From 54c46f716b91c1c87fde00991f7a9ba49f5c5a75 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Thu, 28 Mar 2019 12:36:57 -0400
Subject: [PATCH] Only owner can change the type of another owner. resolves #467
---
 .../Implementations/OrganizationService.cs | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs
index 00539a6277..2de4b5a5ab 100644
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@@ -1012,12 +1012,20 @@ namespace Bit.Core.Services
 throw new BadRequestException("Invite the user first.");
 }
- if(savingUserId.HasValue && user.Type == OrganizationUserType.Owner)
+ if(savingUserId.HasValue)
 {
 var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId.Value);
- if(!savingUserOrgs.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner))
+ var savingUserIsOrgOwner = savingUserOrgs
+ .Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner);
+ if(!savingUserIsOrgOwner)
 {
- throw new BadRequestException("Only owners can update other owners.");
+ var originalUser = await _organizationUserRepository.GetByIdAsync(user.Id);
+ var isOwner = originalUser.Type == OrganizationUserType.Owner;
+ var nowOwner = user.Type == OrganizationUserType.Owner;
+ if((isOwner && !nowOwner) || (!isOwner && nowOwner))
+ {
+ throw new BadRequestException("Only an owner can change the user type of another owner.");
+ }
 }
 }
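Review bot: `originalUser.Type` is read without a null check, so a `user.Id` that is non-default but has no stored record would surface as a NullReferenceException rather than a controlled rejection; guard it with `if(originalUser == null) { throw new BadRequestException("User not found."); }` (message text is a suggestion) before the `isOwner` line. The saving user's owner test is keyed on `user.OrganizationId` from the incoming object while the type comparison uses the stored record, so unless the caller outside this hunk already guarantees the two agree, the check should also reject when `originalUser.OrganizationId != user.OrganizationId`, which means loading `originalUser` before `savingUserIsOrgOwner` is computed. The whole authorization block is still skipped when `savingUserId` has no value, so a short comment stating which trusted callers are expected to pass null would help future reviewers. The enclosing method starts and ends outside the hunk.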