From aa73ad31dfa6467a2cd20f5d3f6a7c4b8838df4c Mon Sep 17 00:00:00 2001
From: Rui Tome
Date: Mon, 26 May 2025 11:24:08 +0100
Subject: [PATCH] Refactor ConfirmOrganizationUserCommand to streamline two-factor authentication policy validation logic

---
 .../ConfirmOrganizationUserCommand.cs | 51 ++++++++-----------
 1 file changed, 20 insertions(+), 31 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
index 7f53d598d9..9086a437a9 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
@@ -153,19 +153,7 @@ public class ConfirmOrganizationUserCommand : IConfirmOrganizationUserCommand
 ICollection userOrgs, bool userTwoFactorEnabled)
 {
 // Enforce Two Factor Authentication Policy for this organization
- if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
- {
- await ValidateTwoFactorAuthenticationPolicyAsync(user, organizationId, userTwoFactorEnabled);
- }
- else
- {
- var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
- .Any(p => p.OrganizationId == organizationId);
- if (orgRequiresTwoFactor && !userTwoFactorEnabled)
- {
- throw new BadRequestException("User does not have two-step login enabled.");
- }
- }
+ await ValidateTwoFactorAuthenticationPolicyAsync(user, organizationId, userTwoFactorEnabled);
 
 var hasOtherOrgs = userOrgs.Any(ou => ou.OrganizationId != organizationId);
 var singleOrgPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg);
@@ -183,29 +171,30 @@ public class ConfirmOrganizationUserCommand : IConfirmOrganizationUserCommand
 }
 }
 
- ///
- /// Validates the two-factor authentication policy for the organization user.
- /// If the policy applies to the organization, the user must have two-step login enabled.
- ///
- /// The user to validate the policy for.
- /// The ID of the organization to validate the policy for.
- /// Whether the user has two-step login enabled.
- /// Thrown if the policy applies to the organization and
- /// the user does not have two-step login enabled.
 private async Task ValidateTwoFactorAuthenticationPolicyAsync(User user, Guid organizationId, bool userTwoFactorEnabled)
 {
- if (userTwoFactorEnabled)
+ if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
 {
- // If the user has two-step login enabled, we skip checking the 2FA policy
- return;
+ if (userTwoFactorEnabled)
+ {
+ // If the user has two-step login enabled, we skip checking the 2FA policy
+ return;
+ }
+
+ var twoFactorPolicyRequirement = await _policyRequirementQuery.GetAsync(user.Id);
+ if (twoFactorPolicyRequirement.IsTwoFactorRequiredForOrganization(organizationId))
+ {
+ throw new BadRequestException("User does not have two-step login enabled.");
+ }
 }
-
- var twoFactorPolicyRequirement = await _policyRequirementQuery.GetAsync(user.Id);
- var twoFactorRequired = twoFactorPolicyRequirement.IsTwoFactorRequiredForOrganization(organizationId);
-
- if (twoFactorRequired)
+ else
 {
- throw new BadRequestException("User does not have two-step login enabled.");
+ var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
+ .Any(p => p.OrganizationId == organizationId);
+ if (orgRequiresTwoFactor && !userTwoFactorEnabled)
+ {
+ throw new BadRequestException("User does not have two-step login enabled.");
+ }
 }
 }
 
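Review bot: The XML doc comment on ValidateTwoFactorAuthenticationPolicyAsync is deleted and nothing replaces it, even though the method now holds both the PolicyRequirements path and the legacy _policyService path for the two-step login check. I would restore a summary that covers both, e.g. `/// <summary>Throws BadRequestException when the organization requires two-step login and the user has not enabled it; the policy source depends on the PolicyRequirements feature flag.</summary>`. The branches are also shaped differently: the flag-on branch returns early when userTwoFactorEnabled is true, while the else branch always queries policies and then tests `!userTwoFactorEnabled`, so hoisting `if (userTwoFactorEnabled) { return; }` above the flag check would leave one decision point to audit, provided GetPoliciesApplicableToUserAsync has no side effect the legacy path depends on. Only this file is in the patch, so it is worth confirming that existing tests assert the exception under both flag states.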