diff --git a/src/Core/Services/Implementations/CipherService.cs b/src/Core/Services/Implementations/CipherService.cs index 318bac4c56..3e22f6ddf0 100644 --- a/src/Core/Services/Implementations/CipherService.cs +++ b/src/Core/Services/Implementations/CipherService.cs @@ -686,6 +686,30 @@ namespace Bit.Core.Services List ciphers, IEnumerable> folderRelationships) { + var userId = folders.FirstOrDefault()?.UserId ?? ciphers.FirstOrDefault()?.UserId; + + // Check user is allowed to import to personal vault + if (userId.HasValue) + { + var policies = await _policyRepository.GetManyByUserIdAsync(userId.Value); + var allOrgUsers = await _organizationUserRepository.GetManyByUserAsync(userId.Value); + + var orgsWithBlockingPolicy = policies + .Where(p => p.Enabled && p.Type == PolicyType.PersonalOwnership) + .Select(p => p.OrganizationId); + var blockedByPolicy = allOrgUsers.Any(ou => + ou.Type != OrganizationUserType.Owner && + ou.Type != OrganizationUserType.Admin && + ou.Status != OrganizationUserStatusType.Invited && + orgsWithBlockingPolicy.Contains(ou.OrganizationId)); + + if (blockedByPolicy) + { + throw new BadRequestException("You cannot import items into your personal vault because you are " + + "a member of an organization which forbids it."); + } + } + foreach (var cipher in ciphers) { cipher.SetNewId(); @@ -721,7 +745,6 @@ namespace Bit.Core.Services await _cipherRepository.CreateAsync(ciphers, folders); // push - var userId = folders.FirstOrDefault()?.UserId ?? ciphers.FirstOrDefault()?.UserId; if (userId.HasValue) { await _pushService.PushSyncVaultAsync(userId.Value);