permission checks for cipher crud operations

src/Core/Repositories/ISubvaultUserRepository.cs

@@ -12,5 +12,6 @@ namespace Bit.Core.Repositories
         Task<ICollection<SubvaultUserDetails>> GetManyDetailsByUserIdAsync(Guid userId);
         Task<ICollection<SubvaultUserPermissions>> GetPermissionsByUserIdAsync(Guid userId, IEnumerable<Guid> subvaultIds,
             Guid organizationId);
+        Task<bool> GetIsAdminByUserIdCipherIdAsync(Guid userId, Guid cipherId);
     }
 }

src/Core/Repositories/SqlServer/SubvaultUserRepository.cs

@@ -60,5 +60,18 @@ namespace Bit.Core.Repositories.SqlServer
                 return results.ToList();
             }
         }
+
+        public async Task<bool> GetIsAdminByUserIdCipherIdAsync(Guid userId, Guid cipherId)
+        {
+            using(var connection = new SqlConnection(ConnectionString))
+            {
+                var result = await connection.QueryFirstOrDefaultAsync<bool>(
+                    $"[{Schema}].[SubvaultUser_ReadIsAdminByCipherIdUserId]",
+                    new { UserId = userId, CipherId = cipherId },
+                    commandType: CommandType.StoredProcedure);
+
+                return result;
+            }
+        }
     }
 }

src/Core/Services/ICipherService.cs

@@ -8,8 +8,8 @@ namespace Bit.Core.Services
 {
     public interface ICipherService
     {
-        Task SaveAsync(CipherDetails cipher);
-        Task DeleteAsync(Cipher cipher);
+        Task SaveAsync(CipherDetails cipher, Guid savingUserId);
+        Task DeleteAsync(CipherDetails cipher, Guid deletingUserId);
         Task SaveFolderAsync(Folder folder);
         Task DeleteFolderAsync(Folder folder);
         Task MoveSubvaultAsync(Cipher cipher, IEnumerable<Guid> subvaultIds, Guid userId);

src/Core/Services/Implementations/CipherService.cs

@@ -37,8 +37,14 @@ namespace Bit.Core.Services
             _pushService = pushService;
         }
 
-        public async Task SaveAsync(CipherDetails cipher)
+        public async Task SaveAsync(CipherDetails cipher, Guid savingUserId)
         {
+            if(!(await UserHasAdminRights(cipher, savingUserId)))
+            {
+                throw new BadRequestException("Not an admin.");
+            }
+
+            cipher.UserId = savingUserId;
             if(cipher.Id == default(Guid))
             {
                 await _cipherRepository.CreateAsync(cipher);
@@ -56,8 +62,13 @@ namespace Bit.Core.Services
             }
         }
 
-        public async Task DeleteAsync(Cipher cipher)
+        public async Task DeleteAsync(CipherDetails cipher, Guid deletingUserId)
         {
+            if(!(await UserHasAdminRights(cipher, deletingUserId)))
+            {
+                throw new BadRequestException("Not an admin.");
+            }
+
             await _cipherRepository.DeleteAsync(cipher);
 
             // push
@@ -151,5 +162,15 @@ namespace Bit.Core.Services
                 await _pushService.PushSyncCiphersAsync(userId.Value);
             }
         }
+
+        private async Task<bool> UserHasAdminRights(CipherDetails cipher, Guid userId)
+        {
+            if(!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)
+            {
+                return true;
+            }
+
+            return await _subvaultUserRepository.GetIsAdminByUserIdCipherIdAsync(userId, cipher.Id);
+        }
     }
 }