bitwarden · AlexRubik · May 19, 2026 · May 19, 2026 · May 19, 2026 · May 20, 2026
@@ -141,19 +141,18 @@ public async Task<IActionResult> GetLatestOrganizationReportAsync(Guid organizat
 
         await AuthorizeAsync(organizationId);
 
-        var latestReport = await _getOrganizationReportQuery.GetLatestOrganizationReportAsync(organizationId);
+        var isAccessIntelligenceV2 = _featureService.IsEnabled(FeatureFlagKeys.AccessIntelligenceVersion2);
 
-        if (latestReport == null)
-        {
-            throw new NotFoundException();
-        }
+        var latestReport = isAccessIntelligenceV2
+            ? await _getOrganizationReportQuery.ReadLatestOrganizationReportAsync(organizationId)
+            : await _getOrganizationReportQuery.GetLatestOrganizationReportAsync(organizationId);
 
         var response = new OrganizationReportResponseModel(latestReport);
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.AccessIntelligenceVersion2))
+        if (isAccessIntelligenceV2)
         {
             var fileData = latestReport.GetReportFile();
-            if (fileData is { Validated: true })
+            if (fileData != null)
             {
                 response.ReportFileDownloadUrl = await _storageService.GetReportDataDownloadUrlAsync(latestReport, fileData);
                 response.FileUploadType = _storageService.FileUploadType;
@@ -393,7 +392,7 @@ public async Task UploadReportFileAsync(Guid organizationId, Guid reportId, [Fro
         }
 
         var fileData = report.GetReportFile();
-        if (fileData == null || fileData.Id != reportFileId)
+        if (fileData == null || fileData.Id != reportFileId || fileData.Validated)
         {
             throw new NotFoundException();
         }
@@ -449,6 +448,11 @@ public async Task<IActionResult> DownloadReportFileAsync(Guid organizationId, Gu
             throw new NotFoundException();
         }
 
+        if (_featureService.IsEnabled(FeatureFlagKeys.AccessIntelligenceVersion2) && !fileData.Validated)
+        {
+            throw new NotFoundException();
+        }
+
         var stream = await _storageService.GetReportReadStreamAsync(report, fileData);
         if (stream == null)
         {

@@ -32,6 +32,21 @@ public async Task<OrganizationReport> GetLatestOrganizationReportAsync(Guid orga
         return result;
     }
 
+    public async Task<OrganizationReport> ReadLatestOrganizationReportAsync(Guid organizationId)
+    {
+        _logger.LogInformation(Constants.BypassFiltersEventId,
+            "Reading latest validated-file organization report for organization {organizationId}",
+            organizationId);
+        var result = await _organizationReportRepo.ReadLatestByOrganizationIdAsync(organizationId);
+
+        if (result == null)
+        {
+            throw new NotFoundException($"No validated report found for organization: {organizationId}");
+        }
+
+        return result;
+    }
+
     public async Task<OrganizationReport> GetOrganizationReportAsync(Guid reportId)
     {
         _logger.LogInformation(Constants.BypassFiltersEventId, "Fetching organization reports for organization by Id: {reportId}", reportId);

@@ -6,4 +6,5 @@ public interface IGetOrganizationReportQuery
 {
     Task<OrganizationReport> GetOrganizationReportAsync(Guid organizationId);
     Task<OrganizationReport> GetLatestOrganizationReportAsync(Guid organizationId);
+    Task<OrganizationReport> ReadLatestOrganizationReportAsync(Guid organizationId);
 }
@@ -9,6 +9,7 @@ public interface IOrganizationReportRepository : IRepository<OrganizationReport,
 {
     // Whole OrganizationReport methods
     Task<OrganizationReport> GetLatestByOrganizationIdAsync(Guid organizationId);
+    Task<OrganizationReport> ReadLatestByOrganizationIdAsync(Guid organizationId);
 
     // SummaryData methods
     Task<IEnumerable<OrganizationReportSummaryDataResponse>> GetSummaryDataByDateRangeAsync(Guid organizationId, DateTime startDate, DateTime endDate);

@@ -38,6 +38,19 @@ public async Task<OrganizationReport> GetLatestByOrganizationIdAsync(Guid organi
         }
     }
 
+    public async Task<OrganizationReport> ReadLatestByOrganizationIdAsync(Guid organizationId)
+    {
+        using (var connection = new SqlConnection(ReadOnlyConnectionString))
+        {
+            var result = await connection.QuerySingleOrDefaultAsync<OrganizationReport>(
+                $"[{Schema}].[OrganizationReport_ReadLatestByOrganizationId]",
+                new { OrganizationId = organizationId },
+                commandType: CommandType.StoredProcedure);
+
+            return result;
+        }
+    }
+
     public async Task<OrganizationReport> UpdateSummaryDataAsync(Guid organizationId, Guid reportId, string summaryData)
     {
         using (var connection = new SqlConnection(ConnectionString))

@@ -27,7 +27,31 @@ public async Task<OrganizationReport> GetLatestByOrganizationIdAsync(Guid organi
         {
             var dbContext = GetDatabaseContext(scope);
             var result = await dbContext.OrganizationReports
-                .Where(p => p.OrganizationId == organizationId)
+                .Where(p => p.OrganizationId == organizationId
+                    && p.ReportData != string.Empty)
+                .OrderByDescending(p => p.RevisionDate)
+                .Take(1)
+                .FirstOrDefaultAsync();
+
+            if (result == null) return default;
+
+            return Mapper.Map<OrganizationReport>(result);
+        }
+    }
+
+    public async Task<OrganizationReport> ReadLatestByOrganizationIdAsync(Guid organizationId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            // Substring match is coupled to SetReportFile (OrganizationReport.cs) writing via
+            // JsonHelpers.IgnoreWritingNull (PascalCase, no whitespace). The Dapper/MSSQL path
+            // uses JSON_VALUE which is format-agnostic; changing the serializer options would
+            // silently return zero rows here without affecting the MSSQL path.
+            var result = await dbContext.OrganizationReports
+                .Where(p => p.OrganizationId == organizationId
+                    && p.ReportFile != null
+                    && p.ReportFile.Contains("\"Validated\":true"))
                 .OrderByDescending(p => p.RevisionDate)
                 .Take(1)
                 .FirstOrDefaultAsync();

@@ -6,7 +6,11 @@ BEGIN
 
     SELECT TOP 1
         *
-    FROM [dbo].[OrganizationReportView]
-    WHERE [OrganizationId] = @OrganizationId
-    ORDER BY [RevisionDate] DESC
+    FROM
+        [dbo].[OrganizationReportView]
+    WHERE
+        [OrganizationId] = @OrganizationId
+        AND [ReportData] <> ''
+    ORDER BY
+        [RevisionDate] DESC
 END
@@ -0,0 +1,16 @@
+CREATE PROCEDURE [dbo].[OrganizationReport_ReadLatestByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT TOP 1
+        *
+    FROM
+        [dbo].[OrganizationReportView]
+    WHERE
+        [OrganizationId] = @OrganizationId
+        AND JSON_VALUE([ReportFile], '$.Validated') = 'true'
+    ORDER BY
+        [RevisionDate] DESC
+END
@@ -15,6 +15,7 @@
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
@@ -48,7 +49,7 @@ public async Task GetLatestOrganizationReportAsync_WithValidatedFile_ReturnsOkWi
             .Returns(true);
 
         sutProvider.GetDependency<IGetOrganizationReportQuery>()
-            .GetLatestOrganizationReportAsync(orgId)
+            .ReadLatestOrganizationReportAsync(orgId)
             .Returns(expectedReport);
 
         sutProvider.GetDependency<IOrganizationReportStorageService>()
@@ -69,6 +70,77 @@ public async Task GetLatestOrganizationReportAsync_WithValidatedFile_ReturnsOkWi
         Assert.Equal(FileUploadType.Azure, response.FileUploadType);
     }
 
+    [Theory, BitAutoData]
+    public async Task GetLatestOrganizationReportAsync_FlagOn_CallsReadLatest(
+        SutProvider<OrganizationReportsController> sutProvider,
+        Guid orgId,
+        OrganizationReport expectedReport)
+    {
+        // Arrange
+        expectedReport.OrganizationId = orgId;
+        var reportFile = new ReportFile { Id = "file-id", FileName = "report.json", Size = 1024, Validated = true };
+        expectedReport.SetReportFile(reportFile);
+
+        SetupAuthorization(sutProvider, orgId);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccessIntelligenceVersion2)
+            .Returns(true);
+
+        sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .ReadLatestOrganizationReportAsync(orgId)
+            .Returns(expectedReport);
+
+        sutProvider.GetDependency<IOrganizationReportStorageService>()
+            .GetReportDataDownloadUrlAsync(expectedReport, Arg.Any<ReportFile>())
+            .Returns("https://download-url");
+
+        // Act
+        var result = await sutProvider.Sut.GetLatestOrganizationReportAsync(orgId);
+
+        // Assert
+        Assert.IsType<OkObjectResult>(result);
+        await sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .Received(1)
+            .ReadLatestOrganizationReportAsync(orgId);
+        await sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .DidNotReceive()
+            .GetLatestOrganizationReportAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetLatestOrganizationReportAsync_FlagOff_CallsGetLatest(
+        SutProvider<OrganizationReportsController> sutProvider,
+        Guid orgId,
+        OrganizationReport expectedReport)
+    {
+        // Arrange
+        expectedReport.OrganizationId = orgId;
+        expectedReport.ReportFile = null;
+
+        SetupAuthorization(sutProvider, orgId);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccessIntelligenceVersion2)
+            .Returns(false);
+
+        sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .GetLatestOrganizationReportAsync(orgId)
+            .Returns(expectedReport);
+
+        // Act
+        var result = await sutProvider.Sut.GetLatestOrganizationReportAsync(orgId);
+
+        // Assert
+        Assert.IsType<OkObjectResult>(result);
+        await sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .Received(1)
+            .GetLatestOrganizationReportAsync(orgId);
+        await sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .DidNotReceive()
+            .ReadLatestOrganizationReportAsync(Arg.Any<Guid>());
+    }
+
     [Theory, BitAutoData]
     public async Task GetLatestOrganizationReportAsync_WithNoFile_ReturnsOkWithNullDownloadUrl(
         SutProvider<OrganizationReportsController> sutProvider,
@@ -1401,6 +1473,125 @@ await sutProvider.GetDependency<ICreateOrganizationReportCommand>()
             .CreateAsync(Arg.Any<AddOrganizationReportRequest>());
     }
 
