Fix conflict resolution logic for read_only and hide_passwords flags

[jjlin]

For one of these flags to be in effect for a cipher, upstream requires all of
(rather than any of) the collections the cipher is in to have that flag set.

Also, some of the logic for loading access restrictions was wrong. I think
that only malicious clients that also had knowledge of the UUIDs of ciphers
they didn't have access to would have been able to take advantage of that.

Fixes #2072.

[perkons]

Thank you very much for the very fast fix and for your work! It is working now as expected.

One issue/exploit that I found now is that a user with "Hide Passwords" permissions in a collection can add an item from this collection to another collection with no "Hide Passwords" permissions and remove it from the one where he has "Hide Passwords". After that is done the user can view the password. So the "Hide Passwords" option becomes useless if not used together with "Read Only".

I personally think that the best solution here would be to limit permissions on a collection that has "Hide Passwords". I think the best solution that I can think of is to remove the Collections option under the Cog symbol when "Hide Passwords" is checked. So "Hide Passwords" would forbid the removal from items from the collection. If a feature request is needed I can create one, but I think that this can maybe be considered to be a bug?

I am Using vaultwarden/server:testing-alpine@sha256:3f9d68af0d3b86b941a1bbdb77b27e61188adfcfadc09b2d6aeca67ce923a84f

[jjlin]

One issue/exploit that I found now is that a user with "Hide Passwords" permissions in a collection can add an item from this collection to another collection with no "Hide Passwords" permissions and remove it from the one where he has "Hide Passwords". After that is done the user can view the password. So the "Hide Passwords" option becomes useless if not used together with "Read Only".

"Hide Passwords" is only intended to act as a hurdle for typical, unsophisticated users, not "clever" ones. Given it's only enforced on the client side, it's easy to disable for someone who knows what they're doing, especially in the web vault.

I personally think that the best solution here would be to limit permissions on a collection that has "Hide Passwords". I think the best solution that I can think of is to remove the Collections option under the Cog symbol when "Hide Passwords" is checked. So "Hide Passwords" would forbid the removal from items from the collection. If a feature request is needed I can create one, but I think that this can maybe be considered to be a bug?

Vaultwarden doesn't implement custom client-side features, so you would have to make your case with upstream Bitwarden at https://community.bitwarden.com/c/feature-requests/5/.