Skip to content

[PM-22236] Fix invited accounts stuck in intermediate claimed status #6810

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
eliykat wants to merge 9 commits into
base: main
Choose a base branch
from
+606 โˆ’455
Open

[PM-22236] Fix invited accounts stuck in intermediate claimed status #6810

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
8c68a2d
Exclude invited users from claimed domain check
eliykat Jan 8, 2026
eed9e78
Move tests to their own file
eliykat Jan 8, 2026
7d1e8b9
Use helper methods
eliykat Jan 8, 2026
ec7b2b9
Fix list query
eliykat Jan 8, 2026
570bfaa
dotnet format
eliykat Jan 8, 2026
ee4bb73
Merge remote-tracking branch 'origin/main' into ac/pm-22236/server-clโ€ฆ
eliykat Jan 12, 2026
9505309
bump dates
eliykat Jan 12, 2026
96f25fd
Remove unnecessary select *
eliykat Jan 12, 2026
d9ca9df
Add comments
eliykat Jan 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,9 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
Task<IEnumerable<string>> GetOwnerEmailAddressesById(Guid organizationId);

/// <summary>
/// Gets the organizations that have a verified domain matching the user's email domain.
/// Gets the organizations that have claimed the user's account. Currently, only one organization may claim a user.
/// This requires that the organization has claimed the user's domain and the user is an organization member.
/// It excludes invited members.
/// </summary>
Task<ICollection<Organization>> GetByVerifiedUserEmailDomainAsync(Guid userId);

Expand Down
3 changes: 2 additions & 1 deletion src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,7 +325,8 @@ join od in dbContext.OrganizationDomains on ou.OrganizationId equals od.Organiza
where ou.UserId == userWithDomain.UserId &&
od.DomainName == userWithDomain.EmailDomain &&
od.VerifiedDate != null &&
o.Enabled == true
o.Enabled == true &&
ou.Status != OrganizationUserStatusType.Invited
Copy link
Contributor

@JimmyVo16 JimmyVo16 Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just thinking out loud here lol:

Iโ€™ve noticed we have a few cases where we exclude certain collection types or user types. I agree that we should do filtering in the database to leverage the query optimizer and reduce sending unnecessary data over the network. However, I wonder if we could configure the sproc's parameters to include only the types we want returned. That way, we can control the types from the app in the future, reduce the need for an extra deployment, and avoid potential backward compatibility issues.

That said, this does add upfront complexity to the sproc for a situation that might never happen.

Copy link
Member Author

@eliykat eliykat Jan 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do that in some sprocs, but here the status is closely tied to the purpose of the sproc: it's dealing with claimed accounts, and you can't claim an invited user's account. I would say this is a case where it should not be parameterized.

select o;

return await query.ToArrayAsync();
Expand Down
2 changes: 2 additions & 0 deletions ...dminConsole/Repositories/Queries/OrganizationUserReadByClaimedOrganizationDomainsQuery.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
๏ปฟusing Bit.Core.Entities;
using Bit.Core.Enums;

namespace Bit.Infrastructure.EntityFramework.Repositories.Queries;

Expand All @@ -16,6 +17,7 @@ public IQueryable<OrganizationUser> Run(DatabaseContext dbContext)
var query = from ou in dbContext.OrganizationUsers
join u in dbContext.Users on ou.UserId equals u.Id
where ou.OrganizationId == _organizationId
&& ou.Status != OrganizationUserStatusType.Invited
&& dbContext.OrganizationDomains
.Any(od => od.OrganizationId == _organizationId &&
od.VerifiedDate != null &&
Expand Down
3 changes: 2 additions & 1 deletion src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByOrganizationIdWithClaimedDomains_V2.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,14 @@ BEGIN
SELECT *
FROM [dbo].[OrganizationUserView]
WHERE [OrganizationId] = @OrganizationId
AND [Status] != 0 -- Exclude invited users
),
UserDomains AS (
SELECT U.[Id], U.[EmailDomain]
FROM [dbo].[UserEmailDomainView] U
WHERE EXISTS (
SELECT 1
FROM [dbo].[OrganizationDomainView] OD
FROM [dbo].[OrganizationDomainView] OD
WHERE OD.[OrganizationId] = @OrganizationId
AND OD.[VerifiedDate] IS NOT NULL
AND OD.[DomainName] = U.[EmailDomain]
Expand Down
3 changes: 2 additions & 1 deletion src/Sql/dbo/Stored Procedures/Organization_ReadByClaimedUserEmailDomain.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ BEGIN

WITH CTE_User AS (
SELECT
U.*,
U.[Id],
SUBSTRING(U.Email, CHARINDEX('@', U.Email) + 1, LEN(U.Email)) AS EmailDomain
FROM dbo.[UserView] U
WHERE U.[Id] = @UserId
Expand All @@ -19,4 +19,5 @@ BEGIN
WHERE OD.[VerifiedDate] IS NOT NULL
AND CU.EmailDomain = OD.[DomainName]
AND O.[Enabled] = 1
AND OU.[Status] != 0 -- Exclude invited users
END
Loading
Loading