
[PM-6934] Prevent enabling two step login policy if any Org member has no master password and no 2FA set up (#3915)

* [PM-6934] Prevent enabling two step login policy if any Org member has no master password and no 2FA set up

* [PM-6934] PR feedback

* [PM-6934] Updated policy check to only check users that will be deleted

* [PM-6934] Removed unnecessary code

* [PM-6934] Fixed unit tests and policy update logic

* [PM-6934] Updated error message
This commit is contained in:
Rui Tomé
2024-03-21 12:07:13 +00:00
committed by GitHub
parent 78ce1f8a5d
commit 366eef7e23
2 changed files with 169 additions and 19 deletions


@ -124,10 +124,17 @@ public class PolicyService : IPolicyService
switch (policy.Type)
{
case PolicyType.TwoFactorAuthentication:
foreach (var orgUser in removableOrgUsers)
// Reorder by HasMasterPassword to prioritize checking users without a master if they have 2FA enabled
foreach (var orgUser in removableOrgUsers.OrderBy(ou => ou.HasMasterPassword))
{
if (!await userService.TwoFactorIsEnabledAsync(orgUser))
{
if (!orgUser.HasMasterPassword)
{
throw new BadRequestException(
"Policy could not be enabled. Non-compliant members will lose access to their accounts. Identify members without two-step login from the policies column in the members page.");
}
await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
savingUserId);
await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(