[PM-26316] Prevent users from sharing archived cipher (#6443)

* prevent users from sharing an archived cipher * move check outside of encrypted check * add check for cipher stored in the DB does not have an archive date
2025-12-06 00:03:34 +00:00 · 2025-10-13 08:03:57 -05:00
parent 84534eb8f9
commit 42568b6494
2 changed files with 127 additions and 0 deletions
--- a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
+++ b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
@@ -1790,6 +1790,118 @@ public class CiphersControllerTests
        );
    }

+    [Theory, BitAutoData]
+    public async Task PutShareMany_ArchivedCipher_ThrowsBadRequestException(
+        Guid organizationId,
+        Guid userId,
+        CipherWithIdRequestModel request,
+        SutProvider<CiphersController> sutProvider)
+    {
+        request.EncryptedFor = userId;
+        request.OrganizationId = organizationId.ToString();
+        request.ArchivedDate = DateTime.UtcNow;
+        var model = new CipherBulkShareRequestModel
+        {
+            Ciphers = [request],
+            CollectionIds = [Guid.NewGuid().ToString()]
+        };
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationUser(organizationId)
+            .Returns(Task.FromResult(true));
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(default)
+            .ReturnsForAnyArgs(userId);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.PutShareMany(model)
+        );
+
+        Assert.Equal("Cannot move archived items to an organization.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PutShareMany_ExistingCipherArchived_ThrowsBadRequestException(
+        Guid organizationId,
+        Guid userId,
+        CipherWithIdRequestModel request,
+        SutProvider<CiphersController> sutProvider)
+    {
+        // Request model does not have ArchivedDate (only the existing cipher does)
+        request.EncryptedFor = userId;
+        request.OrganizationId = organizationId.ToString();
+        request.ArchivedDate = null;
+
+        var model = new CipherBulkShareRequestModel
+        {
+            Ciphers = [request],
+            CollectionIds = [Guid.NewGuid().ToString()]
+        };
+
+        // The existing cipher from the repository IS archived
+        var existingCipher = new CipherDetails
+        {
+            Id = request.Id!.Value,
+            UserId = userId,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new CipherLoginData()),
+            ArchivedDate = DateTime.UtcNow
+        };
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationUser(organizationId)
+            .Returns(Task.FromResult(true));
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(default)
+            .ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId, withOrganizations: false)
+            .Returns(Task.FromResult((ICollection<CipherDetails>)[existingCipher]));
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.PutShareMany(model)
+        );
+
+        Assert.Equal("Cannot move archived items to an organization.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PutShare_ArchivedCipher_ThrowsBadRequestException(
+        Guid cipherId,
+        Guid organizationId,
+        User user,
+        CipherShareRequestModel model,
+        SutProvider<CiphersController> sutProvider)
+    {
+        model.Cipher.OrganizationId = organizationId.ToString();
+        model.Cipher.EncryptedFor = user.Id;
+
+        var cipher = new Cipher
+        {
+            Id = cipherId,
+            UserId = user.Id,
+            ArchivedDate = DateTime.UtcNow.AddDays(-1),
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new CipherLoginData())
+        };
+
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(user);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherId)
+            .Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationUser(organizationId)
+            .Returns(Task.FromResult(true));
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.PutShare(cipherId, model)
+        );
+
+        Assert.Equal("Cannot move an archived item to an organization.", exception.Message);
+    }
+
    [Theory, BitAutoData]
    public async Task PostPurge_WhenUserNotFound_ThrowsUnauthorizedAccessException(
        SecretVerificationRequestModel model,