[PM-11162] Assign to Collection Permission Update

[Jingo88]

🎟️ Tracking

PM-11162

📔 Objective

Users with Can Edit Except Password will not be allowed to assign collections to ciphers.

Updates made to CipherDetails_ReadByIdUserId.sql to get accurate ViewPassword value when user assigns/unassigns collections (This addresses bug PM-14046)

NOTE: EntityFramework update being looked at later on.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 4d56d510-341b-4fe1-ac6e-5943eff9b236

New Issues (171)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Reflected_XSS_All_Clients	/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs: 357	details The method AssertResponseTypeIs embeds untrusted data in generated output with Response, at line 225 of /test/Common/Helpers/AssertHelper.cs. This ... Attack Vector
	Reflected_XSS_All_Clients	/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs: 320	details The method AssertResponseTypeIs embeds untrusted data in generated output with Response, at line 225 of /test/Common/Helpers/AssertHelper.cs. This ... Attack Vector
	Reflected_XSS_All_Clients	/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs: 259	details The method AssertResponseTypeIs embeds untrusted data in generated output with Response, at line 225 of /test/Common/Helpers/AssertHelper.cs. This ... Attack Vector
	Reflected_XSS_All_Clients	/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs: 141	details The method AssertResponseTypeIs embeds untrusted data in generated output with Response, at line 225 of /test/Common/Helpers/AssertHelper.cs. This ... Attack Vector
	Reflected_XSS_All_Clients	/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs: 73	details The method AssertResponseTypeIs embeds untrusted data in generated output with Response, at line 225 of /test/Common/Helpers/AssertHelper.cs. This ... Attack Vector
	Reflected_XSS_All_Clients	/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs: 101	details The method AssertResponseTypeIs embeds untrusted data in generated output with Response, at line 225 of /test/Common/Helpers/AssertHelper.cs. This ... Attack Vector
	CSRF	/src/Admin/AdminConsole/Controllers/ProvidersController.cs: 419	details Method CreateOrganization at line 419 of /src/Admin/AdminConsole/Controllers/ProvidersController.cs gets a parameter from a user request from provi... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/ProviderOrganizationsController.cs: 61	details Method Add at line 61 of /src/Api/AdminConsole/Controllers/ProviderOrganizationsController.cs gets a parameter from a user request from providerId.... Attack Vector
	CSRF	/src/Billing/Controllers/StripeController.cs: 164	details Method TryParseEventFromRequestBodyAsync at line 164 of /src/Billing/Controllers/StripeController.cs gets a parameter from a user request from Body... Attack Vector
	CSRF	/src/Billing/Controllers/RecoveryController.cs: 38	details Method ProcessEventsAsync at line 38 of /src/Billing/Controllers/RecoveryController.cs gets a parameter from a user request from requestBody. This ... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/PoliciesController.cs: 197	details Method Put at line 197 of /src/Api/AdminConsole/Controllers/PoliciesController.cs gets a parameter from a user request from orgId. This parameter v... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationDomainController.cs: 111	details Method RemoveDomain at line 111 of /src/Api/AdminConsole/Controllers/OrganizationDomainController.cs gets a parameter from a user request from id. ... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationDomainController.cs: 111	details Method RemoveDomain at line 111 of /src/Api/AdminConsole/Controllers/OrganizationDomainController.cs gets a parameter from a user request from orgI... Attack Vector
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 220	details Method PutAdmin at line 220 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value f... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationDomainController.cs: 78	details Method Post at line 78 of /src/Api/AdminConsole/Controllers/OrganizationDomainController.cs gets a parameter from a user request from model. This p... Attack Vector
	CSRF	/src/Api/Tools/Controllers/SendsController.cs: 166	details Method PostFile at line 166 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationDomainController.cs: 77	details Method Post at line 77 of /src/Api/AdminConsole/Controllers/OrganizationDomainController.cs gets a parameter from a user request from orgId. This p... Attack Vector
	CSRF	/src/Api/Tools/Controllers/ImportCiphersController.cs: 47	details Method PostImport at line 47 of /src/Api/Tools/Controllers/ImportCiphersController.cs gets a parameter from a user request from model. This paramet... Attack Vector
	CSRF	/src/Api/Auth/Controllers/TwoFactorController.cs: 406	details Method PostRecover at line 406 of /src/Api/Auth/Controllers/TwoFactorController.cs gets a parameter from a user request from model. This parameter ... Attack Vector
	CSRF	/src/Events/Controllers/CollectController.cs: 41	details Method Post at line 41 of /src/Events/Controllers/CollectController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 220	details Method PutAdmin at line 220 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
	CSRF	/src/Api/Tools/Controllers/SendsController.cs: 156	details Method Post at line 156 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
	CSRF	/src/Api/Tools/Controllers/SendsController.cs: 272	details Method Put at line 272 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from model. This parameter value flows... Attack Vector
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 173	details Method PostAdmin at line 173 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter val... Attack Vector
	CSRF	/src/Api/Billing/Controllers/ProviderBillingController.cs: 51	details Method GenerateClientInvoiceReportAsync at line 51 of /src/Api/Billing/Controllers/ProviderBillingController.cs gets a parameter from a user reques... Attack Vector
	CSRF	/src/Identity/Controllers/AccountsController.cs: 184	details Method PostRegisterFinish at line 184 of /src/Identity/Controllers/AccountsController.cs gets a parameter from a user request from PostRegisterFini... Attack Vector
	CSRF	/src/Identity/Controllers/AccountsController.cs: 152	details Method PostRegisterVerificationEmailClicked at line 152 of /src/Identity/Controllers/AccountsController.cs gets a parameter from a user request fro... Attack Vector
	CSRF	/src/Api/Tools/Controllers/ReportsController.cs: 150	details Method AddPasswordHealthReportApplications at line 150 of /src/Api/Tools/Controllers/ReportsController.cs gets a parameter from a user request from... Attack Vector
	CSRF	/src/Api/Tools/Controllers/ReportsController.cs: 125	details Method AddPasswordHealthReportApplication at line 125 of /src/Api/Tools/Controllers/ReportsController.cs gets a parameter from a user request from ... Attack Vector
	CSRF	/src/Api/SecretsManager/Controllers/CountsController.cs: 83	details Method GetByServiceAccountAsync at line 83 of /src/Api/SecretsManager/Controllers/CountsController.cs gets a parameter from a user request from Get... Attack Vector
	CSRF	/src/Api/SecretsManager/Controllers/CountsController.cs: 62	details Method GetByProjectAsync at line 62 of /src/Api/SecretsManager/Controllers/CountsController.cs gets a parameter from a user request from GetByProje... Attack Vector
	CSRF	/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs: 106	details Method PreValidateSponsorshipToken at line 106 of /src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs gets a parameter from a user r... Attack Vector
	CSRF	/src/Api/Auth/Controllers/TwoFactorController.cs: 214	details Method PutOrganizationDuo at line 214 of /src/Api/Auth/Controllers/TwoFactorController.cs gets a parameter from a user request from PutOrganization... Attack Vector
	CSRF	/src/Api/Auth/Controllers/TwoFactorController.cs: 180	details Method PutDuo at line 180 of /src/Api/Auth/Controllers/TwoFactorController.cs gets a parameter from a user request from PutDuo. This parameter valu... Attack Vector
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 980	details Method SetUserVerifyDevicesAsync at line 980 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from SetUserVe... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 582	details Method BulkDeleteAccount at line 582 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from ... Attack Vector

