From f9b7763d6d29d5b4c7f1d9c80ef0de7582746043 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Fri, 14 Nov 2025 11:43:10 -0500
Subject: [PATCH] [PM-28216] Add org ability check for one time dialog (#17372)

* add org ability check for one time dialog

* exclude providers (cautionary step) and add tests
---
 .../vault/individual-vault/vault.component.ts |   2 +-
 .../models/domain/organization.spec.ts        | 115 ++++++++++++++++++
 .../models/domain/organization.ts             |   8 ++
 3 files changed, 124 insertions(+), 1 deletion(-)

diff --git a/apps/web/src/app/vault/individual-vault/vault.component.ts b/apps/web/src/app/vault/individual-vault/vault.component.ts
index 07e810a0cbf..3b0a7a6f141 100644
--- a/apps/web/src/app/vault/individual-vault/vault.component.ts
+++ b/apps/web/src/app/vault/individual-vault/vault.component.ts
@@ -1623,7 +1623,7 @@ export class VaultComponent<C extends CipherViewLike> implements OnInit, OnDestr
             !policyEnabled &&
             autoConfirmState.showSetupDialog &&
             !!organization &&
-            (organization.canManageUsers || organization.canManagePolicies);
+            organization.canEnableAutoConfirmPolicy;
 
           if (showDialog) {
             await this.openAutoConfirmFeatureDialog(organization);
diff --git a/libs/common/src/admin-console/models/domain/organization.spec.ts b/libs/common/src/admin-console/models/domain/organization.spec.ts
index 2ce674dcb36..5765e84dfb2 100644
--- a/libs/common/src/admin-console/models/domain/organization.spec.ts
+++ b/libs/common/src/admin-console/models/domain/organization.spec.ts
@@ -32,6 +32,7 @@ describe("Organization", () => {
       useSecretsManager: true,
       usePasswordManager: true,
       useActivateAutofillPolicy: false,
+      useAutomaticUserConfirmation: false,
       selfHost: false,
       usersGetPremium: false,
       seats: 10,
@@ -179,4 +180,118 @@ describe("Organization", () => {
       expect(organization.canManageDeviceApprovals).toBe(true);
     });
   });
+
+  describe("canEnableAutoConfirmPolicy", () => {
+    it("should return false when user cannot manage users or policies", () => {
+      data.type = OrganizationUserType.User;
+      data.permissions.manageUsers = false;
+      data.permissions.managePolicies = false;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(false);
+    });
+
+    it("should return false when user can manage users but useAutomaticUserConfirmation is false", () => {
+      data.type = OrganizationUserType.Admin;
+      data.useAutomaticUserConfirmation = false;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(false);
+    });
+
+    it("should return false when user has manageUsers permission but useAutomaticUserConfirmation is false", () => {
+      data.type = OrganizationUserType.User;
+      data.permissions.manageUsers = true;
+      data.useAutomaticUserConfirmation = false;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(false);
+    });
+
+    it("should return false when user can manage policies but useAutomaticUserConfirmation is false", () => {
+      data.type = OrganizationUserType.Admin;
+      data.usePolicies = true;
+      data.useAutomaticUserConfirmation = false;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(false);
+    });
+
+    it("should return false when user has managePolicies permission but usePolicies is false", () => {
+      data.type = OrganizationUserType.User;
+      data.permissions.managePolicies = true;
+      data.usePolicies = false;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(false);
+    });
+
+    it("should return true when admin has useAutomaticUserConfirmation enabled", () => {
+      data.type = OrganizationUserType.Admin;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(true);
+    });
+
+    it("should return true when owner has useAutomaticUserConfirmation enabled", () => {
+      data.type = OrganizationUserType.Owner;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(true);
+    });
+
+    it("should return true when user has manageUsers permission and useAutomaticUserConfirmation is enabled", () => {
+      data.type = OrganizationUserType.User;
+      data.permissions.manageUsers = true;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(true);
+    });
+
+    it("should return true when user has managePolicies permission, usePolicies is true, and useAutomaticUserConfirmation is enabled", () => {
+      data.type = OrganizationUserType.User;
+      data.permissions.managePolicies = true;
+      data.usePolicies = true;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(true);
+    });
+
+    it("should return true when user has both manageUsers and managePolicies permissions with useAutomaticUserConfirmation enabled", () => {
+      data.type = OrganizationUserType.User;
+      data.permissions.manageUsers = true;
+      data.permissions.managePolicies = true;
+      data.usePolicies = true;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(true);
+    });
+
+    it("should return false when provider user has useAutomaticUserConfirmation enabled", () => {
+      data.type = OrganizationUserType.Owner;
+      data.isProviderUser = true;
+      data.useAutomaticUserConfirmation = true;
+
+      const organization = new Organization(data);
+
+      expect(organization.canEnableAutoConfirmPolicy).toBe(false);
+    });
+  });
 });
diff --git a/libs/common/src/admin-console/models/domain/organization.ts b/libs/common/src/admin-console/models/domain/organization.ts
index 55682e62357..458ae1e8f0c 100644
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@@ -310,6 +310,14 @@ export class Organization {
     return this.isAdmin || this.permissions.manageResetPassword;
   }
 
+  get canEnableAutoConfirmPolicy() {
+    return (
+      (this.canManageUsers || this.canManagePolicies) &&
+      this.useAutomaticUserConfirmation &&
+      !this.isProviderUser
+    );
+  }
+
   get canManageDeviceApprovals() {
     return (
       (this.isAdmin || this.permissions.manageResetPassword) &&