[PM-31820] added a null check to the id/partial route (#7066)

Jingo88 · web-flow · commit fe3a8c202020 · 2026-03-12T14:04:17.000-04:00
diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
@@ -709,12 +709,18 @@ private async Task<bool> CanEditItemsInCollections(Guid organizationId, IEnumera
     public async Task<CipherResponseModel> PutPartial(Guid id, [FromBody] CipherPartialRequestModel model)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
+        if (cipher == null)
+        {
+            throw new NotFoundException();
+        }
+
         var folderId = string.IsNullOrWhiteSpace(model.FolderId) ? null : (Guid?)new Guid(model.FolderId);
         await _cipherRepository.UpdatePartialAsync(id, user.Id, folderId, model.Favorite);
 
-        var cipher = await GetByIdAsync(id, user.Id);
+        var updatedCipher = await GetByIdAsync(id, user.Id);
         var response = new CipherResponseModel(
-            cipher,
+            updatedCipher,
             user,
             await _applicationCacheService.GetOrganizationAbilitiesAsync(),
             _globalSettings);
diff --git a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
@@ -60,6 +60,24 @@ public async Task PutPartialShouldReturnCipherWithGivenFolderAndFavoriteValues(U
         Assert.Equal(isFavorite, result.Favorite);
     }
 
+    [Theory, BitAutoData]
+    public async Task PutPartialShouldThrowNotFoundExceptionWhenCipherDoesNotExist(User user, Guid folderId, SutProvider<CiphersController> sutProvider)
+    {
+        var isFavorite = true;
+        var cipherId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherId, user.Id).ReturnsNull();
+
+        var requestAction = async () => await sutProvider.Sut.PutPartial(cipherId, new CipherPartialRequestModel { Favorite = isFavorite, FolderId = folderId.ToString() });
+
+        await Assert.ThrowsAsync<NotFoundException>(requestAction);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .DidNotReceive()
+            .UpdatePartialAsync(Arg.Any<Guid>(), Arg.Any<Guid>(), Arg.Any<Guid?>(), Arg.Any<bool>());
+    }
+
     [Theory, BitAutoData]
     public async Task PutCollections_vNextShouldThrowExceptionWhenCipherIsNullOrNoOrgValue(Guid id, CipherCollectionsRequestModel model, User user,
         SutProvider<CiphersController> sutProvider)
