[PM-39998] Omit org owner and admin Sends from policy enforcement#7982
[PM-39998] Omit org owner and admin Sends from policy enforcement#7982mcamirault wants to merge 2 commits into
Conversation
🤖 Bitwarden Claude Code ReviewOverall Assessment: REQUEST CHANGES This PR exempts org owners and admins from SendControls policy enforcement by fetching their user IDs via Code Review Details
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7982 +/- ##
==========================================
+ Coverage 62.03% 66.58% +4.54%
==========================================
Files 2276 2277 +1
Lines 99404 99456 +52
Branches 8980 8982 +2
==========================================
+ Hits 61667 66223 +4556
+ Misses 35565 30964 -4601
- Partials 2172 2269 +97 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
| var orgSendIds = await sendRepository.GetIdsByOrganizationIdAsync(postUpsertedPolicyState.OrganizationId); | ||
| // We fetch all of the owners and admins in the org so we can ignore their Sends when enforcing policy compliance | ||
| // This could be a heavy call in theory but in practice owners and admins should be a minority of org users | ||
| var orgOwnerAndAdminUserIds = (await orgUserRepository.GetManyByMinimumRoleAsync(postUpsertedPolicyState.OrganizationId, Core.Enums.OrganizationUserType.Admin)).Select(oud => oud.GetUserId()); |
There was a problem hiding this comment.
💭 At some point it would be good to collapse the verification of whether a Send is compliant, to the PolicyRequirement itself, which owns the concept of "given a policy and some domain data (the user trying to Send, the Send itself), is this valid?". This way if we change how the policy works, it'll "just work" for this side effect
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-39998
📔 Objective
For the new Manage Send policy we want org Owners and Admins to be exempt from its enforcement, including the disabling of existing Sends that are noncompliant with the policy. This PR adds a check that will exempt a user's Sends from being disabled if they are an Owner or Admin within the org that has set the policy.