nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

fixing vulnerability on soft delete

Browse Source
This commit is contained in:
cd-bitwarden 2025-03-19 14:21:38 -04:00
parent 6858aa31d7
commit 53936e1809
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/Api/Vault/Controllers/CiphersController.cs
View File

@ -709,11 +709,9 @@ public class CiphersController : Controller
public async Task Delete(Guid id) public async Task Delete(Guid id)
{ {
var userId = _userService.GetProperUserId(User).Value; var userId = _userService.GetProperUserId(User).Value;
var user = await _userService.GetUserByIdAsync(userId);
var cipher = await GetByIdAsync(id, userId); var cipher = await GetByIdAsync(id, userId);
var canDelete = NormalCipherPermissions.CanDelete(user, cipher, null);
if (cipher == null || !canDelete) if (cipher == null)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -782,7 +780,11 @@ public class CiphersController : Controller
{ {
var userId = _userService.GetProperUserId(User).Value; var userId = _userService.GetProperUserId(User).Value;
var cipher = await GetByIdAsync(id, userId); var cipher = await GetByIdAsync(id, userId);
if (cipher == null) var user = await _userService.GetUserByIdAsync(userId);
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value); //Clean thi sup later
var canDelete = NormalCipherPermissions.CanDelete(user, cipher, orgAbility);
if (cipher == null || !canDelete)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }