user checks on read procs

src/Api/Controllers/CiphersController.cs

@@ -90,10 +90,10 @@ namespace Bit.Api.Controllers
 
         [HttpPut("{id}/move")]
         [HttpPost("{id}/move")]
-        public async Task PostMoveSubvault(string id, [FromBody]CipherMoveRequestModel model)
+        public async Task PostMove(string id, [FromBody]CipherMoveRequestModel model)
         {
             var userId = _userService.GetProperUserId(User).Value;
-            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id));
+            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
             if(cipher == null)
             {
                 throw new NotFoundException();
@@ -107,7 +107,8 @@ namespace Bit.Api.Controllers
         [HttpPost("{id}/delete")]
         public async Task Delete(string id)
         {
-            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), _userService.GetProperUserId(User).Value);
+            var userId = _userService.GetProperUserId(User).Value;
+            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
             if(cipher == null)
             {
                 throw new NotFoundException();

src/Core/Repositories/SqlServer/CipherRepository.cs

@@ -28,11 +28,11 @@ namespace Bit.Core.Repositories.SqlServer
             using(var connection = new SqlConnection(ConnectionString))
             {
                 var results = await connection.QueryAsync<CipherDetails>(
-                    $"[{Schema}].[CipherDetails_ReadById]",
+                    $"[{Schema}].[CipherDetails_ReadByIdUserId]",
-                    new { Id = id },
+                    new { Id = id, UserId = userId },
                     commandType: CommandType.StoredProcedure);
 
-                return results.FirstOrDefault(c => c.UserId == userId);
+                return results.FirstOrDefault();
             }
         }
 

src/Core/Services/Implementations/CipherService.cs

@@ -103,12 +103,6 @@ namespace Bit.Core.Services
                 throw new BadRequestException(nameof(cipher.OrganizationId));
             }
 
-            var existingCipher = await _cipherRepository.GetByIdAsync(cipher.Id);
-            if(existingCipher == null || (existingCipher.UserId.HasValue && existingCipher.UserId != userId))
-            {
-                throw new NotFoundException();
-            }
-
             var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(userId, subvaultIds,
                 cipher.OrganizationId.Value);
 
@@ -117,7 +111,7 @@ namespace Bit.Core.Services
             await _cipherRepository.ReplaceAsync(cipher, subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId));
 
             // push
-            await _pushService.PushSyncCipherUpdateAsync(cipher);
+            //await _pushService.PushSyncCipherUpdateAsync(cipher);
         }
 
         public async Task ImportCiphersAsync(

src/Sql/Sql.sqlproj

@@ -172,5 +172,6 @@
     <Build Include="dbo\Stored Procedures\SubvaultUser_ReadPermissionsBySubvaultUserId.sql" />
     <Build Include="dbo\UserDefinedTypes\GuidIdArray.sql" />
     <Build Include="dbo\Stored Procedures\Cipher_UpdateWithSubvaults.sql" />
+    <Build Include="dbo\Stored Procedures\CipherDetails_ReadByIdUserId.sql" />
   </ItemGroup>
 </Project>

src/Sql/dbo/Stored Procedures/CipherDetails_ReadByIdUserId.sql

@@ -0,0 +1,24 @@
+CREATE PROCEDURE [dbo].[CipherDetails_ReadByIdUserId]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT DISTINCT
+        C.*
+    FROM
+        [dbo].[CipherDetailsView] C
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+    WHERE
+        C.Id = @Id
+        AND (
+            (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
+            OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
+        )
+END

src/Sql/dbo/Stored Procedures/CipherDetails_ReadByTypeUserId.sql

@@ -5,11 +5,20 @@ AS
 BEGIN
     SET NOCOUNT ON
 
-    SELECT
+    SELECT DISTINCT
-        *
+        C.*
     FROM
-        [dbo].[CipherDetailsView]
+        [dbo].[CipherDetailsView] C
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
     WHERE
-        [Type] = @Type
+        C.[Type] = @Type
-        AND [UserId] = @UserId
+        AND (
+            (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
+            OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
+        )
 END

src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserId.sql

@@ -16,5 +16,5 @@ BEGIN
         [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
     WHERE
         (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
-        OR OU.[UserId] = @UserId
+        OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
 END

src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserIdHasSubvault.sql

@@ -15,5 +15,6 @@ BEGIN
     INNER JOIN
         [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
     WHERE
-        [OU].[UserId] = @UserId
+        OU.[UserId] = @UserId 
+        AND OU.[Status] = 2 -- 2 = Confirmed
 END