[PM-24759] Add Method for Retrieving Policy Requirements for Multiple Users

[sven-bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-24759

📔 Objective

Following existing patterns, we want to expose a GetAsync method in the query class that supports single and collection parameters. This PR opens PolicyRequirementQuery's ability to load requirements given a list of user IDs.

We're also now delegating requests for single users to this collection-based request, unifying logic across both methods.

Tested by validating the MasterPasswordPolicyRequirement was enforced against a user upon login.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 0d228a03-8f98-4590-a788-a52c4aca1d7d

New Issues (1)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-13465	Npm-lodash-4.17.21	details Description: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetand _.omitfunctions. An attacker can pass crafted paths w... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.07%. Comparing base (ad19efc) to head (b36f775).
⚠️ Report is 24 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6876      +/-   ##
==========================================
- Coverage   59.91%   56.07%   -3.84%     
==========================================
  Files        1966     1968       +2     
  Lines       86898    86975      +77     
  Branches     7743     7749       +6     
==========================================
- Hits        52067    48774    -3293     
- Misses      32948    36395    +3447     
+ Partials     1883     1806      -77     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude finished @sven-bitwarden's task in 1m 43s —— View job

---

Code Review: PM-24759 Add Method for Retrieving Policy Requirements for Multiple Users

Reviewed commit: b36f775 (Refactor return type to include user ID)

Summary

This PR adds a collection-based GetAsync<T>(IEnumerable<Guid> userIds) method to IPolicyRequirementQuery, enabling efficient retrieval of policy requirements for multiple users in a single database call. The existing single-user method now delegates to this new implementation.

Re-Review Notes

Commit b36f775 addresses the feedback from the previous discussion about including user IDs in the return type. The return type has been changed from IEnumerable<T> to IEnumerable<(Guid UserId, T Requirement)>, allowing callers to directly match requirements to their corresponding users without relying on positional ordering.

Findings

Severity	Count
Critical	0
Important	0
Suggested	0

What I Reviewed

• Security: No concerns. Read-only query code with no sensitive data exposure.
• Correctness: Implementation is sound:
  • Properly materializes userIds.ToList() to avoid multiple enumeration
  • ToLookup gracefully handles users with no policies (returns empty grouping)
  • Output correctly pairs each user ID with their corresponding requirement
  • Use of .Single() in the single-user overload is appropriate
• Breaking Changes: None - this is an additive interface change. The method is new in this PR.
• Performance: Efficient design with single database call and O(n) grouping.
• Test Coverage: Comprehensive tests verify both the user ID and requirement are correctly returned for each user.

Verdict

✅ Approved - Clean implementation that addresses the feedback about return type usability. The tuple return type makes it straightforward for callers to match requirements to users.