diff --git a/src/Api/AdminConsole/Controllers/ProviderClientsController.cs b/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
index dfa698482679..602680b5bf86 100644
--- a/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
+++ b/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
@@ -107,6 +107,11 @@ public async Task UpdateAsync(
 return Error.NotFound();
 }
 
+ if (providerOrganization.ProviderId != provider.Id)
+ {
+ return Error.NotFound();
+ }
+
 var clientOrganization = await organizationRepository.GetByIdAsync(providerOrganization.OrganizationId);
 
 if (clientOrganization is not { Status: OrganizationStatusType.Managed })
diff --git a/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
index 259797dfb32b..5e573f6a6808 100644
--- a/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
@@ -107,6 +107,7 @@ public async Task UpdateAsync_ServiceUserMakingPurchase_Unauthorized(
 organization.Seats = 10;
 organization.Status = OrganizationStatusType.Managed;
 requestBody.AssignedSeats = 20;
+ providerOrganization.ProviderId = provider.Id;
 
 ConfigureStableProviderServiceUserInputs(provider, sutProvider);
 
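Review bot: The new ownership guard carries no comment explaining why a provider-organization that belongs to another provider gets NotFound rather than Forbidden, and that distinction is the security-relevant part of the fix: answering 404 for both a missing id and a foreign id means a caller cannot use this endpoint to confirm that a providerOrganizationId exists. Add `// A client organization owned by another provider is indistinguishable from a missing one: return NotFound (not Forbidden) so this endpoint cannot be used to probe for valid ids.` above the new if. The guard also repeats the NotFound return of the check immediately above it; if that check is a plain null test (its condition is outside the hunk), the two can be folded into `if (providerOrganization is null || providerOrganization.ProviderId != provider.Id)` so the ownership condition cannot be separated from the lookup by a later edit. Any sibling action on this controller that resolves a providerOrganizationId from the route presumably needs the same guard, which I cannot confirm from this hunk. UpdateAsync starts before and continues past the hunk.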
@@ -128,6 +129,26 @@ public async Task UpdateAsync_ServiceUserMakingPurchase_Unauthorized(
 AssertUnauthorized(result, message: "Service users cannot purchase additional seats.");
 }
 
+ [Theory, BitAutoData]
+ public async Task UpdateAsync_ProviderOrganizationBelongsToDifferentProvider_NotFound(
+ Provider provider,
+ Guid providerOrganizationId,
+ UpdateClientOrganizationRequestBody requestBody,
+ ProviderOrganization providerOrganization,
+ SutProvider sutProvider)
+ {
+ ConfigureStableProviderServiceUserInputs(provider, sutProvider);
+
+ providerOrganization.ProviderId = Guid.NewGuid();
+
+ sutProvider.GetDependency().GetByIdAsync(providerOrganizationId)
+ .Returns(providerOrganization);
+
+ var result = await sutProvider.Sut.UpdateAsync(provider.Id, providerOrganizationId, requestBody);
+
+ AssertNotFound(result);
+ }
+
 [Theory, BitAutoData]
 public async Task UpdateAsync_Ok(
 Provider provider,
@@ -141,6 +162,7 @@ public async Task UpdateAsync_Ok(
 organization.Seats = 10;
 organization.Status = OrganizationStatusType.Managed;
 requestBody.AssignedSeats = 20;
+ providerOrganization.ProviderId = provider.Id;
 
 ConfigureStableProviderServiceUserInputs(provider, sutProvider);
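Review bot: UpdateAsync_ProviderOrganizationBelongsToDifferentProvider_NotFound asserts only on the returned result, so it would still pass if the controller looked up the client organization or touched billing before returning NotFound, which is precisely the ordering the fix depends on. After `AssertNotFound(result);` add a negative interaction check on the organization repository dependency, e.g. `await sutProvider.GetDependency<IOrganizationRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(default);` (the generic arguments are stripped in this rendering, so confirm the interface name against the controller's constructor). The explicit `providerOrganization.ProviderId = Guid.NewGuid();` is also worth a one-line comment, `// BitAutoData already yields an unrelated ProviderId; set it explicitly so the mismatch is the documented subject of this test.`, since a reader may otherwise wonder whether the autodata value could collide with provider.Id. The UpdateAsync_Ok method that follows continues past the hunk.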