[PM-35253] Add organization ability UseInviteLinks by r-tome · Pull Request #7489 · bitwarden/server

r-tome · 2026-04-17T13:00:26Z

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-35253

📔 Objective

Add the new organization ability UseInviteLinks across the server (schema/migrations, domain + licensing, API models, and tests).

A database data migration is included to enable UseInviteLinks for existing Enterprise organizations.

Related Pricing Service changes: https://github.com/bitwarden/billing-pricing/pull/103
Related Clients changes: bitwarden/clients#20227

… models

github-actions · 2026-04-17T13:01:16Z

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR adds the UseInviteLinks organization ability end-to-end across the server: MSSQL schema (table, stored procedures, views), EF migrations for MySQL/Postgres/SQLite, the Organization entity, licensing claims and verification, API response models, plan features, and the OrganizationAbility projection. It includes a batched MSSQL data migration (with EF equivalents) to enable the feature for existing Enterprise organizations across all historical plan types (4, 5, 10, 11, 14, 15, 19, 20), and adds integration tests validating the migration applies correctly to Enterprise plans and not to non-Enterprise plans, with idempotency coverage.

Code Review Details

No actionable findings. The implementation follows the established pattern for similar recently-added abilities (UseMyItems, UsePhishingBlocker, UseDisableSmAdsForUsers):

License hash exclusion is correctly added in OrganizationLicense.GetDataBytes alongside the other post-v15 claims, preserving backward compatibility with older license files.
VerifyData uses the HasClaim guard pattern so older licenses without the UseInviteLinks claim still validate.
The SQL data migration is batched (TOP (@BatchSize) with a self-converging UseInviteLinks = 0 predicate) and the reviewer has already validated runtime (~1 minute against backup).
Column ordering in Organization.sql was addressed in the prior review thread (now placed after ExemptFromBillingAutomation).
PlanType integer literals in the data migrations match the PlanType enum for all Enterprise variants.

…ability

github-actions · 2026-04-17T13:15:43Z

Checkmarx One – Scan Summary & Details – c1e4e971-f54f-400c-b5fd-18ebbb065304

New Issues (9)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	CSRF	src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 393	details Method at line 393 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
2	CSRF	src/Api/AdminConsole/Controllers/GroupsController.cs: 151	details Method at line 151 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
3	CSRF	src/Api/AdminConsole/Controllers/GroupsController.cs: 127	details Method at line 127 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
4	CSRF	src/Api/AdminConsole/Public/Controllers/MembersController.cs: 232	details Method at line 232 of /src/Api/AdminConsole/Public/Controllers/MembersController.cs gets a parameter from a user request from model. This parame... Attack Vector
5	CSRF	src/Api/AdminConsole/Controllers/GroupsController.cs: 275	details Method at line 275 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from orgUserId. This parameter ... Attack Vector
6	CSRF	src/Api/AdminConsole/Public/Controllers/MembersController.cs: 269	details Method at line 269 of /src/Api/AdminConsole/Public/Controllers/MembersController.cs gets a parameter from a user request from model. This parame... Attack Vector
7	CSRF	src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 167	details Method at line 167 of /src/Api/AdminConsole/Public/Controllers/GroupsController.cs gets a parameter from a user request from model. This paramet... Attack Vector
8	CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
9	CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CSRF~~	src/Api/AdminConsole/Controllers/GroupsController.cs: 275
	~~CSRF~~	src/Api/AdminConsole/Controllers/GroupsController.cs: 127
	~~CSRF~~	src/Api/AdminConsole/Controllers/GroupsController.cs: 151
	~~CSRF~~	src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 393
	~~CSRF~~	src/Api/AdminConsole/Public/Controllers/MembersController.cs: 232
	~~CSRF~~	src/Api/AdminConsole/Public/Controllers/MembersController.cs: 269
	~~CSRF~~	src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 164

codecov · 2026-04-17T13:15:57Z

Codecov Report

❌ Patch coverage is 97.29730% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 63.88%. Comparing base (27ae3d5) to head (a8a8c26).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
.../Core/AdminConsole/Services/OrganizationFactory.cs	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7489      +/-   ##
==========================================
+ Coverage   63.87%   63.88%   +0.01%     
==========================================
  Files        2088     2088              
  Lines       92350    92383      +33     
  Branches     8205     8205              
==========================================
+ Hits        58987    59019      +32     
- Misses      31337    31338       +1     
  Partials     2026     2026

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

…yIds

…ttps://github.com/bitwarden/server into ac/pm-35253/add-useinvitelinks-organization-ability

mkincaid-bw · 2026-04-17T15:17:17Z

    [UsePhishingBlocker]            BIT              NOT NULL CONSTRAINT [DF_Organization_UsePhishingBlocker] DEFAULT (0),
    [UseDisableSmAdsForUsers]       BIT              NOT NULL CONSTRAINT [DF_Organization_UseDisableSmAdsForUsers] DEFAULT (0),
    [UseMyItems]                    BIT              NOT NULL CONSTRAINT [DF_Organization_UseMyItems] DEFAULT (0),
+    [UseInviteLinks]                BIT              NOT NULL CONSTRAINT [DF_Organization_UseInviteLinks] DEFAULT (0),


❓ PR 7438 has /util/Migrator/DbScripts/2026-04-10_02_AddExemptFromBillingAutomation.sql, which adds the ExemptFromBillingAutomation column to this table. If this PR is deployed with the same release (or later) as PR 7438, the columns will be out of order. Do you know if this deployment will happen before 7438? If not, then the UseInviteLinks column should be placed after the ExemptFromBillingAutomation, and the other objects should be adjusted as well.

