[PM-11406] Account Management: Prevent a verified user from deleting their account (#4878)

* Add check for managed user before purging account

* Rename IOrganizationRepository.GetByClaimedUserDomainAsync to GetByVerifiedUserEmailDomainAsync and refactor to return a list. Remove ManagedByOrganizationId from ProfileResponseMode. Add ManagesActiveUser to ProfileOrganizationResponseModel

* Rename the property ManagesActiveUser to UserIsManagedByOrganization

* Remove whole class #nullable enable and add it to specific places

* [PM-11405] Account Deprovisioning: Prevent a verified user from changing their email address

* Remove unnecessary .ToList()

* Refactor IUserService methods GetOrganizationsManagingUserAsync and IsManagedByAnyOrganizationAsync to not return nullable objects. Update ProfileOrganizationResponseModel.UserIsManagedByOrganization to not be nullable

* Prevent deletion of accounts managed by an organization when Account Deprovisioning is enabled

* Add CannotDeleteManagedAccountViewModel and email templates

- Added CannotDeleteManagedAccountViewModel class to handle emails related to preventing deletion of accounts managed by an organization.
- Added HTML and text email templates for sending notifications about the inability to delete an account owned by an organization.
- Updated IMailService interface with a new method to send the cannot delete managed account email.
- Implemented the SendCannotDeleteManagedAccountEmailAsync method in HandlebarsMailService.
- Added a check in UserService to send the cannot delete managed account email if the user is managed by any organization.
- Added a no-op implementation for SendCannotDeleteManagedAccountEmailAsync in NoopMailService.

* Update error message when unable to purge vault for managed account

* Update error message when unable to change email for managed account

* Update error message when unable to delete account when managed by organization

* Update error message in test for deleting organization-owned accounts

src/Core/Services/IMailService.cs

@@ -18,6 +18,7 @@ public interface IMailService
         ProductTierType productTier,
         IEnumerable<ProductType> products);
     Task SendVerifyDeleteEmailAsync(string email, Guid userId, string token);
+    Task SendCannotDeleteManagedAccountEmailAsync(string email);
     Task SendChangeEmailAlreadyExistsEmailAsync(string fromEmail, string toEmail);
     Task SendChangeEmailEmailAsync(string newEmailAddress, string token);
     Task SendTwoFactorEmailAsync(string email, string token);

src/Core/Services/Implementations/HandlebarsMailService.cs

@@ -112,6 +112,19 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendCannotDeleteManagedAccountEmailAsync(string email)
+    {
+        var message = CreateDefaultMessage("Delete Your Account", email);
+        var model = new CannotDeleteManagedAccountViewModel
+        {
+            WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            SiteName = _globalSettings.SiteName,
+        };
+        await AddMessageContentAsync(message, "AdminConsole.CannotDeleteManagedAccount", model);
+        message.Category = "CannotDeleteManagedAccount";
+        await _mailDeliveryService.SendEmailAsync(message);
+    }
+
     public async Task SendChangeEmailAlreadyExistsEmailAsync(string fromEmail, string toEmail)
     {
         var message = CreateDefaultMessage("Your Email Change", toEmail);

src/Core/Services/Implementations/UserService.cs

@@ -297,6 +297,12 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             return;
         }
 
+        if (await IsManagedByAnyOrganizationAsync(user.Id))
+        {
+            await _mailService.SendCannotDeleteManagedAccountEmailAsync(user.Email);
+            return;
+        }
+
         var token = await base.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "DeleteAccount");
         await _mailService.SendVerifyDeleteEmailAsync(user.Email, user.Id, token);
     }

src/Core/Services/NoopImplementations/NoopMailService.cs

@@ -94,6 +94,11 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
 
+    public Task SendCannotDeleteManagedAccountEmailAsync(string email)
+    {
+        return Task.FromResult(0);
+    }
+
     public Task SendPasswordlessSignInAsync(string returnUrl, string token, string email)
     {
         return Task.FromResult(0);