changed request

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommand.cs

@@ -270,7 +270,7 @@ public class AcceptOrgUserCommand : IAcceptOrgUserCommand
         ICollection<OrganizationUser> allOrgUsers, User user)
     {
         var error = (await _automaticUserConfirmationPolicyEnforcementValidator.IsCompliantAsync(
-                new AutomaticUserConfirmationPolicyEnforcementRequest(orgUser, allOrgUsers, user)))
+                new AutomaticUserConfirmationPolicyEnforcementRequest(orgUser.Id, allOrgUsers, user)))
             .Match(
                 error => error.Message,
                 _ => string.Empty

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUsersValidator.cs

@@ -82,10 +82,8 @@ public class AutomaticallyConfirmOrganizationUsersValidator(
     private async Task<bool> OrganizationUserIsProviderAsync(AutomaticallyConfirmOrganizationUserValidationRequest request) =>
         (await providerUserRepository.GetManyByUserAsync(request.OrganizationUser!.UserId!.Value)).Count != 0;
 
-    private async Task<bool> OrganizationHasAutomaticallyConfirmUsersPolicyEnabledAsync(
-            AutomaticallyConfirmOrganizationUserValidationRequest request) =>
-        await policyRepository.GetByOrganizationIdTypeAsync(request.OrganizationId,
-            PolicyType.AutomaticUserConfirmation) is { Enabled: true }
+    private async Task<bool> OrganizationHasAutomaticallyConfirmUsersPolicyEnabledAsync(AutomaticallyConfirmOrganizationUserValidationRequest request) =>
+        await policyRepository.GetByOrganizationIdTypeAsync(request.OrganizationId, PolicyType.AutomaticUserConfirmation) is { Enabled: true }
         && request.Organization is { UseAutomaticUserConfirmation: true };
 
     private async Task<bool> OrganizationUserConformsToTwoFactorRequiredPolicyAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/Errors.cs

@@ -12,3 +12,4 @@ public record OrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot co
 public record OtherOrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot confirm this member to the organization because they are in another organization which forbids it.");
 public record AutomaticallyConfirmUsersPolicyIsNotEnabled() : BadRequestError("Cannot confirm this member because the Automatically Confirm Users policy is not enabled.");
 public record ProviderUsersCannotJoin() : BadRequestError("An organization the user is a part of has enabled Automatic User Confirmation policy and it does not support provider users joining.");
+public record CurrentOrganizationUserIsNotPresentInRequest() : BadRequestError("The current organization user does not exist in the request.");

src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/AutomaticUserConfirmationPolicyEnforcementRequest.cs

@@ -8,14 +8,14 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoCo
 public record AutomaticUserConfirmationPolicyEnforcementRequest
 {
     /// <summary>
-    /// Organization user to be confirmed to be confirmed
+    /// Organization user to be validated
     /// </summary>
-    public OrganizationUser OrganizationUser { get; }
+    public Guid OrganizationUserId { get; }
+
     /// <summary>
-    /// Collection of organization users that match the provided user. This must be populated with organizations users associated with the
-    /// organization user to confirm.
+    /// All organization users that match the provided user.
     /// </summary>
-    public IEnumerable<OrganizationUser> OtherOrganizationsOrganizationUsers { get; }
+    public IEnumerable<OrganizationUser> AllOrganizationUsers { get; }
     /// <summary>
     /// User associated with the organization user to be confirmed
     /// </summary>
@@ -26,18 +26,17 @@ public record AutomaticUserConfirmationPolicyEnforcementRequest
     /// </summary>
     /// <remarks>
     /// This record is used to encapsulate the data required for handling the automatic confirmation policy enforcement.
-    ///
     /// </remarks>
-    /// <param name="organizationUserToValidate">The organization user to be validated within the current organization context.</param>
-    /// <param name="organizationUsersForOtherOrganizations">THIS MUST BE POPULATED CORRECTLY. A collection of organization user records that match the provided user.</param>
+    /// <param name="organizationUserId">The organization user id to be validated.</param>
+    /// <param name="organizationUsers">All organization users that match the provided user.</param>
     /// <param name="user">The general user associated with the operation.</param>
     public AutomaticUserConfirmationPolicyEnforcementRequest(
-        OrganizationUser organizationUserToValidate,
-        IEnumerable<OrganizationUser> organizationUsersForOtherOrganizations,
+        Guid organizationUserId,
+        IEnumerable<OrganizationUser> organizationUsers,
         User user)
     {
-        OrganizationUser = organizationUserToValidate;
-        OtherOrganizationsOrganizationUsers = organizationUsersForOtherOrganizations;
+        OrganizationUserId = organizationUserId;
+        AllOrganizationUsers = organizationUsers;
         User = user;
     }
 }

src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/AutomaticUserConfirmationPolicyEnforcementValidator.cs

