From 7b1edb3d3ff145494415e5ed14cc94f0327c59ff Mon Sep 17 00:00:00 2001 From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com> Date: Mon, 30 Sep 2024 08:59:18 -0500 Subject: [PATCH] [PM-5450] Add check for admin/org access for events (#4705) * check to see if the org allows access to collections/ciphers to owners for events * linter * add check for organization value before attempting to use it * refactor logic to check for org abilities * remove checks for organization abilities - The previous logic would block events from being collected when a cipher was unassigned * check for organization when recording an event from owner/admin
---
 src/Events/Controllers/CollectController.cs | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/Events/Controllers/CollectController.cs b/src/Events/Controllers/CollectController.cs
index 9e4ff531f..5e0417586 100644
--- a/src/Events/Controllers/CollectController.cs
+++ b/src/Events/Controllers/CollectController.cs
@@ -19,19 +19,22 @@ public class CollectController : Controller
 private readonly ICipherRepository _cipherRepository;
 private readonly IOrganizationRepository _organizationRepository;
 private readonly IFeatureService _featureService;
+ private readonly IApplicationCacheService _applicationCacheService;
 
 public CollectController(
 ICurrentContext currentContext,
 IEventService eventService,
 ICipherRepository cipherRepository,
 IOrganizationRepository organizationRepository,
- IFeatureService featureService)
+ IFeatureService featureService,
+ IApplicationCacheService applicationCacheService)
 {
 _currentContext = currentContext;
 _eventService = eventService;
 _cipherRepository = cipherRepository;
 _organizationRepository = organizationRepository;
 _featureService = featureService;
+ _applicationCacheService = applicationCacheService;
 }
 
 [HttpPost]
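Review bot: `_applicationCacheService` is added as a field and assigned in the constructor, but nothing in this diff reads it; the commit message says the organization-ability checks that would have used it were removed in a later iteration. If the rest of the file (outside this hunk) does not use it either, the parameter `IApplicationCacheService applicationCacheService` and the field should be dropped so the controller does not carry a dead dependency, or the intended ability check should be brought back. The class body continues beyond this hunk.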
@@ -77,7 +80,21 @@ public class CollectController : Controller
 }
 if (cipher == null)
 {
- continue;
+ // When the user cannot access the cipher directly, check if the organization allows for
+ // admin/owners access to all collections and the user can access the cipher from that perspective.
+ if (!eventModel.OrganizationId.HasValue)
+ {
+ continue;
+ }
+
+ cipher = await _cipherRepository.GetByIdAsync(eventModel.CipherId.Value);
+ var cipherBelongsToOrg = cipher.OrganizationId == eventModel.OrganizationId;
+ var org = _currentContext.GetOrganization(eventModel.OrganizationId.Value);
+
+ if (!cipherBelongsToOrg || org == null || cipher == null)
+ {
+ continue;
+ }
 }
 if (!ciphersCache.ContainsKey(eventModel.CipherId.Value))
 {
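Review bot: `cipher.OrganizationId` is dereferenced on the `cipherBelongsToOrg` line before the `cipher == null` test in the following `if`, so a cipher id that `GetByIdAsync` cannot resolve throws a NullReferenceException instead of hitting `continue`; drop the `cipherBelongsToOrg` local and fold the comparison into the guard after the null checks, `if (cipher == null || org == null || cipher.OrganizationId != eventModel.OrganizationId)`. The comment promises admin/owner access, yet the only check on the caller is that `_currentContext.GetOrganization` returns a value, which by its name looks like plain membership in that organization rather than a role or collection-access permission — if so, any member of the organization can record events against ciphers they cannot otherwise read, so the returned membership's role or permissions should be checked before the event is accepted, or the comment reworded to describe what is actually verified. Note that `eventModel.CipherId.Value` is used without a `HasValue` guard here; presumably the earlier lookup outside this hunk already established it, which is worth confirming. The enclosing method starts and ends outside the hunk.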