add tests

src/Core/Vault/Services/Implementations/CipherService.cs

@@ -993,14 +993,12 @@ public class CipherService : ICipherService
             {
                 throw new BadRequestException("You do not have permission to add cipher key encryption.");
             }
-            if (existingCipherData?.Fields != null && newCipherData?.Fields != null)
+            if (newCipherData?.Fields != null)
             {
                 // Keep only non-hidden fields from the new cipher
                 var nonHiddenFields = newCipherData.Fields.Where(f => f.Type != FieldType.Hidden).ToList();
-
                 // Get hidden fields from the existing cipher
-                var hiddenFields = existingCipherData.Fields.Where(f => f.Type == FieldType.Hidden);
-
+                var hiddenFields = existingCipherData.Fields?.Where(f => f.Type == FieldType.Hidden) ?? [];
                 // Replace the hidden fields in new cipher data with the existing ones
                 newCipherData.Fields = nonHiddenFields.Concat(hiddenFields);
                 cipher.Data = JsonSerializer.Serialize(newCipherData);

test/Core.Test/Vault/Services/CipherServiceTests.cs

@@ -813,7 +813,8 @@ public class CipherServiceTests
         bool editPermission,
         string? key = null,
         string? totp = null,
-        CipherLoginFido2CredentialData[]? passkeys = null
+        CipherLoginFido2CredentialData[]? passkeys = null,
+        CipherFieldData[]? fields = null
         )
     {
         var cipherDetails = new CipherDetails
@@ -826,7 +827,7 @@ public class CipherServiceTests
             Key = key,
         };
 
-        var newLoginData = new CipherLoginData { Username = "user", Password = newPassword, Totp = totp, Fido2Credentials = passkeys };
+        var newLoginData = new CipherLoginData { Username = "user", Password = newPassword, Totp = totp, Fido2Credentials = passkeys, Fields = fields };
         cipherDetails.Data = JsonSerializer.Serialize(newLoginData);
 
         var existingCipher = new Cipher
@@ -1027,6 +1028,56 @@ public class CipherServiceTests
         Assert.Equal(passkeys.Length, updatedLoginData.Fido2Credentials.Length);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task SaveDetailsAsync_HiddenFieldsChangedWithoutPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: false, editPermission: false, fields:
+        [
+            new CipherFieldData
+            {
+                Name = "FieldName",
+                Value = "FieldValue",
+                Type = FieldType.Hidden,
+            }
+        ]);
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Empty(updatedLoginData.Fields);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SaveDetailsAsync_HiddenFieldsChangedWithPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: true, fields:
+        [
+            new CipherFieldData
+            {
+                Name = "FieldName",
+                Value = "FieldValue",
+                Type = FieldType.Hidden,
+            }
+        ]);
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Single(updatedLoginData.Fields.ToArray());
+    }
+
     [Theory]
     [BitAutoData]
     public async Task DeleteAsync_WithPersonalCipherOwner_DeletesCipher(