From 1d26105e845abd4933fb0607b915ee48e2684d9b Mon Sep 17 00:00:00 2001
From: GareArc <garethcxy@dify.ai>
Date: Fri, 13 Feb 2026 23:01:17 -0800
Subject: [PATCH] fix: include sso_verified in access_mode validation

When duplicating apps, the access_mode is inherited from the original app.
If the original app has access_mode='sso_verified', the validation would
fail because update_app_access_mode only accepted public/private/private_all.

This adds 'sso_verified' to the allowed values to match the WebAppSettings
model documentation and prevent duplication errors.
---
 api/services/enterprise/enterprise_service.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/services/enterprise/enterprise_service.py b/api/services/enterprise/enterprise_service.py
index a5133dfcb4..00e93449e9 100644
--- a/api/services/enterprise/enterprise_service.py
+++ b/api/services/enterprise/enterprise_service.py
@@ -123,8 +123,8 @@ class EnterpriseService:
         def update_app_access_mode(cls, app_id: str, access_mode: str):
             if not app_id:
                 raise ValueError("app_id must be provided.")
-            if access_mode not in ["public", "private", "private_all"]:
-                raise ValueError("access_mode must be either 'public', 'private', or 'private_all'")
+            if access_mode not in ["public", "private", "private_all", "sso_verified"]:
+                raise ValueError("access_mode must be either 'public', 'private', 'private_all', or 'sso_verified'")
 
             data = {"appId": app_id, "accessMode": access_mode}