From fa463843bb4dfc81a1d1c2d61878f80957bd52d4 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Fri, 5 Apr 2019 22:59:03 -0400
Subject: [PATCH] change permission checks on cipher events
---
 src/Api/Controllers/EventsController.cs | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/Api/Controllers/EventsController.cs b/src/Api/Controllers/EventsController.cs
index d8aa81083b..53d53791ee 100644
--- a/src/Api/Controllers/EventsController.cs
+++ b/src/Api/Controllers/EventsController.cs
@@ -52,10 +52,24 @@ namespace Bit.Api.Controllers
 public async Task> GetCipher(string id, [FromQuery]DateTime? start = null, [FromQuery]DateTime? end = null, [FromQuery]string continuationToken = null)
 {
- var userId = _userService.GetProperUserId(User).Value;
- var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
- if(cipher == null || (cipher.UserId.HasValue && userId != cipher.UserId) ||
- (cipher.OrganizationId.HasValue && !_currentContext.OrganizationAdmin(cipher.OrganizationId.Value)))
+ var cipher = await _cipherRepository.GetByIdAsync(new Guid(id));
+ if(cipher == null)
+ {
+ throw new NotFoundException();
+ }
+
+ var canView = false;
+ if(cipher.OrganizationId.HasValue)
+ {
+ canView = _currentContext.OrganizationAdmin(cipher.OrganizationId.Value);
+ }
+ else if(cipher.UserId.HasValue)
+ {
+ var userId = _userService.GetProperUserId(User).Value;
+ canView = userId == cipher.UserId.Value;
+ }
+
+ if(!canView)
 {
 throw new NotFoundException();
 }
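Review bot: Authorization for this endpoint now rests entirely on the `canView` branch, because the first added line calls `GetByIdAsync(new Guid(id))` without the caller's user id that the removed line passed; that is consistent as written, but it deserves a comment so a later edit cannot quietly weaken it, e.g. `// Unscoped lookup: access is decided solely by the org-admin / owner check below.`. Also on that line, `new Guid(id)` throws `FormatException` for a malformed route value, which surfaces as a server error instead of the uniform NotFound the rest of the method returns; `if(!Guid.TryParse(id, out var cipherId)) { throw new NotFoundException(); }` followed by `GetByIdAsync(cipherId)` keeps the response identical for bad and unknown ids. Note that for an organization cipher the previous per-user scoping is gone, so any organization admin can now read that cipher's events regardless of their own access to it — presumably the intent of the commit, but worth confirming against the event-visibility rules elsewhere. GetCipher's body continues past the hunk.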