Fix user context on importing into individual vaults (#5465)

Pass in the current userId instead of trying to infer it from the folders or ciphers passed into the ImportCiphersCommand Kudos go to @MJebran who pointed this out on https://github.com/bitwarden/server/pull/4896 Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
2025-04-04 12:40:22 -05:00 · 2025-03-07 15:09:54 +01:00 · 2025-03-07 15:09:54 +01:00 · 34358acf61
commit 34358acf61
parent c589f9a330
5 changed files with 11 additions and 14 deletions
--- a/src/Api/Tools/Controllers/ImportCiphersController.cs
+++ b/src/Api/Tools/Controllers/ImportCiphersController.cs
@ -56,7 +56,7 @@ public class ImportCiphersController : Controller
        var userId = _userService.GetProperUserId(User).Value;
        var folders = model.Folders.Select(f => f.ToFolder(userId)).ToList();
        var ciphers = model.Ciphers.Select(c => c.ToCipherDetails(userId, false)).ToList();
-        await _importCiphersCommand.ImportIntoIndividualVaultAsync(folders, ciphers, model.FolderRelationships);
+        await _importCiphersCommand.ImportIntoIndividualVaultAsync(folders, ciphers, model.FolderRelationships, userId);
    }

    [HttpPost("import-organization")]
--- a/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
+++ b/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
@ -54,12 +54,11 @@ public class ImportCiphersCommand : IImportCiphersCommand
    public async Task ImportIntoIndividualVaultAsync(
        List<Folder> folders,
        List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> folderRelationships)
+        IEnumerable<KeyValuePair<int, int>> folderRelationships,
+        Guid importingUserId)
    {
-        var userId = folders.FirstOrDefault()?.UserId ?? ciphers.FirstOrDefault()?.UserId;
-
        // Make sure the user can save new ciphers to their personal vault
-        var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(userId.Value, PolicyType.PersonalOwnership);
+        var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(importingUserId, PolicyType.PersonalOwnership);
        if (anyPersonalOwnershipPolicies)
        {
            throw new BadRequestException("You cannot import items into your personal vault because you are " +
@ -76,7 +75,7 @@ public class ImportCiphersCommand : IImportCiphersCommand
            }
        }

-        var userfoldersIds = (await _folderRepository.GetManyByUserIdAsync(userId ?? Guid.Empty)).Select(f => f.Id).ToList();
+        var userfoldersIds = (await _folderRepository.GetManyByUserIdAsync(importingUserId)).Select(f => f.Id).ToList();

        //Assign id to the ones that don't exist in DB
        //Need to keep the list order to create the relationships
@ -109,10 +108,7 @@ public class ImportCiphersCommand : IImportCiphersCommand
        await _cipherRepository.CreateAsync(ciphers, newFolders);

        // push
-        if (userId.HasValue)
-        {
-            await _pushService.PushSyncVaultAsync(userId.Value);
-        }
+        await _pushService.PushSyncVaultAsync(importingUserId);
    }

    public async Task ImportIntoOrganizationalVaultAsync(
--- a/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
+++ b/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
@ -7,7 +7,7 @@ namespace Bit.Core.Tools.ImportFeatures.Interfaces;
 public interface IImportCiphersCommand
 {
    Task ImportIntoIndividualVaultAsync(List<Folder> folders, List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> folderRelationships);
+        IEnumerable<KeyValuePair<int, int>> folderRelationships, Guid importingUserId);

    Task ImportIntoOrganizationalVaultAsync(List<Collection> collections, List<CipherDetails> ciphers,
        IEnumerable<KeyValuePair<int, int>> collectionRelationships, Guid importingUserId);
--- a/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs
+++ b/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs
@ -79,7 +79,8 @@ public class ImportCiphersControllerTests
            .ImportIntoIndividualVaultAsync(
            Arg.Any<List<Folder>>(),
            Arg.Any<List<CipherDetails>>(),
-            Arg.Any<IEnumerable<KeyValuePair<int, int>>>()
+            Arg.Any<IEnumerable<KeyValuePair<int, int>>>(),
+            user.Id
            );
    }

--- a/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
+++ b/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
@ -44,7 +44,7 @@ public class ImportCiphersAsyncCommandTests
        var folderRelationships = new List<KeyValuePair<int, int>>();

        // Act
-        await sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships);
+        await sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships, importingUserId);

        // Assert
        await sutProvider.GetDependency<ICipherRepository>().Received(1).CreateAsync(ciphers, Arg.Any<List<Folder>>());
@ -68,7 +68,7 @@ public class ImportCiphersAsyncCommandTests
        var folderRelationships = new List<KeyValuePair<int, int>>();

        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
-            sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships));
+            sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships, userId));

        Assert.Equal("You cannot import items into your personal vault because you are a member of an organization which forbids it.", exception.Message);
    }