[PM-11404] Account Management: Prevent a verified user from purging their vault (#4853)

* Add check for managed user before purging account * Rename IOrganizationRepository.GetByClaimedUserDomainAsync to GetByVerifiedUserEmailDomainAsync and refactor to return a list. Remove ManagedByOrganizationId from ProfileResponseMode. Add ManagesActiveUser to ProfileOrganizationResponseModel * Rename the property ManagesActiveUser to UserIsManagedByOrganization * Remove whole class #nullable enable and add it to specific places * Remove unnecessary .ToList() * Refactor IUserService methods GetOrganizationsManagingUserAsync and IsManagedByAnyOrganizationAsync to not return nullable objects. Update ProfileOrganizationResponseModel.UserIsManagedByOrganization to not be nullable * Update error message when unable to purge vault for managed account
2025-07-02 16:42:50 -05:00 · 2024-10-17 16:06:32 +01:00
parent 245e2e4d52
commit d6cd73cfcc
15 changed files with 285 additions and 92 deletions
--- a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
@ -15,7 +15,10 @@ public class ProfileOrganizationResponseModel : ResponseModel
 {
    public ProfileOrganizationResponseModel(string str) : base(str) { }

-    public ProfileOrganizationResponseModel(OrganizationUserOrganizationDetails organization) : this("profileOrganization")
+    public ProfileOrganizationResponseModel(
+        OrganizationUserOrganizationDetails organization,
+        IEnumerable<Guid> organizationIdsManagingUser)
+        : this("profileOrganization")
    {
        Id = organization.OrganizationId;
        Name = organization.Name;
@ -64,6 +67,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
        AccessSecretsManager = organization.AccessSecretsManager;
        LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
        AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
+        UserIsManagedByOrganization = organizationIdsManagingUser.Contains(organization.OrganizationId);

        if (organization.SsoConfig != null)
        {
@ -122,4 +126,15 @@ public class ProfileOrganizationResponseModel : ResponseModel
    public bool AccessSecretsManager { get; set; }
    public bool LimitCollectionCreationDeletion { get; set; }
    public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    /// <summary>
+    /// Indicates if the organization manages the user.
+    /// </summary>
+    /// <remarks>
+    /// An organization manages a user if the user's email domain is verified by the organization and the user is a member of it.
+    /// The organization must be enabled and able to have verified domains.
+    /// </remarks>
+    /// <returns>
+    /// False if the Account Deprovisioning feature flag is disabled.
+    /// </returns>
+    public bool UserIsManagedByOrganization { get; set; }
 }