From 1d8a0accf37219d102255307677c3c24765c756b Mon Sep 17 00:00:00 2001
From: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com>
Date: Wed, 19 Mar 2025 14:57:50 -0400
Subject: [PATCH] updating both delete methods to check permissions

---
 .../Vault/Controllers/CiphersController.cs | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
index 7ce6994456..7fc4915f52 100644
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@@ -710,8 +710,18 @@ public class CiphersController : Controller
     {
         var userId = _userService.GetProperUserId(User).Value;
         var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByIdAsync(userId);
 
-        if (cipher == null)
+        OrganizationAbility orgAbility = null;
+
+        if (cipher.OrganizationId.HasValue)
+        {
+            orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync((Guid)cipher.OrganizationId);
+        }
+
+        var canDelete = NormalCipherPermissions.CanDelete(user, cipher, orgAbility);
+
+        if (cipher == null || !canDelete)
         {
             throw new NotFoundException();
         }
@@ -781,7 +791,14 @@ public class CiphersController : Controller
         var userId = _userService.GetProperUserId(User).Value;
         var cipher = await GetByIdAsync(id, userId);
         var user = await _userService.GetUserByIdAsync(userId);
-        var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value); //Clean thi sup later
+
+        OrganizationAbility orgAbility = null;
+
+        if (cipher.OrganizationId.HasValue)
+        {
+            orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync((Guid)cipher.OrganizationId);
+        }
+
         var canDelete = NormalCipherPermissions.CanDelete(user, cipher, orgAbility);
 
         if (cipher == null || !canDelete)
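Review bot: The guard `if (cipher == null || !canDelete)` is evaluated only after `cipher.OrganizationId.HasValue` and `NormalCipherPermissions.CanDelete(user, cipher, orgAbility)` have already dereferenced `cipher`, so an id that `GetByIdAsync` does not resolve for this user produces a NullReferenceException (an unhandled 500) instead of the NotFoundException the condition intends; the second hunk at `@@ -781` has the same ordering. Move the null guard directly after the `GetByIdAsync` call, then resolve the user and organization ability, and keep only the permission test in the final condition so the caller observes the same NotFound response for both "missing" and "not permitted". Inside the `HasValue` guard, `cipher.OrganizationId.Value` is the conventional spelling of `(Guid)cipher.OrganizationId`. The enclosing method's signature and the rest of its body are outside the hunk.
```csharp
        var cipher = await GetByIdAsync(id, userId);

        // Guard first: every line below dereferences cipher.
        if (cipher == null)
        {
            throw new NotFoundException();
        }

        var user = await _userService.GetUserByIdAsync(userId);

        // … unchanged: orgAbility lookup guarded by cipher.OrganizationId.HasValue …

        // A permission failure is reported as NotFound, same as a missing cipher.
        if (!NormalCipherPermissions.CanDelete(user, cipher, orgAbility))
        {
            throw new NotFoundException();
        }
```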
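Review bot: The block from `OrganizationAbility orgAbility = null;` through the closing brace of the `HasValue` guard is now copied verbatim into both delete methods; a small private helper that takes the cipher and returns the ability (null when the cipher has no `OrganizationId`) would keep the two authorization paths from drifting apart, which matters because both of them feed `NormalCipherPermissions.CanDelete`. This hunk starts at `var userId = ...`, so the method's signature is outside the view, and the hunk ends on the `if (cipher == null || !canDelete)` line with the body continuing past it. A one-line comment above the helper call such as `// Org ability is required by CanDelete for organization ciphers; null for personal vault items` would document why the lookup is conditional.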