[PM-15957] Fix: Domain Claim fails to enable Single Organization Policy, sends no emails and Revokes all users

[r-tome]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-15957

📔 Objective

The domain claim process has multiple critical issues:

1. Single Organization Policy is not enabled after claiming the domain.
2. Users are incorrectly revoked, including those not belonging to other organizations.
3. Notification emails are not sent to claimed accounts.

Root causes:

• OrganizationUser_SetStatusForUsersById was passing a JSON parameter to User_BumpAccountRevisionDateByOrganizationUserIds, which expects a GuidIdArray instead.
  • this is fixed by adding the new sproc User_BumpAccountRevisionDateByOrganizationUserIdsJson which expects the Json parameter and then modifying OrganizationUser_SetStatusForUsersById to call it.
• Revoking action is not filtering out users that are not members of other organizations.
  • this is fixed by updating SingleOrgPolicyValidator to filter out single organization users when checking which users should be revoked

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

Attention: Patch coverage is 87.50000% with 1 line in your changes missing coverage. Please review.

Project coverage is 42.91%. Comparing base (6d9c8d0) to head (495d20e).

Files with missing lines	Patch %	Lines
...icies/PolicyValidators/SingleOrgPolicyValidator.cs	87.50%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5147   +/-   ##
=======================================
  Coverage   42.91%   42.91%           
=======================================
  Files        1444     1444           
  Lines       66086    66092    +6     
  Branches     6056     6057    +1     
=======================================
+ Hits        28358    28363    +5     
  Misses      36446    36446           
- Partials     1282     1283    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Checkmarx One – Scan Summary & Details – d5a14678-9dfe-4fd9-87fc-de8a9ae2f5bf

New Issues

Severity	Issue	Source File / Package	Checkmarx Insight
	Missing_CSP_Header	/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs: 5	Attack Vector