+    // DownloadReportFileAsync - validated file enforcement
+
+    [Theory, BitAutoData]
+    public async Task DownloadReportFileAsync_FlagOn_UnvalidatedFile_ThrowsNotFoundException(
+        SutProvider<OrganizationReportsController> sutProvider,
+        Guid orgId,
+        OrganizationReport report)
+    {
+        // Arrange
+        report.OrganizationId = orgId;
+        var fileData = new ReportFile { Id = "file-id", FileName = "report.json", Size = 1024, Validated = false };
+        report.SetReportFile(fileData);
+
+        SetupV2Authorization(sutProvider, orgId);
+
+        sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .GetOrganizationReportAsync(report.Id)
+            .Returns(report);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.DownloadReportFileAsync(orgId, report.Id));
+
+        await sutProvider.GetDependency<IOrganizationReportStorageService>()
+            .DidNotReceive()
+            .GetReportReadStreamAsync(Arg.Any<OrganizationReport>(), Arg.Any<ReportFile>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DownloadReportFileAsync_FlagOn_ValidatedFile_ReturnsFile(
+        SutProvider<OrganizationReportsController> sutProvider,
+        Guid orgId,
+        OrganizationReport report)
+    {
+        // Arrange
+        report.OrganizationId = orgId;
+        var fileData = new ReportFile { Id = "file-id", FileName = "report.json", Size = 1024, Validated = true };
+        report.SetReportFile(fileData);
+
+        SetupV2Authorization(sutProvider, orgId);
+
+        sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .GetOrganizationReportAsync(report.Id)
+            .Returns(report);
+
+        var stream = new MemoryStream(new byte[] { 1, 2, 3 });
+        sutProvider.GetDependency<IOrganizationReportStorageService>()
+            .GetReportReadStreamAsync(report, Arg.Any<ReportFile>())
+            .Returns(stream);
+
+        // Act
+        var result = await sutProvider.Sut.DownloadReportFileAsync(orgId, report.Id);
+
+        // Assert
+        var fileResult = Assert.IsType<FileStreamResult>(result);
+        Assert.Equal("application/octet-stream", fileResult.ContentType);
+    }
+
+    [Theory, BitAutoData]
+    public async Task DownloadReportFileAsync_FlagOff_UnvalidatedFile_ReturnsFile(
+        SutProvider<OrganizationReportsController> sutProvider,
+        Guid orgId,
+        OrganizationReport report)
+    {
+        // Arrange
+        report.OrganizationId = orgId;
+        var fileData = new ReportFile { Id = "file-id", FileName = "report.json", Size = 1024, Validated = false };
+        report.SetReportFile(fileData);
+
+        SetupAuthorization(sutProvider, orgId);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccessIntelligenceVersion2)
+            .Returns(false);
+
+        sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .GetOrganizationReportAsync(report.Id)
+            .Returns(report);
+
+        var stream = new MemoryStream(new byte[] { 1, 2, 3 });
+        sutProvider.GetDependency<IOrganizationReportStorageService>()
+            .GetReportReadStreamAsync(report, Arg.Any<ReportFile>())
+            .Returns(stream);
+
+        // Act
+        var result = await sutProvider.Sut.DownloadReportFileAsync(orgId, report.Id);
+
+        // Assert
+        Assert.IsType<FileStreamResult>(result);
+    }
+
+    // UploadReportFileAsync - re-upload guard
+
+    [Theory, BitAutoData]
+    public async Task UploadReportFileAsync_AlreadyValidated_ThrowsNotFoundException(
+        SutProvider<OrganizationReportsController> sutProvider,
+        Guid orgId,
+        OrganizationReport report)
+    {
+        // Arrange
+        report.OrganizationId = orgId;
+        var fileData = new ReportFile { Id = "file-id", FileName = "report.json", Size = 1024, Validated = true };
+        report.SetReportFile(fileData);
+
+        SetupV2Authorization(sutProvider, orgId);
+
+        sutProvider.GetDependency<IGetOrganizationReportQuery>()
+            .GetOrganizationReportAsync(report.Id)
+            .Returns(report);
+
+        var httpContext = new DefaultHttpContext();
+        httpContext.Request.ContentType = "multipart/form-data";
+        sutProvider.Sut.ControllerContext = new ControllerContext { HttpContext = httpContext };
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.UploadReportFileAsync(orgId, report.Id, "file-id"));
+    }
+
     // Helper methods for authorization mocks
 
     private static void SetupAuthorization(