From d7e45fe0a3c28b7337513394029985139c63da7b Mon Sep 17 00:00:00 2001
From: Addison Beck
Date: Wed, 9 Sep 2020 12:10:33 -0400
Subject: [PATCH] added server validation for plan selection (#924)
---
 src/Api/Controllers/OrganizationsController.cs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/Api/Controllers/OrganizationsController.cs b/src/Api/Controllers/OrganizationsController.cs
index 2485c3522..310f3387d 100644
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@@ -150,6 +150,12 @@ namespace Bit.Api.Controllers
 throw new UnauthorizedAccessException();
 }
 
+ var plan = StaticStore.Plans.FirstOrDefault(plan => plan.Type == model.PlanType);
+ if (plan == null || plan.LegacyYear != null)
+ {
+ throw new Exception("Invalid plan selected.");
+ }
+
 var organizationSignup = model.ToOrganizationSignup(user);
 var result = await _organizationService.SignUpAsync(organizationSignup);
 return new OrganizationResponseModel(result.Item1);
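Review bot: The rejection path throws a bare `Exception` (`throw new Exception("Invalid plan selected.");`), which, unless the API's exception filter special-cases it, would likely surface as a server error, so a request naming an unknown or legacy plan type looks the same as a real fault in logs and alerts. Throwing the exception type that the API's error handling maps to a 4xx response, with the same message, would let monitoring separate rejected input from failures. The check also sits only in this controller action, whose body begins and ends outside the hunk; if `SignUpAsync` can be reached from other callers, the same non-legacy rule would need to be enforced in the service to cover them, though this is inferred because the service is not visible here. Minor: the lambda parameter shadows the local being declared, so `var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == model.PlanType);` reads more clearly.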