diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs index 560c62480..ee5da0dfc 100644 --- a/src/Api/Controllers/OrganizationUsersController.cs +++ b/src/Api/Controllers/OrganizationUsersController.cs @@ -174,6 +174,11 @@ namespace Bit.Api.Controllers throw new NotFoundException(); } + if(organizationUser.Type == Core.Enums.OrganizationUserType.Owner && !_currentContext.OrganizationOwner(orgGuidId)) + { + throw new BadRequestException("Only owners can update other owners."); + } + await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, model.GroupIds.Select(g => new Guid(g))); } diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs index 91bae08da..7b00cfccd 100644 --- a/src/Core/Services/Implementations/OrganizationService.cs +++ b/src/Core/Services/Implementations/OrganizationService.cs @@ -809,6 +809,15 @@ namespace Bit.Core.Services throw new NotFoundException(); } + if(type == OrganizationUserType.Owner) + { + var invitingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(invitingUserId); + if(!invitingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner)) + { + throw new BadRequestException("Only owners can invite new owners."); + } + } + if(organization.Seats.HasValue) { var userCount = await _organizationUserRepository.GetCountByOrganizationIdAsync(organizationId); @@ -995,13 +1004,21 @@ namespace Bit.Core.Services throw new BadRequestException("Invite the user first."); } + if(user.Type == OrganizationUserType.Owner) + { + var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId); + if(!savingUserOrgs.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner)) + { + throw new BadRequestException("Only owners can update other owners."); + } + } + var confirmedOwners = (await GetConfirmedOwnersAsync(user.OrganizationId)).ToList(); if(user.Type != OrganizationUserType.Owner && confirmedOwners.Count == 1 && confirmedOwners[0].Id == user.Id) { throw new BadRequestException("Organization must have at least one confirmed owner."); } - if(user.AccessAll) { // We don't need any collections if we're flagged to have all access. @@ -1023,6 +1040,15 @@ namespace Bit.Core.Services throw new BadRequestException("You cannot remove yourself."); } + if(orgUser.Type == OrganizationUserType.Owner) + { + var deletingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(deletingUserId); + if(!deletingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner)) + { + throw new BadRequestException("Only owners can delete other owners."); + } + } + var confirmedOwners = (await GetConfirmedOwnersAsync(organizationId)).ToList(); if(confirmedOwners.Count == 1 && confirmedOwners[0].Id == organizationUserId) {