From fd46e388947f1f0726f49273e93e7660c9a3439c Mon Sep 17 00:00:00 2001
From: JaredScar
Date: Mon, 9 Mar 2026 14:52:32 -0400
Subject: [PATCH 1/2] fix(controller): add null check for provider organization ID in ProviderClientsController

---
 .../AdminConsole/Controllers/ProviderClientsController.cs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Api/AdminConsole/Controllers/ProviderClientsController.cs b/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
index dfa698482679..602680b5bf86 100644
--- a/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
+++ b/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
@@ -107,6 +107,11 @@ public async Task UpdateAsync(
             return Error.NotFound();
         }
 
+        if (providerOrganization.ProviderId != provider.Id)
+        {
+            return Error.NotFound();
+        }
+
         var clientOrganization = await organizationRepository.GetByIdAsync(providerOrganization.OrganizationId);
 
         if (clientOrganization is not { Status: OrganizationStatusType.Managed })

From 52e517255f91466c98ded261e2baad16bc6e411b Mon Sep 17 00:00:00 2001
From: JaredScar
Date: Mon, 9 Mar 2026 15:11:23 -0400
Subject: [PATCH 2/2] feat(tests): add test for updating provider organization with different provider ID

---
 .../ProviderClientsControllerTests.cs | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
index 259797dfb32b..5e573f6a6808 100644
--- a/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
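Review bot: The new guard in UpdateAsync is the right fix but carries no comment, so a later reader cannot tell why a mismatched ProviderId answers NotFound rather than a forbidden-style result — and that choice is the security-relevant part, since it keeps a caller scoped to one provider from learning whether a providerOrganization id exists under a different provider. A one-line comment above the check, `// The providerOrganization must belong to the calling provider; answer NotFound (not Forbidden) so ids under other providers are indistinguishable from missing ones.`, records that intent, and the commit subject's "null check" understates what the guard does (it is an ownership check). Since the preceding check (whose condition sits outside this hunk, presumably the null check) returns the same value, the two could fold into one guard, `if (providerOrganization is null || providerOrganization.ProviderId != provider.Id)`. If other actions in this controller resolve a providerOrganization by id alone, they presumably need the same ownership guard; worth confirming. UpdateAsync starts before and continues after this hunk.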
@@ -107,6 +107,7 @@ public async Task UpdateAsync_ServiceUserMakingPurchase_Unauthorized(
         organization.Seats = 10;
         organization.Status = OrganizationStatusType.Managed;
         requestBody.AssignedSeats = 20;
+        providerOrganization.ProviderId = provider.Id;
 
         ConfigureStableProviderServiceUserInputs(provider, sutProvider);
 
@@ -128,6 +129,26 @@ public async Task UpdateAsync_ServiceUserMakingPurchase_Unauthorized(
         AssertUnauthorized(result, message: "Service users cannot purchase additional seats.");
     }
 
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_ProviderOrganizationBelongsToDifferentProvider_NotFound(
+        Provider provider,
+        Guid providerOrganizationId,
+        UpdateClientOrganizationRequestBody requestBody,
+        ProviderOrganization providerOrganization,
+        SutProvider sutProvider)
+    {
+        ConfigureStableProviderServiceUserInputs(provider, sutProvider);
+
+        providerOrganization.ProviderId = Guid.NewGuid();
+
+        sutProvider.GetDependency().GetByIdAsync(providerOrganizationId)
+            .Returns(providerOrganization);
+
+        var result = await sutProvider.Sut.UpdateAsync(provider.Id, providerOrganizationId, requestBody);
+
+        AssertNotFound(result);
+    }
+
     [Theory, BitAutoData]
     public async Task UpdateAsync_Ok(
         Provider provider,
@@ -141,6 +162,7 @@ public async Task UpdateAsync_Ok(
         organization.Seats = 10;
         organization.Status = OrganizationStatusType.Managed;
         requestBody.AssignedSeats = 20;
+        providerOrganization.ProviderId = provider.Id;
 
         ConfigureStableProviderServiceUserInputs(provider, sutProvider);
 
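Review bot: UpdateAsync_ProviderOrganizationBelongsToDifferentProvider_NotFound pins the status code but not that the ownership guard short-circuits before any side effect; it stubs only the provider-organization lookup, so a regression that ran the downstream update and then still returned NotFound could pass against substitutes that return defaults. A negative interaction assertion after `AssertNotFound(result);`, on the organization repository dependency the controller injects — `await sutProvider.GetDependency<ORGANIZATION_REPOSITORY_INTERFACE>().DidNotReceiveWithAnyArgs().GetByIdAsync(default);` (interface name is a placeholder) — would prove nothing past the guard executes. The generic type arguments on `SutProvider sutProvider` and `sutProvider.GetDependency()` appear to have been stripped in this rendering of the patch; presumably they are present in the actual file. A short comment on the test, `// Ownership guard: a providerOrganization under another provider must look exactly like a missing one.`, would tie the expected NotFound to the controller's intent.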