[PM-10323] Remove user verification from organization user deletion methods (#4965)

2025-06-30 15:42:48 -05:00 · 2024-11-04 14:48:13 +00:00
parent 96862b974f
commit 60672bbe48
3 changed files with 12 additions and 86 deletions
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -1,6 +1,5 @@
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.AdminConsole.Models.Response.Organizations;
-using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
@ -545,7 +544,7 @@ public class OrganizationUsersController : Controller
    [RequireFeature(FeatureFlagKeys.AccountDeprovisioning)]
    [HttpDelete("{id}/delete-account")]
    [HttpPost("{id}/delete-account")]
-    public async Task DeleteAccount(Guid orgId, Guid id, [FromBody] SecretVerificationRequestModel model)
+    public async Task DeleteAccount(Guid orgId, Guid id)
    {
        if (!await _currentContext.ManageUsers(orgId))
        {
@ -558,19 +557,13 @@ public class OrganizationUsersController : Controller
            throw new UnauthorizedAccessException();
        }

-        if (!await _userService.VerifySecretAsync(currentUser, model.Secret))
-        {
-            await Task.Delay(2000);
-            throw new BadRequestException(string.Empty, "User verification failed.");
-        }
-
        await _deleteManagedOrganizationUserAccountCommand.DeleteUserAsync(orgId, id, currentUser.Id);
    }

    [RequireFeature(FeatureFlagKeys.AccountDeprovisioning)]
    [HttpDelete("delete-account")]
    [HttpPost("delete-account")]
-    public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkDeleteAccount(Guid orgId, [FromBody] SecureOrganizationUserBulkRequestModel model)
+    public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkDeleteAccount(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
    {
        if (!await _currentContext.ManageUsers(orgId))
        {
@ -583,12 +576,6 @@ public class OrganizationUsersController : Controller
            throw new UnauthorizedAccessException();
        }

-        if (!await _userService.VerifySecretAsync(currentUser, model.Secret))
-        {
-            await Task.Delay(2000);
-            throw new BadRequestException(string.Empty, "User verification failed.");
-        }
-
        var results = await _deleteManagedOrganizationUserAccountCommand.DeleteManyUsersAsync(orgId, model.Ids, currentUser.Id);

        return new ListResponseModel<OrganizationUserBulkResponseModel>(results.Select(r =>
--- a/src/Api/AdminConsole/Models/Request/Organizations/SecureOrganizationUserBulkRequestModel.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/SecureOrganizationUserBulkRequestModel.cs
@ -1,10 +0,0 @@
-using System.ComponentModel.DataAnnotations;
-using Bit.Api.Auth.Models.Request.Accounts;
-
-namespace Bit.Api.AdminConsole.Models.Request.Organizations;
-
-public class SecureOrganizationUserBulkRequestModel : SecretVerificationRequestModel
-{
-    [Required]
-    public IEnumerable<Guid> Ids { get; set; }
-}