diff --git a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
index c7f6a9c52e..1d55114442 100644
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
@@ -31,21 +31,7 @@ public class UpdateSecretCommand : IUpdateSecretCommand
         var orgAdmin = await _currentContext.OrganizationAdmin(secret.OrganizationId);
         var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
-        var project = updatedSecret.Projects?.FirstOrDefault();
-
-        if (secret.Projects != null && secret.Projects.Any() && project == null)
-        {
-            throw new NotFoundException();
-        }
-
-        var hasAccess = accessClient switch
-        {
-            AccessClientType.NoAccessCheck => true,
-            AccessClientType.User => project != null && await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
-            _ => false,
-        };
-
-        if (!hasAccess)
+        if (!await HasAccessToOriginalAndUpdatedProject(accessClient, secret, updatedSecret, userId))
         {
             throw new NotFoundException();
         }
 
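Review bot: The `NoAccessCheck` path no longer rejects an update that drops a secret's project: the removed guard `if (secret.Projects != null && secret.Projects.Any() && project == null) throw new NotFoundException();` ran for every client type, whereas `HasAccessToOriginalAndUpdatedProject` returns true for `NoAccessCheck` clients (org admins, going by the `orgAdmin` argument) before looking at either project list, so an admin update with an empty `Projects` now passes this check. If detaching by admins is not intended, keep that guard in UpdateAsync ahead of the new call. Whether the code after the check actually clears the project association depends on lines outside the hunk, and UpdateAsync's signature and the rest of its body are also outside the hunk.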
@@ -59,4 +45,21 @@ public class UpdateSecretCommand : IUpdateSecretCommand
         await _secretRepository.UpdateAsync(secret);
         return secret;
     }
+
+    public async Task HasAccessToOriginalAndUpdatedProject(AccessClientType accessClient, Secret secret, Secret updatedSecret, Guid userId)
+    {
+        switch (accessClient)
+        {
+            case AccessClientType.NoAccessCheck:
+                return true;
+            case AccessClientType.User:
+                var oldProject = secret.Projects?.FirstOrDefault();
+                var newProject = updatedSecret.Projects?.FirstOrDefault();
+                var accessToOld = oldProject != null && await _projectRepository.UserHasWriteAccessToProject(oldProject.Id, userId);
+                var accessToNew = newProject != null && await _projectRepository.UserHasWriteAccessToProject(newProject.Id, userId);
+                return accessToOld && accessToNew;
+            default:
+                return false;
+        }
+    }
 }
diff --git a/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Secrets/UpdateSecretCommandTests.cs b/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Secrets/UpdateSecretCommandTests.cs
index faa6e7ec5e..5fe37c6974 100644
--- a/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Secrets/UpdateSecretCommandTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Secrets/UpdateSecretCommandTests.cs
@@ -34,6 +34,7 @@ public class UpdateSecretCommandTests
     public async Task UpdateAsync_Success(PermissionType permissionType, Secret data, SutProvider sutProvider, Guid userId, Project mockProject)
     {
         sutProvider.GetDependency().AccessSecretsManager(data.OrganizationId).Returns(true);
+        data.Projects = new List() { mockProject };
 
         if (permissionType == PermissionType.RunAsAdmin)
         {
@@ -41,7 +42,6 @@ public class UpdateSecretCommandTests
         }
         else
         {
-            data.Projects = new List() { mockProject };
             sutProvider.GetDependency().OrganizationAdmin(data.OrganizationId).Returns(false);
             sutProvider.GetDependency().UserHasWriteAccessToProject((Guid)(data.Projects?.First().Id), userId).Returns(true);
         }
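Review bot: In the `AccessClientType.User` branch only the first element of each `Projects` collection is authorization-checked (`FirstOrDefault()` on both `secret.Projects` and `updatedSecret.Projects`), so if a secret or an update can carry more than one project, every project after the first is accepted without a write-access check and a user could attach a secret to a project they cannot write to by listing it second. If the model permits several projects per secret, check all of them as below; if exactly one is ever allowed, enforce that here with a count check rather than relying on callers. Two smaller points: the helper is `public` on a command class whose only visible consumer is UpdateAsync, so `private` would keep this access decision from being reused out of context, and the second repository call is made even when `accessToOld` is already false or the two ids are equal. The rewrite below keeps the existing rule that an unassigned secret, or an update that drops the project, is not writable by a user.
```csharp
            case AccessClientType.User:
                var oldProjects = secret.Projects?.ToList();
                var newProjects = updatedSecret.Projects?.ToList();
                // As before: no original project, or an update that drops it, is admin-only.
                if (oldProjects == null || oldProjects.Count == 0 || newProjects == null || newProjects.Count == 0)
                {
                    return false;
                }
                // Every project on either side must be writable; stop at the first denial.
                foreach (var projectId in oldProjects.Concat(newProjects).Select(p => p.Id).Distinct())
                {
                    if (!await _projectRepository.UserHasWriteAccessToProject(projectId, userId))
                    {
                        return false;
                    }
                }
                return true;
            // … unchanged: NoAccessCheck and default cases …
```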
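Review bot: Setting `data.Projects = new List() { mockProject };` for both permission types only exercises the case where the original and updated project are the same object and `UserHasWriteAccessToProject` answers true for it, so the new requirement that both the original and the updated project be writable is never tested where the two differ; whether `data` is also the stored secret depends on fixture setup outside the hunk. A companion test whose update carries a second `Project`, with the repository returning true for the original id and false for the new one, and which asserts `await Assert.ThrowsAsync<NotFoundException>(...)`, would pin the behavior the command change introduces. The `(Guid)(data.Projects?.First().Id)` cast in the else branch is pre-existing, and the test method continues past the hunk.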