mirror of https://github.com/bitwarden/server.git synced 2025-06-30 07:36:14 -05:00

[PM-11406] Account Management: Prevent a verified user from deleting their account (#4878)

* Add check for managed user before purging account

* Rename IOrganizationRepository.GetByClaimedUserDomainAsync to GetByVerifiedUserEmailDomainAsync and refactor to return a list. Remove ManagedByOrganizationId from ProfileResponseModel. Add ManagesActiveUser to ProfileOrganizationResponseModel

* Rename the property ManagesActiveUser to UserIsManagedByOrganization

* Remove whole class #nullable enable and add it to specific places

* [PM-11405] Account Deprovisioning: Prevent a verified user from changing their email address

* Remove unnecessary .ToList()

* Refactor IUserService methods GetOrganizationsManagingUserAsync and IsManagedByAnyOrganizationAsync to not return nullable objects. Update ProfileOrganizationResponseModel.UserIsManagedByOrganization to not be nullable

* Prevent deletion of accounts managed by an organization when Account Deprovisioning is enabled

* Add CannotDeleteManagedAccountViewModel and email templates

- Added CannotDeleteManagedAccountViewModel class to handle emails related to preventing deletion of accounts managed by an organization.
- Added HTML and text email templates for sending notifications about the inability to delete an account owned by an organization.
- Updated IMailService interface with a new method to send the cannot delete managed account email.
- Implemented the SendCannotDeleteManagedAccountEmailAsync method in HandlebarsMailService.
- Added a check in UserService to send the cannot delete managed account email if the user is managed by any organization.
- Added a no-op implementation for SendCannotDeleteManagedAccountEmailAsync in NoopMailService.

* Update error message when unable to purge vault for managed account

* Update error message when unable to change email for managed account

* Update error message when unable to delete account when managed by organization

* Update error message in test for deleting organization-owned accounts
Rui Tomé
2024-11-04 16:37:21 +00:00
committed by GitHub
parent a2654ce2ee
commit 4b76008245
9 changed files with 88 additions and 0 deletions


@ -534,6 +534,34 @@ public class AccountsControllerTests : IDisposable
await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostSetPasswordAsync(model));
}
[Fact]
public async Task Delete_WhenAccountDeprovisioningIsEnabled_WithUserManagedByAnOrganization_ThrowsBadRequestException()
{
var user = GenerateExampleUser();
ConfigureUserServiceToReturnValidPrincipalFor(user);
ConfigureUserServiceToAcceptPasswordFor(user);
_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
_userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
var result = await Assert.ThrowsAsync<BadRequestException>(() => _sut.Delete(new SecretVerificationRequestModel()));
Assert.Equal("Cannot delete accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
}
[Fact]
public async Task Delete_WhenAccountDeprovisioningIsEnabled_WithUserNotManagedByAnOrganization_ShouldSucceed()
{
var user = GenerateExampleUser();
ConfigureUserServiceToReturnValidPrincipalFor(user);
ConfigureUserServiceToAcceptPasswordFor(user);
_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
_userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(false);
_userService.DeleteAsync(user).Returns(IdentityResult.Success);
await _sut.Delete(new SecretVerificationRequestModel());
await _userService.Received(1).DeleteAsync(user);
}
// Below are helper functions that currently belong to this
// test class, but ultimately may need to be split out into