Exempt owners and admins from single org and 2FA policy (#1171)

* Fix single org policy when creating organization Exclude owners and admins from policy when creating new org * Fix single org and 2FA policy on accepting invite Exclude owners and admins from policies * Remove looped async calls * Fix code style and formatting
2025-07-01 08:02:49 -05:00 · 2021-03-03 08:15:42 +10:00
parent c2d34d7271
commit a18e1b7dca
2 changed files with 49 additions and 30 deletions
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@ -163,10 +163,19 @@ namespace Bit.Api.Controllers
            }

            var policies = await _policyRepository.GetManyByUserIdAsync(user.Id);
-            if (policies.Any(policy => policy.Enabled && policy.Type == PolicyType.SingleOrg))
+            var orgUsers = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+
+            var orgsWithSingleOrgPolicy = policies.Where(p => p.Enabled && p.Type == PolicyType.SingleOrg)
+                .Select(p => p.OrganizationId);
+            var blockedBySingleOrgPolicy = orgUsers.Any(ou => ou.Type != OrganizationUserType.Owner &&
+                                                        ou.Type != OrganizationUserType.Admin &&
+                                                        ou.Status != OrganizationUserStatusType.Invited &&
+                                                        orgsWithSingleOrgPolicy.Contains(ou.OrganizationId));
+
+            if (blockedBySingleOrgPolicy)
            {
                throw new Exception("You may not create an organization. You belong to an organization " +
-                     "which has a policy that prohibits you from being a member of any other organization.");
+                    "which has a policy that prohibits you from being a member of any other organization.");
            }

            var organizationSignup = model.ToOrganizationSignup(user);