From 69730824b9741e34214cbdce6cf93158f2a6f473 Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Sat, 20 Dec 2025 19:30:46 +0100
Subject: [PATCH] Fix posting cipher with readonly collections

This fix will check if a collection is writeable for the user, and if not error out early instead of creating the cipher first and leaving it. It will also save some database transactions.

Fixes #6562

Signed-off-by: BlackDex
---
 src/api/core/ciphers.rs | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index 237df116..1901ffb4 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -324,8 +324,21 @@ async fn post_ciphers_create(

 // Check if there are one more more collections selected when this cipher is part of an organization.
 // err if this is not the case before creating an empty cipher.
- if data.cipher.organization_id.is_some() && data.collection_ids.is_empty() {
- err!("You must select at least one collection.");
+ if let Some(org_id) = &data.cipher.organization_id {
+ if data.collection_ids.is_empty() {
+ err!("You must select at least one collection.");
+ } else {
+ for col_id in &data.collection_ids {
+ match Collection::find_by_uuid_and_org(col_id, org_id, &conn).await {
+ None => err!("Invalid collection ID provided"),
+ Some(collection) => {
+ if !collection.is_writable_by_user(&headers.user.uuid, &conn).await {
+ err!("No rights to modify the collection")
+ }
+ }
+ }
+ }
+ }
 }

 // This check is usually only needed in update_cipher_from_data(), but we
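Review bot: The two new error arms of the `match` return different messages (`"Invalid collection ID provided"` and `"No rights to modify the collection"`), so a caller can tell a collection ID that is absent from the organization apart from one that exists but is read-only for them. If collection existence should stay hidden from users without access, give both arms one message, e.g. `err!("Collection does not exist or you have no write access")`. The comment above the block still describes only the empty-list check and could gain `// Also reject collections that are not in this organization or not writable by the user.` Whether the caller's membership in `org_id` is verified before this loop cannot be seen from the hunk, since the body of post_ciphers_create starts and continues outside it.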