@mkincaid-bw well observed! I have fixed the order of the columns by putting UseInviteLinks after ExemptFromBillingAutomation

…ability

…vitelinks-organization-ability

mkincaid-bw

LGTM

mkincaid-bw · 2026-04-21T15:46:38Z

+
+WHILE @RowsAffected > 0
+    BEGIN
+        UPDATE TOP (@BatchSize) [dbo].[Organization]


Note: I tested this against a backup and it took about a minute to run.

…ability

sonarqubecloud · 2026-04-30T08:29:44Z

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
55.8% Duplication on New Code

See analysis details on SonarQube Cloud

r-tome added 7 commits April 17, 2026 13:48

Add UseInviteLinks to Organization SQL schema and views

4aafafc

Add Migrator scripts for UseInviteLinks column and data migration

030ecb8

Add EF migrations for UseInviteLinks on Organization

1756daa

Wire UseInviteLinks through organization domain and repositories

d2e0917

Add HasInviteLinks plan support and UseInviteLinks license handling

deaf859

Expose UseInviteLinks and HasInviteLinks on organization and plan API…

4e2edad

… models

Update tests for UseInviteLinks and invite-links plan feature

9a6a27e

r-tome added the ai-review-vnext Request a Claude code review using the vNext workflow label Apr 17, 2026

r-tome mentioned this pull request Apr 17, 2026

[PM-35253] Add organization ability UseInviteLinks bitwarden/clients#20227

Merged

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

fca9aaf

…ability

r-tome added 2 commits April 17, 2026 14:17

Update migration script with missing update to Organization_ReadManyB…

a35f09a

…yIds

Merge branch 'ac/pm-35253/add-useinvitelinks-organization-ability' of h…

78c1b81

…ttps://github.com/bitwarden/server into ac/pm-35253/add-useinvitelinks-organization-ability

r-tome marked this pull request as ready for review April 17, 2026 13:34

r-tome requested review from a team as code owners April 17, 2026 13:34

r-tome requested review from JimmyVo16 and amorask-bitwarden April 17, 2026 13:34

r-tome added the needs-qa label Apr 17, 2026

mkincaid-bw reviewed Apr 17, 2026

View reviewed changes

JimmyVo16 previously approved these changes Apr 17, 2026

View reviewed changes

r-tome added 3 commits April 21, 2026 13:50

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

ae6c7c2

…ability

Merge remote-tracking branch 'origin/main' into ac/pm-35253/add-usein…

9b5e5e0

…vitelinks-organization-ability

Move UseInviteLinks column after ExemptFromBillingAutomation

95ab7da

r-tome dismissed JimmyVo16’s stale review via 95ab7da April 21, 2026 13:09

r-tome requested a review from mkincaid-bw April 21, 2026 13:31

amorask-bitwarden previously approved these changes Apr 21, 2026

View reviewed changes

mkincaid-bw previously approved these changes Apr 21, 2026

View reviewed changes

r-tome added 2 commits April 22, 2026 15:19

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

3ab5864

…ability

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

2c03c9b

…ability

r-tome removed ai-review-vnext Request a Claude code review using the vNext workflow needs-qa labels Apr 28, 2026

r-tome and others added 4 commits April 28, 2026 12:48

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

738c81d

…ability

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

a0e341a

…ability

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

bb6ba64

…ability

Bump date on migration scripts

90acb7b

r-tome dismissed stale reviews from mkincaid-bw and amorask-bitwarden via 90acb7b April 29, 2026 12:11

r-tome requested review from JimmyVo16, amorask-bitwarden and mkincaid-bw April 29, 2026 14:37

JimmyVo16 approved these changes Apr 29, 2026

View reviewed changes

mkincaid-bw approved these changes Apr 29, 2026

View reviewed changes

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

5265231

…ability

amorask-bitwarden approved these changes Apr 29, 2026

View reviewed changes

Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-…

a8a8c26

…ability

r-tome merged commit 52d9a9c into main Apr 30, 2026
47 of 48 checks passed

r-tome deleted the ac/pm-35253/add-useinvitelinks-organization-ability branch April 30, 2026 09:13

claude Bot mentioned this pull request Apr 30, 2026

[PM-34387] Add organization invite link creation endpoint #7477

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PM-35253] Add organization ability UseInviteLinks#7489

[PM-35253] Add organization ability UseInviteLinks#7489
r-tome merged 21 commits intomainfrom
ac/pm-35253/add-useinvitelinks-organization-ability

r-tome commented Apr 17, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 17, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 17, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Apr 17, 2026 •

edited

Loading

Uh oh!

mkincaid-bw Apr 17, 2026

Uh oh!

r-tome Apr 21, 2026

Uh oh!

mkincaid-bw left a comment

Uh oh!

mkincaid-bw Apr 21, 2026

Uh oh!

sonarqubecloud Bot commented Apr 30, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

r-tome commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🎟️ Tracking

📔 Objective

Uh oh!

github-actions Bot commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🤖 Bitwarden Claude Code Review

Uh oh!

github-actions Bot commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

mkincaid-bw Apr 17, 2026

Choose a reason for hiding this comment

Uh oh!

r-tome Apr 21, 2026

Choose a reason for hiding this comment

Uh oh!

mkincaid-bw left a comment

Choose a reason for hiding this comment

Uh oh!

mkincaid-bw Apr 21, 2026

Choose a reason for hiding this comment

Uh oh!

sonarqubecloud Bot commented Apr 30, 2026

Quality Gate passed

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

r-tome commented Apr 17, 2026 •

edited

Loading

github-actions Bot commented Apr 17, 2026 •

edited

Loading

github-actions Bot commented Apr 17, 2026 •

edited

Loading

codecov Bot commented Apr 17, 2026 •

edited

Loading