From 0816c609dbce9df9321be562bc2e06f89d742cce Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Thu, 23 Aug 2018 23:04:44 -0400
Subject: [PATCH] check user access permissions on collections edit
---
 src/Api/Controllers/CiphersController.cs | 1 -
 src/Core/Services/Implementations/CipherService.cs | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Api/Controllers/CiphersController.cs b/src/Api/Controllers/CiphersController.cs
index 1b853295e7..ce1bf18672 100644
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@@ -10,7 +10,6 @@ using Bit.Core.Services;
 using Bit.Core;
 using Bit.Api.Utilities;
 using Bit.Core.Utilities;
-using Core.Models.Data;
 using System.Collections.Generic;
 using Bit.Core.Models.Table;
diff --git a/src/Core/Services/Implementations/CipherService.cs b/src/Core/Services/Implementations/CipherService.cs
index 040317f354..88fa19b2b8 100644
--- a/src/Core/Services/Implementations/CipherService.cs
+++ b/src/Core/Services/Implementations/CipherService.cs
@@ -478,6 +478,10 @@ namespace Bit.Core.Services
 }
 else
 {
+ if(!(await UserCanEditAsync(cipher, savingUserId)))
+ {
+ throw new BadRequestException("You do not have permissions to edit this.");
+ }
 await _collectionCipherRepository.UpdateCollectionsAsync(cipher.Id, savingUserId, collectionIds);
 }
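Review bot: The added `UserCanEditAsync(cipher, savingUserId)` guard in the `else` branch of CipherService.cs covers the cipher itself, but nothing visible in this hunk checks that the caller may also write to each id in `collectionIds`. `UpdateCollectionsAsync` receives `savingUserId`, so the repository presumably filters on it, but that code is outside the hunk and should be confirmed. If it does, a comment above the call would record where each half of the authorization lives, e.g. `// cipher edit right checked above; per-collection write access is enforced by UpdateCollectionsAsync via savingUserId`. The diffstat lists only the two source files, so a regression test in which a read-only member hits this path and receives the exception would pin the fix. The enclosing method starts and ends outside the hunk.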