Ensure org user belongs to org they're being invited to (#6937)

2026-02-08 18:03:11 +08:00 · 2026-02-05 14:44:59 -06:00
parent ef37f3d3dd
commit 3e21d12202
2 changed files with 47 additions and 6 deletions
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
@@ -121,10 +121,37 @@ public class OrganizationUsersControllerTests

    [Theory]
    [BitAutoData]
-    public async Task Accept_NoMasterPasswordReset(Guid orgId, Guid orgUserId,
-        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+    public async Task Accept_WhenOrganizationUserNotFound_ThrowsNotFoundException(
+        Guid orgId, Guid orgUserId, OrganizationUserAcceptRequestModel model, User user,
+        SutProvider<OrganizationUsersController> sutProvider)
    {
        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns((OrganizationUser)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Accept(orgId, orgUserId, model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Accept_WhenOrganizationIdMismatch_ThrowsNotFoundException(
+        Guid orgId, Guid orgUserId, OrganizationUserAcceptRequestModel model, User user, OrganizationUser organizationUser,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        organizationUser.OrganizationId = Guid.NewGuid(); // Different org ID
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Accept(orgId, orgUserId, model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Accept_NoMasterPasswordReset(Guid orgId, Guid orgUserId,
+        OrganizationUserAcceptRequestModel model, User user, OrganizationUser organizationUser, SutProvider<OrganizationUsersController> sutProvider)
+    {
+        organizationUser.OrganizationId = orgId;
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);

        await sutProvider.Sut.Accept(orgId, orgUserId, model);

@@ -137,17 +164,19 @@ public class OrganizationUsersControllerTests
    [Theory]
    [BitAutoData]
    public async Task Accept_WhenOrganizationUsePoliciesIsEnabledAndResetPolicyIsEnabled_ShouldHandleResetPassword(Guid orgId, Guid orgUserId,
-        OrganizationUserAcceptRequestModel model, User user,
+        OrganizationUserAcceptRequestModel model, User user, OrganizationUser organizationUser,
        [Policy(PolicyType.ResetPassword, true)] PolicyStatus policy,
        SutProvider<OrganizationUsersController> sutProvider)
    {
        // Arrange
+        organizationUser.OrganizationId = orgId;
        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });

        policy.Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, });
        var userService = sutProvider.GetDependency<IUserService>();
        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);

        var policyQuery = sutProvider.GetDependency<IPolicyQuery>();
        policyQuery.RunAsync(orgId,
@@ -171,17 +200,19 @@ public class OrganizationUsersControllerTests
    [Theory]
    [BitAutoData]
    public async Task Accept_WhenOrganizationUsePoliciesIsDisabled_ShouldNotHandleResetPassword(Guid orgId, Guid orgUserId,
-        OrganizationUserAcceptRequestModel model, User user,
+        OrganizationUserAcceptRequestModel model, User user, OrganizationUser organizationUser,
        [Policy(PolicyType.ResetPassword, true)] PolicyStatus policy,
        SutProvider<OrganizationUsersController> sutProvider)
    {
        // Arrange
+        organizationUser.OrganizationId = orgId;
        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = false });

        policy.Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, });
        var userService = sutProvider.GetDependency<IUserService>();
        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);

        var policyQuery = sutProvider.GetDependency<IPolicyQuery>();
        policyQuery.RunAsync(orgId,
@@ -360,13 +391,15 @@ public class OrganizationUsersControllerTests
    [Theory]
    [BitAutoData]
    public async Task Accept_WhenOrganizationUsePoliciesIsEnabledAndResetPolicyIsEnabled_WithPolicyRequirementsEnabled_ShouldHandleResetPassword(Guid orgId, Guid orgUserId,
-        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+        OrganizationUserAcceptRequestModel model, User user, OrganizationUser organizationUser, SutProvider<OrganizationUsersController> sutProvider)
    {
        // Arrange
+        organizationUser.OrganizationId = orgId;
        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });

        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);

        var policy = new Policy
        {
@@ -403,14 +436,16 @@ public class OrganizationUsersControllerTests
    [Theory]
    [BitAutoData]
    public async Task Accept_WithInvalidModelResetPasswordKey_WithPolicyRequirementsEnabled_ThrowsBadRequestException(Guid orgId, Guid orgUserId,
-        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+        OrganizationUserAcceptRequestModel model, User user, OrganizationUser organizationUser, SutProvider<OrganizationUsersController> sutProvider)
    {
        // Arrange
        model.ResetPasswordKey = " ";
+        organizationUser.OrganizationId = orgId;
        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });

        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);

        var policy = new Policy
        {