[SM-577] - ACCESS POLICY fixing issue with user being able to update a secret if they are assi… (#2763)

* fixing issue with user being able to update a secret if they are assigning it to a project that has read/write permissions. Even though the customer is only allowed to read. * Add additional check for newly assigned project access and original project access. * fixing Lint issue * Fixing tests * uneeded param removed * Updating to extract logic into function * renaming function * lint fixes * renaming function
2025-07-03 00:52:49 -05:00 · 2023-03-07 13:22:03 -05:00
parent 48ae4a2e92
commit 7334de636b
2 changed files with 19 additions and 16 deletions
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
@ -31,21 +31,7 @@ public class UpdateSecretCommand : IUpdateSecretCommand
        var orgAdmin = await _currentContext.OrganizationAdmin(secret.OrganizationId);
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);

-        var project = updatedSecret.Projects?.FirstOrDefault();
-
-        if (secret.Projects != null && secret.Projects.Any() && project == null)
-        {
-            throw new NotFoundException();
-        }
-
-        var hasAccess = accessClient switch
-        {
-            AccessClientType.NoAccessCheck => true,
-            AccessClientType.User => project != null && await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
-            _ => false,
-        };
-
-        if (!hasAccess)
+        if (!await HasAccessToOriginalAndUpdatedProject(accessClient, secret, updatedSecret, userId))
        {
            throw new NotFoundException();
        }
@ -59,4 +45,21 @@ public class UpdateSecretCommand : IUpdateSecretCommand
        await _secretRepository.UpdateAsync(secret);
        return secret;
    }
+
+    public async Task<bool> HasAccessToOriginalAndUpdatedProject(AccessClientType accessClient, Secret secret, Secret updatedSecret, Guid userId)
+    {
+        switch (accessClient)
+        {
+            case AccessClientType.NoAccessCheck:
+                return true;
+            case AccessClientType.User:
+                var oldProject = secret.Projects?.FirstOrDefault();
+                var newProject = updatedSecret.Projects?.FirstOrDefault();
+                var accessToOld = oldProject != null && await _projectRepository.UserHasWriteAccessToProject(oldProject.Id, userId);
+                var accessToNew = newProject != null && await _projectRepository.UserHasWriteAccessToProject(newProject.Id, userId);
+                return accessToOld && accessToNew;
+            default:
+                return false;
+        }
+    }
 }