From 043de76aa83cac7916b700b24289412bd1418ca7 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Mon, 18 Dec 2017 10:41:44 -0500
Subject: [PATCH] make sure user has access to cipher

---
 src/Api/Controllers/EventsController.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Api/Controllers/EventsController.cs b/src/Api/Controllers/EventsController.cs
index 4c0120f491..d8aa81083b 100644
--- a/src/Api/Controllers/EventsController.cs
+++ b/src/Api/Controllers/EventsController.cs
@@ -54,7 +54,7 @@ namespace Bit.Api.Controllers
         {
             var userId = _userService.GetProperUserId(User).Value;
             var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
-            if(cipher == null ||
+            if(cipher == null || (cipher.UserId.HasValue && userId != cipher.UserId) ||
                 (cipher.OrganizationId.HasValue && !_currentContext.OrganizationAdmin(cipher.OrganizationId.Value)))
             {
                 throw new NotFoundException();