folder permission checks and null folder

src/Api/Controllers/CiphersController.cs

@@ -255,7 +255,8 @@ namespace Bit.Api.Controllers
         public async Task MoveMany([FromBody]CipherBulkMoveRequestModel model)
         {
             var userId = _userService.GetProperUserId(User).Value;
-            await _cipherService.MoveManyAsync(model.Ids.Select(i => new Guid(i)), new Guid(model.FolderId), userId);
+            await _cipherService.MoveManyAsync(model.Ids.Select(i => new Guid(i)),
+                string.IsNullOrWhiteSpace(model.FolderId) ? (Guid?)null : new Guid(model.FolderId), userId);
         }
     }
 }

src/Core/Models/Api/Request/CipherRequestModel.cs

@@ -100,7 +100,6 @@ namespace Bit.Core.Models.Api
     {
         [Required]
         public IEnumerable<string> Ids { get; set; }
-        [Required]
         public string FolderId { get; set; }
     }
 }

src/Core/Repositories/ICipherRepository.cs

@@ -20,7 +20,7 @@ namespace Bit.Core.Repositories
         Task ReplaceAsync(Cipher obj, IEnumerable<Guid> collectionIds);
         Task UpdatePartialAsync(Guid id, Guid userId, Guid? folderId, bool favorite);
         Task DeleteAsync(IEnumerable<Guid> ids, Guid userId);
-        Task MoveAsync(IEnumerable<Guid> ids, Guid folderId, Guid userId);
+        Task MoveAsync(IEnumerable<Guid> ids, Guid? folderId, Guid userId);
         Task UpdateUserKeysAndCiphersAsync(User user, IEnumerable<Cipher> ciphers, IEnumerable<Folder> folders);
         Task CreateAsync(IEnumerable<Cipher> ciphers, IEnumerable<Folder> folders);
     }

src/Core/Repositories/SqlServer/CipherRepository.cs

@@ -187,7 +187,7 @@ namespace Bit.Core.Repositories.SqlServer
             }
         }
 
-        public async Task MoveAsync(IEnumerable<Guid> ids, Guid folderId, Guid userId)
+        public async Task MoveAsync(IEnumerable<Guid> ids, Guid? folderId, Guid userId)
         {
             using(var connection = new SqlConnection(ConnectionString))
             {

src/Core/Services/ICipherService.cs

@@ -12,7 +12,7 @@ namespace Bit.Core.Services
         Task SaveDetailsAsync(CipherDetails cipher, Guid savingUserId);
         Task DeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false);
         Task DeleteManyAsync(IEnumerable<Guid> cipherIds, Guid deletingUserId);
-        Task MoveManyAsync(IEnumerable<Guid> cipherIds, Guid destinationFolderId, Guid movingUserId);
+        Task MoveManyAsync(IEnumerable<Guid> cipherIds, Guid? destinationFolderId, Guid movingUserId);
         Task SaveFolderAsync(Folder folder);
         Task DeleteFolderAsync(Folder folder);
         Task ShareAsync(Cipher cipher, Guid organizationId, IEnumerable<Guid> collectionIds, Guid userId);

src/Core/Services/Implementations/CipherService.cs

@@ -106,8 +106,17 @@ namespace Bit.Core.Services
             await _pushService.PushSyncCiphersAsync(deletingUserId);
         }
 
-        public async Task MoveManyAsync(IEnumerable<Guid> cipherIds, Guid destinationFolderId, Guid movingUserId)
+        public async Task MoveManyAsync(IEnumerable<Guid> cipherIds, Guid? destinationFolderId, Guid movingUserId)
         {
+            if(destinationFolderId.HasValue)
+            {
+                var folder = await _folderRepository.GetByIdAsync(destinationFolderId.Value);
+                if(folder == null || folder.UserId != movingUserId)
+                {
+                    throw new BadRequestException("Invalid folder.");
+                }
+            }
+
             await _cipherRepository.MoveAsync(cipherIds, destinationFolderId, movingUserId);
             // push
             await _pushService.PushSyncCiphersAsync(movingUserId);