From 6aa1bdffb080fdf6f98353ceeab008dec8c1d5fe Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Fri, 6 Feb 2026 17:31:48 +0100
Subject: [PATCH] Fix org-details issue

Fix an issue where it was possible for users who were not eligible to access all org ciphers to be able to download and extract the encrypted contents. Only Managers with full access and Admins and Owners should be able to access this endpoint. This change will block and prevent access for other users.

Signed-off-by: BlackDex
---
 src/api/core/organizations.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 356d7786..f173f90f 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -929,11 +929,15 @@ struct OrgIdData {
 }
 
 #[get("/ciphers/organization-details?")]
-async fn get_org_details(data: OrgIdData, headers: OrgMemberHeaders, conn: DbConn) -> JsonResult {
+async fn get_org_details(data: OrgIdData, headers: ManagerHeadersLoose, conn: DbConn) -> JsonResult {
     if data.organization_id != headers.membership.org_uuid {
         err_code!("Resource not found.", "Organization id's do not match", rocket::http::Status::NotFound.code);
     }
 
+    if !headers.membership.has_full_access() {
+        err_code!("Resource not found.", "User does not have full access", rocket::http::Status::NotFound.code);
+    }
+
     Ok(Json(json!({
         "data": _get_org_details(&data.organization_id, &headers.host, &headers.user.uuid, &conn).await?,
         "object": "list",
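Review bot: The new `has_full_access()` guard answers an authorization failure with `Resource not found.` and a 404, presumably mirroring the org-id mismatch check above it so that a member without full access cannot tell whether the organization's cipher listing exists, but nothing at the call site says this is deliberate and a later cleanup could switch it to 403 and reintroduce the distinction; add a comment above the new `if`, e.g. `// Intentionally 404 rather than 403, matching the org-id check: do not reveal to members without full access that the listing exists.` The guard also leans on the commit's stated assumption that `has_full_access()` is true for Admins and Owners as well as full-access Managers, which is not visible here; a regression test that drives this endpoint as a plain member, a limited manager and an owner would pin that contract. The body of `get_org_details` continues past the end of the hunk.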