From 431df0fcd985325d6d8d5e5aca08f5f00c9bfbf5 Mon Sep 17 00:00:00 2001
From: Richy
Date: Thu, 3 Jul 2025 12:45:51 +0200
Subject: [PATCH] fix: resolve group permission conflicts with multiple groups

When a user belonged to multiple groups with different permissions for the same collection, only the permissions from one group were applied instead of combining them properly. This caused users to see incorrect access levels when initially viewing collection items.
The fix combines permissions from all user groups by taking the most permissive settings:
- read_only: false if ANY group allows write access
- hide_passwords: false if ANY group allows password viewing
- manage: true if ANY group allows management
This ensures users immediately see the correct permissions when opening collection entries, matching the behavior after editing and saving.
---
 src/api/core/ciphers.rs | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index aecbe28a..b4a8e0ab 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -1924,11 +1924,24 @@ impl CipherSyncData {
 
 // Generate a HashMap with the collections_uuid as key and the CollectionGroup record
 let user_collections_groups: HashMap = if CONFIG.org_groups_enabled() {
- CollectionGroup::find_by_user(user_id, conn)
- .await
- .into_iter()
- .map(|collection_group| (collection_group.collections_uuid.clone(), collection_group))
- .collect()
+ let all_user_collection_groups = CollectionGroup::find_by_user(user_id, conn).await;
+ let mut combined_permissions: HashMap = HashMap::new();
+
+ for cg in all_user_collection_groups {
+ match combined_permissions.get_mut(&cg.collections_uuid) {
+ Some(existing) => {
+ // Combine permissions by taking the most permissive settings
+ existing.read_only = existing.read_only && cg.read_only; // false if ANY group allows write
+ existing.hide_passwords = existing.hide_passwords && cg.hide_passwords; // false if ANY group allows password view
+ existing.manage = existing.manage || cg.manage; // true if ANY group allows manage
+ }
+ None => {
+ // First group for this collection
+ combined_permissions.insert(cg.collections_uuid.clone(), cg);
+ }
+ }
+ }
+ combined_permissions
 } else {
 HashMap::new()
 };
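Review bot: The `Some(existing)` arm merges `read_only`, `hide_passwords` and `manage` independently, so the combined record can carry a set of rights that no single group grants (one group with write access but hidden passwords plus another that is read-only with visible passwords yields write access with visible passwords). That widening is an authorization decision and should be stated at the merge, for example `// Flags are merged per field across groups; the result may exceed any one group's grant and must stay equal to what the access-check path computes.` The stored value is also still the first group's record with altered flags, so it no longer corresponds to a stored row; a short comment marking it as a synthetic view for sync output that must never be saved would help, assuming nothing downstream persists it (not visible here). A unit test with two groups holding complementary flags on the same collection would pin the intended result. The enclosing function in `impl CipherSyncData` starts and ends outside the hunk.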