@@ -1,12 +1,14 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
 
 public class AutomaticUserConfirmationPolicyEnforcementValidator(
-    IPolicyRequirementQuery policyRequirementQuery)
+    IPolicyRequirementQuery policyRequirementQuery,
+    IProviderUserRepository providerUserRepository)
     : IAutomaticUserConfirmationPolicyEnforcementValidator
 {
     public async Task<ValidationResult<AutomaticUserConfirmationPolicyEnforcementRequest>> IsCompliantAsync(
@@ -15,27 +17,31 @@ public class AutomaticUserConfirmationPolicyEnforcementValidator(
         var automaticUserConfirmationPolicyRequirement = await policyRequirementQuery
             .GetAsync<AutomaticUserConfirmationPolicyRequirement>(request.User.Id);
 
-        if (automaticUserConfirmationPolicyRequirement.IsEnabled(request.OrganizationUser.OrganizationId)
-            && OrganizationUserBelongsToAnotherOrganization(request))
+        var currentOrganizationUser = request.AllOrganizationUsers
+            .FirstOrDefault(x => x.Id == request.OrganizationUserId);
+
+        if (currentOrganizationUser is null)
+        {
+            return Invalid(request, new CurrentOrganizationUserIsNotPresentInRequest());
+        }
+
+        if (automaticUserConfirmationPolicyRequirement.IsEnabled(currentOrganizationUser.OrganizationId)
+            && automaticUserConfirmationPolicyRequirement.UserBelongsToOrganizationWithAutomaticUserConfirmationEnabled())
         {
             return Invalid(request, new OrganizationEnforcesSingleOrgPolicy());
         }
 
-        if (automaticUserConfirmationPolicyRequirement.IsEnabledAndUserIsAProvider(request.OrganizationUser.OrganizationId))
-        {
-            return Invalid(request, new ProviderUsersCannotJoin());
-        }
-
         if (automaticUserConfirmationPolicyRequirement
-            .IsEnabledForOrganizationsOtherThan(request.OrganizationUser.OrganizationId))
+            .IsEnabledForOrganizationsOtherThan(currentOrganizationUser.OrganizationId))
         {
             return Invalid(request, new OtherOrganizationEnforcesSingleOrgPolicy());
         }
 
+        if ((await providerUserRepository.GetManyByUserAsync(request.User.Id)).Count != 0)
+        {
+            return Invalid(request, new ProviderUsersCannotJoin());
+        }
+
         return Valid(request);
     }
-
-    private static bool OrganizationUserBelongsToAnotherOrganization(AutomaticUserConfirmationPolicyEnforcementRequest request) =>
-        request.OtherOrganizationsOrganizationUsers.Any(ou =>
-            ou.OrganizationId != request.OrganizationUser.OrganizationId);
 }

src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/IAutomaticUserConfirmationPolicyEnforcementValidator.cs

@@ -15,9 +15,9 @@ public interface IAutomaticUserConfirmationPolicyEnforcementValidator
     /// <summary>
     /// Checks if the given user is compliant with the Automatic User Confirmation policy.
     ///
-    /// To be compliant a user must
-    /// - not be a provider
-    /// - not be a member of another organization (similar to Single Organization Policy)
+    /// To be compliant, a user must
+    /// - not be a member of a provider
+    /// - not be a member of another organization
     /// </summary>
     /// <param name="request"></param>
     /// <remarks>

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/AutomaticUserConfirmationPolicyRequirement.cs

@@ -25,9 +25,6 @@ public class AutomaticUserConfirmationPolicyRequirement(IEnumerable<PolicyDetail
 
     public bool IsEnabled(Guid organizationId) => policyDetails.Any(p => p.OrganizationId == organizationId);
 
-    public bool IsEnabledAndUserIsAProvider(Guid organizationId) =>
-        policyDetails.Any(p => p.OrganizationId == organizationId && p.IsProvider);
-
     public bool IsEnabledForOrganizationsOtherThan(Guid organizationId) =>
         policyDetails.Any(p => p.OrganizationId != organizationId);
 }