permission checks for cipher crud operations

2025-07-02 00:22:50 -05:00 · 2017-03-24 09:27:15 -04:00
parent 0dae19bd4f
commit 10c72fafda
10 changed files with 78 additions and 11 deletions
--- a/src/Core/Services/ICipherService.cs
+++ b/src/Core/Services/ICipherService.cs
@ -8,8 +8,8 @@ namespace Bit.Core.Services
 {
    public interface ICipherService
    {
-        Task SaveAsync(CipherDetails cipher);
-        Task DeleteAsync(Cipher cipher);
+        Task SaveAsync(CipherDetails cipher, Guid savingUserId);
+        Task DeleteAsync(CipherDetails cipher, Guid deletingUserId);
        Task SaveFolderAsync(Folder folder);
        Task DeleteFolderAsync(Folder folder);
        Task MoveSubvaultAsync(Cipher cipher, IEnumerable<Guid> subvaultIds, Guid userId);
--- a/src/Core/Services/Implementations/CipherService.cs
+++ b/src/Core/Services/Implementations/CipherService.cs
@ -37,8 +37,14 @@ namespace Bit.Core.Services
            _pushService = pushService;
        }

-        public async Task SaveAsync(CipherDetails cipher)
+        public async Task SaveAsync(CipherDetails cipher, Guid savingUserId)
        {
+            if(!(await UserHasAdminRights(cipher, savingUserId)))
+            {
+                throw new BadRequestException("Not an admin.");
+            }
+
+            cipher.UserId = savingUserId;
            if(cipher.Id == default(Guid))
            {
                await _cipherRepository.CreateAsync(cipher);
@ -56,8 +62,13 @@ namespace Bit.Core.Services
            }
        }

-        public async Task DeleteAsync(Cipher cipher)
+        public async Task DeleteAsync(CipherDetails cipher, Guid deletingUserId)
        {
+            if(!(await UserHasAdminRights(cipher, deletingUserId)))
+            {
+                throw new BadRequestException("Not an admin.");
+            }
+
            await _cipherRepository.DeleteAsync(cipher);

            // push
@ -151,5 +162,15 @@ namespace Bit.Core.Services
                await _pushService.PushSyncCiphersAsync(userId.Value);
            }
        }
+
+        private async Task<bool> UserHasAdminRights(CipherDetails cipher, Guid userId)
+        {
+            if(!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)
+            {
+                return true;
+            }
+
+            return await _subvaultUserRepository.GetIsAdminByUserIdCipherIdAsync(userId, cipher.Id);
+        }
    }
 }