More results are available on the CxOne platform

Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 972
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 639
	CSRF	/src/Api/Auth/Controllers/TwoFactorController.cs: 108
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 615
	SSL_Verification_Bypass	/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs: 73
	SSL_Verification_Bypass	/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs: 73
	SSL_Verification_Bypass	/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs: 73

[shane-melton]

Changes look good, but looks like we need to update CipherController tests.

[codecov]

Codecov Report

Attention: Patch coverage is 3.22581% with 30 lines in your changes missing coverage. Please review.

Project coverage is 44.22%. Comparing base (72b78ed) to head (d3152cb).
Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Api/Vault/Controllers/CiphersController.cs	3.33%	29 Missing ⚠️
...ture.Dapper/Vault/Repositories/CipherRepository.cs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4844      +/-   ##
==========================================
- Coverage   44.24%   44.22%   -0.02%     
==========================================
  Files        1492     1492              
  Lines       68841    68869      +28     
  Branches     6199     6203       +4     
==========================================
  Hits        30456    30456              
- Misses      37066    37094      +28     
  Partials     1319     1319              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[shane-melton]

Changes look good! Just two small nits on the formatting of the sproc and we'll want to update the migration script date.

[shane-melton]

⛏️ Can we fix the formatting here so that the , comes at the end of each line (to match the rest)?

[shane-melton]

⛏️ Extra whitespace we can remove

[shane-melton]

🎨 We'll want to update the date in this migration script to todays date since we already have a few others on main with a more recent date.

[shane-melton]

Thanks! Looks good to go!

[rkac-bw]

lgtm

[shane-melton]

I was looking at this again after I ran into something similar in my current work. I think we may need to tweak another sproc.

[rkac-bw]

lgtm

[Jingo88]

After speaking with product and design we have decided to move away from hiding Can Edit Except Passwords collections from the dropdown. The HidePasswords value is no longer needed.

[rkac-bw]

lgtm

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
39.9% Duplication on New Code

See analysis details on SonarQube Cloud