Apply ACL rules to password history, and treat "hidden" custom fields as secrets

ACL applies to password history and hidden fields.

  • ACL rule “Hide Passwords” should also apply to password history for entries.
  • Hidden custom fields should be treated as secrets in the same way as passwords and TOTP seeds, and users should be prevented from viewing or changing data held in secrets.

Feature function

  • Prevent hidden fields from being edited and easily viewed when organization specifies Hide Passwords ACL for a user and a collection.

Related topics + references

While I understand passwords and other sensitive data may be able to be extracted by power users with a multitude of methods and thus should still be shared only with those one may trust, this will still prevent easy access of hidden items by standard users from directly within the Bitwarden client.

Hidden items are intended to remain hidden from easy view.

  • Hidden: Field value stores freeform input that is hidden from view (particularly useful for Organizations using the Hide Password access control).

The ACL page describes hidden fields as akin to other hidden items such as passwords and TOTP seeds. So it may make more sense to also disallow editing of hidden fields when Hide Passwords is enabled, similar to how passwords and TOTP seeds cannot be viewed OR edited.
User Types and Access Control | Bitwarden Help & Support

Currently, with Hide Passwords enabled, a user cannot view hidden items but is still able to edit them.

GitHub Issue with further details

I was unsure whether this was more of a GitHub issue, or whether it needed to be a feature request to change the way this is handled.
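As an added illustration (not Bitwarden's code), this models the behaviour the request asks for on the server side: a "Hide Passwords" collection permission both redacts and locks every secret-bearing field, so the view/edit gap described above (hidden fields readable as blank but still editable) is closed. All type names and field shapes are assumptions.

```typescript
// Added example, not Bitwarden's code. Models a "Hide Passwords" collection
// permission that treats the login password, TOTP seed, hidden custom fields
// and password history uniformly as secrets: redacted on read, locked on write.
// All type names and shapes below are assumptions, not Bitwarden's API.

type FieldType = "text" | "hidden" | "boolean";

interface CustomField { name: string; type: FieldType; value: string; }
interface PasswordHistoryEntry { password: string; lastUsedDate: string; }
interface Cipher {
  id: string;
  name: string;
  login: { username?: string; password?: string; totp?: string };
  fields: CustomField[];
  passwordHistory: PasswordHistoryEntry[];
}
interface CollectionAccess { readOnly: boolean; hidePasswords: boolean; }

/** Project only the secret-bearing parts of a cipher, in a stable order. */
function secretsOf(c: Cipher): string {
  return JSON.stringify({
    password: c.login.password ?? null,
    totp: c.login.totp ?? null,
    hidden: c.fields.filter(f => f.type === "hidden").map(f => [f.name, f.value]),
    history: c.passwordHistory,
  });
}

/** View: strip secrets when the caller's collection access hides passwords. */
export function redactForViewer(cipher: Cipher, access: CollectionAccess): Cipher {
  if (!access.hidePasswords) return cipher;
  return {
    ...cipher,
    login: { ...cipher.login, password: undefined, totp: undefined },
    // Hidden custom fields are secrets like the password itself.
    fields: cipher.fields.map(f => (f.type === "hidden" ? { ...f, value: "" } : f)),
    // Password history holds previous passwords, so it is redacted too.
    passwordHistory: [],
  };
}

/** Edit: allow the update only if no secret-bearing field was touched. */
export function canApplyUpdate(current: Cipher, proposed: Cipher, access: CollectionAccess): boolean {
  if (access.readOnly) return false;
  if (!access.hidePasswords) return true;
  // Non-secret edits (name, username, text fields) pass; any change to the
  // secret projection, including clearing the history, is rejected.
  return secretsOf(current) === secretsOf(proposed);
}
```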