[PM-32594] Add authorization to admin-initiated sponsorship endpoints

[cturnbull-bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-32594

📔 Objective

Adds authorization checks to the AdminInitiatedRevokeSponsorshipAsync and ResendSponsorshipOffer endpoints in both the cloud and self-hosted sponsorship controllers. Previously, these endpoints only required [Authorize("Application")], meaning any authenticated user could call them regardless of their relationship to the
sponsoring organization.

Now uses [Authorize<ManageUsersRequirement>] to enforce that the caller is an Owner, Admin, or has the ManageUsers permission in the sponsoring organization — consistent with the existing GetSponsoredOrganizations endpoint and CreateSponsorshipCommand validation.

Route parameters on the affected endpoints were renamed from {sponsoringOrgId} to {organizationId} to work with the existing authorization handler infrastructure. The C# parameter names remain unchanged.

[claude]

Claude finished @cturnbull-bitwarden's task in 2m 20s —— View job

---

Pull Request Review: PM-32594 Add authorization to admin-initiated sponsorship endpoints

Summary

This PR fixes a security vulnerability (VULN-441) where the AdminInitiatedRevokeSponsorshipAsync and ResendSponsorshipOffer endpoints lacked proper organization-level authorization. Previously, any authenticated user could call these endpoints regardless of their relationship to the sponsoring organization.

Changes Reviewed

File	Type	Assessment
src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs	Security fix	Correct
src/Api/Controllers/SelfHosted/SelfHostedOrganizationSponsorshipsController.cs	Security fix	Correct
test/Api.IntegrationTest/Billing/Controllers/OrganizationSponsorshipsControllerTests.cs	Tests	Thorough

Analysis

Security fix is correct. The [Authorize<ManageUsersRequirement>] attribute leverages the existing OrganizationRequirementHandler, which extracts the organization ID from the route and verifies the caller is an Owner, Admin, Custom user with ManageUsers permission, or a Provider user for that specific organization. This prevents both unauthorized access and cross-organization attacks.

Route parameter renaming is necessary. The rename from {sponsoringOrgId} to {organizationId} is required because HttpContextExtensions.GetOrganizationId() only recognizes route values named orgId or organizationId. The [FromRoute(Name = "organizationId")] binding preserves the existing C# parameter names, and the actual URL structure remains unchanged for API consumers -- no breaking change.

Both deployment targets are covered. The cloud controller (OrganizationSponsorshipsController) and the self-hosted controller (SelfHostedOrganizationSponsorshipsController) are both updated. The self-hosted controller already has [Authorize("Application")] at the class level, so only the [Authorize<ManageUsersRequirement>] attribute was needed at the method level.

Test coverage is thorough. The 13 new integration tests cover both endpoints across all relevant authorization scenarios: non-member (forbidden), regular member without ManageUsers (forbidden), owner (allowed), admin (allowed), custom user with ManageUsers (allowed), and cross-organization attack (forbidden).

Verdict

No issues found. This is a focused, well-implemented security fix with excellent test coverage.

---

Reviewed by Claude (Anthropic) | Model: Opus 4.6

[github-actions]

Checkmarx One – Scan Summary & Details – fc1755ea-717e-496c-9fa8-38746827a226

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293

[kdenney]

Looks good; just one question to confirm first.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.75%. Comparing base (ea1468d) to head (c677794).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7095      +/-   ##
==========================================
- Coverage   60.74%   56.75%   -3.99%     
==========================================
  Files        2026     2026              
  Lines       88681    88681              
  Branches     7905     7905              
==========================================
- Hits        53872    50334    -3538     
- Misses      32902    36518    +3616     
+ Partials     1907     1829      -78     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud