From 2444346ea91451496081c3b36254e00362527d18 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Wed, 27 Sep 2017 22:37:13 -0400
Subject: [PATCH] only owners can manage owners

---
 .../OrganizationUsersController.cs            |  5 ++++
 .../Implementations/OrganizationService.cs    | 28 ++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs
index 560c62480..ee5da0dfc 100644
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@@ -174,6 +174,11 @@ namespace Bit.Api.Controllers
                 throw new NotFoundException();
             }
 
+            if(organizationUser.Type == Core.Enums.OrganizationUserType.Owner && !_currentContext.OrganizationOwner(orgGuidId))
+            {
+                throw new BadRequestException("Only owners can update other owners.");
+            }
+
             await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, model.GroupIds.Select(g => new Guid(g)));
         }
 
diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs
index 91bae08da..7b00cfccd 100644
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@@ -809,6 +809,15 @@ namespace Bit.Core.Services
                 throw new NotFoundException();
             }
 
+            if(type == OrganizationUserType.Owner)
+            {
+                var invitingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(invitingUserId);
+                if(!invitingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner))
+                {
+                    throw new BadRequestException("Only owners can invite new owners.");
+                }
+            }
+
             if(organization.Seats.HasValue)
             {
                 var userCount = await _organizationUserRepository.GetCountByOrganizationIdAsync(organizationId);
@@ -995,13 +1004,21 @@ namespace Bit.Core.Services
                 throw new BadRequestException("Invite the user first.");
             }
 
+            if(user.Type == OrganizationUserType.Owner)
+            {
+                var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId);
+                if(!savingUserOrgs.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner))
+                {
+                    throw new BadRequestException("Only owners can update other owners.");
+                }
+            }
+
             var confirmedOwners = (await GetConfirmedOwnersAsync(user.OrganizationId)).ToList();
             if(user.Type != OrganizationUserType.Owner && confirmedOwners.Count == 1 && confirmedOwners[0].Id == user.Id)
             {
                 throw new BadRequestException("Organization must have at least one confirmed owner.");
             }
 
-
             if(user.AccessAll)
             {
                 // We don't need any collections if we're flagged to have all access.
@@ -1023,6 +1040,15 @@ namespace Bit.Core.Services
                 throw new BadRequestException("You cannot remove yourself.");
             }
 
+            if(orgUser.Type == OrganizationUserType.Owner)
+            {
+                var deletingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(deletingUserId);
+                if(!deletingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner))
+                {
+                    throw new BadRequestException("Only owners can delete other owners.");
+                }
+            }
+
             var confirmedOwners = (await GetConfirmedOwnersAsync(organizationId)).ToList();
             if(confirmedOwners.Count == 1 && confirmedOwners[0].Id == organizationUserId)
             {