From 53936e1809f23d4a1986c48bb5510ddafc1039fa Mon Sep 17 00:00:00 2001
From: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com>
Date: Wed, 19 Mar 2025 14:21:38 -0400
Subject: [PATCH] fixing vulnerability on soft delete

---
 src/Api/Vault/Controllers/CiphersController.cs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
index f1087ff965..7ce6994456 100644
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@@ -709,11 +709,9 @@ public class CiphersController : Controller
     public async Task Delete(Guid id)
     {
         var userId = _userService.GetProperUserId(User).Value;
-        var user = await _userService.GetUserByIdAsync(userId);
         var cipher = await GetByIdAsync(id, userId);
-        var canDelete = NormalCipherPermissions.CanDelete(user, cipher, null);
 
-        if (cipher == null || !canDelete)
+        if (cipher == null)
         {
             throw new NotFoundException();
         }
@@ -782,7 +780,11 @@ public class CiphersController : Controller
     {
         var userId = _userService.GetProperUserId(User).Value;
         var cipher = await GetByIdAsync(id, userId);
-        if (cipher == null)
+        var user = await _userService.GetUserByIdAsync(userId);
+        var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value); //Clean thi sup later
+        var canDelete = NormalCipherPermissions.CanDelete(user, cipher, orgAbility);
+
+        if (cipher == null || !canDelete)
         {
             throw new NotFoundException();
         }
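Review bot: After this hunk the hard-delete `Delete(Guid id)` action performs no per-cipher permission check at all; the only guard left is `cipher == null`, so authorization for a hard delete now rests entirely on whatever the service layer below this controller enforces, which the hunk does not show. If that downstream check is what the removal relies on, record it so the check is not re-added or dropped again by accident: `// Delete permission is enforced by the cipher service, not here — the controller only confirms the cipher is visible to this user.` It is also worth noting that the removed code passed `null` as the organization ability while the soft-delete path in the second hunk now resolves it, so the two delete paths no longer evaluate permissions the same way; a short comment or a shared helper would make that asymmetry deliberate. The rest of `Delete`'s body continues outside the hunk.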
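Review bot: In the second hunk (`@@ -782,7 +780,11 @@`) `cipher.OrganizationId.Value` is dereferenced before the `cipher == null` check that follows it, so a missing cipher now produces a `NullReferenceException` (a 500) instead of the `NotFoundException` the `if` intends to raise. For a personal cipher with no organization, `OrganizationId.Value` on the nullable Guid also throws `InvalidOperationException`, whereas the removed code in the first hunk passed `null` for the ability, so `CanDelete` evidently tolerates a null ability for that case. The null check should come first and the ability lookup should be guarded on `HasValue`; the `//Clean thi sup later` comment should either be fixed or replaced by a description of why the lookup is needed. The enclosing method's signature is above the hunk.

```csharp
        var cipher = await GetByIdAsync(id, userId);
        if (cipher == null)
        {
            throw new NotFoundException();
        }

        var user = await _userService.GetUserByIdAsync(userId);
        // Personal ciphers have no organization; CanDelete accepts a null ability for them.
        var orgAbility = cipher.OrganizationId.HasValue
            ? await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value)
            : null;
        if (!NormalCipherPermissions.CanDelete(user, cipher, orgAbility))
        {
            throw new NotFoundException();
        }
        // … unchanged: remainder of the soft-delete action …
```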