[SM-579] Prevent creating secrets not attached to projects (#2754)

* Prevent creating secrets not attached to projects, and prevent updating secrets to remove project relation * Fix test
2025-07-03 00:52:49 -05:00 · 2023-03-07 10:13:49 +01:00
parent 14c8edfcb7
commit 2c8f23ec9b
3 changed files with 15 additions and 2 deletions
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs
@ -26,10 +26,15 @@ public class CreateSecretCommand : ICreateSecretCommand
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
        var project = secret.Projects?.FirstOrDefault();

+        if (project == null)
+        {
+            throw new NotFoundException();
+        }
+
        var hasAccess = accessClient switch
        {
            AccessClientType.NoAccessCheck => true,
-            AccessClientType.User => project != null && await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
+            AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
            _ => false,
        };

--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
@ -33,6 +33,11 @@ public class UpdateSecretCommand : IUpdateSecretCommand

        var project = updatedSecret.Projects?.FirstOrDefault();

+        if (secret.Projects != null && secret.Projects.Any() && project == null)
+        {
+            throw new NotFoundException();
+        }
+
        var hasAccess = accessClient switch
        {
            AccessClientType.NoAccessCheck => true,