[PM-11404] Account Management: Prevent a verified user from purging their vault (#4853)

* Add check for managed user before purging account

* Rename IOrganizationRepository.GetByClaimedUserDomainAsync to GetByVerifiedUserEmailDomainAsync and refactor to return a list. Remove ManagedByOrganizationId from ProfileResponseMode. Add ManagesActiveUser to ProfileOrganizationResponseModel

* Rename the property ManagesActiveUser to UserIsManagedByOrganization

* Remove whole class #nullable enable and add it to specific places

* Remove unnecessary .ToList()

* Refactor IUserService methods GetOrganizationsManagingUserAsync and IsManagedByAnyOrganizationAsync to not return nullable objects. Update ProfileOrganizationResponseModel.UserIsManagedByOrganization to not be nullable

* Update error message when unable to purge vault for managed account

src/Core/Services/IUserService.cs

@@ -90,14 +90,20 @@ public interface IUserService
     /// Indicates if the user is managed by any organization.
     /// </summary>
     /// <remarks>
-    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
-    /// The organization must be enabled and be on an Enterprise plan.
+    /// A user is considered managed by an organization if their email domain matches one of the verified domains of that organization, and the user is a member of it.
+    /// The organization must be enabled and able to have verified domains.
     /// </remarks>
+    /// <returns>
+    /// False if the Account Deprovisioning feature flag is disabled.
+    /// </returns>
     Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
 
     /// <summary>
-    /// Gets the organization that manages the user.
+    /// Gets the organizations that manage the user.
     /// </summary>
+    /// <returns>
+    /// An empty collection if the Account Deprovisioning feature flag is disabled.
+    /// </returns>
     /// <inheritdoc cref="IsManagedByAnyOrganizationAsync(Guid)"/>
-    Task<Organization> GetOrganizationManagingUserAsync(Guid userId);
+    Task<IEnumerable<Organization>> GetOrganizationsManagingUserAsync(Guid userId);
 }

src/Core/Services/Implementations/UserService.cs

@@ -1267,18 +1267,24 @@ public class UserService : UserManager<User>, IUserService, IDisposable
 
     public async Task<bool> IsManagedByAnyOrganizationAsync(Guid userId)
     {
-        var managingOrganization = await GetOrganizationManagingUserAsync(userId);
-        return managingOrganization != null;
+        var managingOrganizations = await GetOrganizationsManagingUserAsync(userId);
+        return managingOrganizations.Any();
     }
 
-    public async Task<Organization> GetOrganizationManagingUserAsync(Guid userId)
+    public async Task<IEnumerable<Organization>> GetOrganizationsManagingUserAsync(Guid userId)
     {
-        // Users can only be managed by an Organization that is enabled and can have organization domains
-        var organization = await _organizationRepository.GetByClaimedUserDomainAsync(userId);
+        if (!_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
+        {
+            return Enumerable.Empty<Organization>();
+        }
 
+        // Get all organizations that have verified the user's email domain.
+        var organizationsWithVerifiedUserEmailDomain = await _organizationRepository.GetByVerifiedUserEmailDomainAsync(userId);
+
+        // Organizations must be enabled and able to have verified domains.
         // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
         // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
-        return (organization is { Enabled: true, UseSso: true }) ? organization : null;
+        return organizationsWithVerifiedUserEmailDomain.Where(organization => organization is { Enabled: true, UseSso: true });
     }
 
     /// <inheritdoc cref="IsLegacyUser(string)"/>