
+            Read = true,
+            Edit = true,
+            Manage = false,
+            ViewPassword = true,
+        };
+
+        var manageCipher = new OrganizationCipherPermission
+        {
+            Id = _manageCipherId,
+            Read = true,
+            Edit = true,
+            Manage = true,
+            ViewPassword = true,
+        };
+
+        var readExceptPasswordCipher = new OrganizationCipherPermission
+        {
+            Id = _readExceptPasswordCipherId,
+            Read = true,
+            Edit = false,
+            Manage = false,
+            ViewPassword = false,
+        };
+
+        var unassignedCipher = new OrganizationCipherPermission
+        {
+            Id = _unassignedCipherId,
+            Read = false,
+            Edit = false,
+            Manage = false,
+            ViewPassword = false,
+        };
+
+        return new List<OrganizationCipherPermission>
+        {
+            noAccessCipher,
+            readOnlyCipher,
+            editCipher,
+            manageCipher,
+            readExceptPasswordCipher,
+            unassignedCipher
+        };
+    }
+}