
[PM-34049] Fix PoliciesController authorize attribute#7303

Merged
eliykat merged 3 commits into main from ac/pm-34049/sso-jit-provisioning-does-not-prompt-for-master-password
Mar 25, 2026

Conversation

@eliykat
Member

@eliykat eliykat commented Mar 25, 2026

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34049

📔 Objective

Fix for #7242, which added Authorize attributes to the PoliciesController.

GetMasterPasswordPolicy was updated to use the MemberRequirement, which assumes a confirmed member. This seemed appropriate because the member was being checked by UserId + OrgId, which matches a confirmed state. However, due to the invalid OrganizationUser provisioning bug, it actually matches invited users who need to set their password as well.

I have reverted the previous code, but moved it into an Authorize attribute in order to satisfy the tests (and more recent practices) of using attributes for authorization. This includes detailed xmldoc to explain this.

📸 Screenshots
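As an added illustration (not Bitwarden's code, and not the diff of this PR), the resource-based ASP.NET Core authorization handler pattern the description refers to: a requirement that is met by any OrganizationUser row linked to the caller's UserId for the given OrganizationId, regardless of status, in contrast to a confirmed-member check. The `IOrganizationUserRepository` interface and the `OrganizationUserStatus` enum are assumptions; the requirement and handler names are modelled on those mentioned on this page.

```csharp
// Added illustration, not Bitwarden's code. Repository and status enum are hypothetical.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public enum OrganizationUserStatus { Invited, Accepted, Confirmed }
public record OrganizationUser(Guid OrganizationId, Guid? UserId, OrganizationUserStatus Status);

// Hypothetical repository abstraction; the lookup is by OrganizationId + UserId only.
public interface IOrganizationUserRepository
{
    Task<OrganizationUser?> GetByOrganizationAsync(Guid organizationId, Guid userId);
}

// Satisfied by any OrganizationUser row linked to the caller's UserId, whatever its Status.
// Deliberately weaker than a confirmed-member check, so that invited users whose row already
// carries a UserId can still read the master password policy they must satisfy.
public class OrgUserLinkedToUserIdRequirement : IAuthorizationRequirement { }

public class OrgUserLinkedToUserIdHandler
    : AuthorizationHandler<OrgUserLinkedToUserIdRequirement, Guid>
{
    private readonly IOrganizationUserRepository _organizationUserRepository;

    public OrgUserLinkedToUserIdHandler(IOrganizationUserRepository repo)
        => _organizationUserRepository = repo;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OrgUserLinkedToUserIdRequirement requirement,
        Guid organizationId)
    {
        // Unauthenticated callers carry no usable subject claim: leave the requirement unmet.
        var subject = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!Guid.TryParse(subject, out var userId)) return;

        var orgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
        if (orgUser is null) return; // no row in any status: fail closed

        // A confirmed-member requirement would additionally demand
        // orgUser.Status == OrganizationUserStatus.Confirmed; this one intentionally does not.
        context.Succeed(requirement);
    }
}

// Typical use from a controller action (IAuthorizationService is the framework interface):
//   var result = await _authorizationService.AuthorizeAsync(
//       User, organizationId, new OrgUserLinkedToUserIdRequirement());
//   if (!result.Succeeded) return NotFound();
```

Because this requirement admits Invited rows, it should be applied only to endpoints an invited user legitimately needs, which is the scoping the PR's xmldoc is described as enforcing.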

@eliykat eliykat requested a review from a team as a code owner March 25, 2026 03:18
@eliykat eliykat requested a review from r-tome March 25, 2026 03:18
@github-actions
Contributor

github-actions bot commented Mar 25, 2026

Checkmarx One – Scan Summary & Details cc75e704-1c1c-4372-bde7-c323ba02f540

Great job! No new security vulnerabilities introduced in this pull request

@codecov

codecov bot commented Mar 25, 2026

Codecov Report

❌ Patch coverage is 94.73684% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 57.89%. Comparing base (15e71aa) to head (987f9e5).
⚠️ Report is 131 commits behind head on main.

Files with missing lines                               | Patch %  | Lines
...sole/Authorization/OrgUserLinkedToUserIdHandler.cs  | 94.44%   | 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##           main    #7303       +/-   ##
=========================================
+ Coverage      0   57.89%   +57.89%     
=========================================
  Files         0     2044     +2044     
  Lines         0    90068    +90068     
  Branches      0     8011     +8011     
=========================================
+ Hits          0    52148    +52148     
- Misses        0    36057    +36057     
- Partials      0     1863     +1863     

☔ View full report in Codecov by Sentry.

@eliykat eliykat added the ai-review-vnext Request a Claude code review using the vNext workflow label Mar 25, 2026
@eliykat eliykat closed this Mar 25, 2026
@eliykat eliykat reopened this Mar 25, 2026
@github-actions
Contributor

github-actions bot commented Mar 25, 2026

Overall Assessment: APPROVE

This PR fixes a regression from PR 7242 where the MemberRequirement authorization attribute on GetMasterPasswordPolicy blocked invited users who have a linked UserId due to the SSO JIT provisioning bug (PM-34092). The fix introduces a new OrgUserLinkedToUserIdRequirement that performs a direct database lookup by UserId and OrganizationId, restoring the previous behavior while following the attribute-based authorization pattern. The new handler is well-documented with clear warnings against expanding its usage, and integration tests thoroughly cover unauthenticated, non-member, confirmed member, and invited-with-linked-UserId scenarios.

Code Review Details

No findings identified. The implementation is clean, follows established authorization handler patterns in this codebase, and includes appropriate documentation marking this as a temporary workaround to be removed when PM-34092 is resolved.

@eliykat eliykat merged commit cafe4ff into main Mar 25, 2026
55 checks passed
@eliykat eliykat deleted the ac/pm-34049/sso-jit-provisioning-does-not-prompt-for-master-password branch March 25, 2026 09:27
@djsmith85 djsmith85 added the t:bugfix Change Type - Bugfix label Apr 14, 2026