From e9a7e8f77fbf7f6bbc38c64543823bcd9e783461 Mon Sep 17 00:00:00 2001
From: Xiyuan Chen <52963600+GareArc@users.noreply.github.com>
Date: Fri, 13 Feb 2026 23:40:37 -0800
Subject: [PATCH] fix: include sso_verified in access_mode validation (#32325)

---
 api/services/enterprise/enterprise_service.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/api/services/enterprise/enterprise_service.py b/api/services/enterprise/enterprise_service.py
index a5133dfcb4..9930c6bf7c 100644
--- a/api/services/enterprise/enterprise_service.py
+++ b/api/services/enterprise/enterprise_service.py
@@ -4,6 +4,8 @@ from pydantic import BaseModel, Field
 
 from services.enterprise.base import EnterpriseRequest
 
+ALLOWED_ACCESS_MODES = ["public", "private", "private_all", "sso_verified"]
+
 
 class WebAppSettings(BaseModel):
     access_mode: str = Field(
@@ -123,8 +125,8 @@ class EnterpriseService:
         def update_app_access_mode(cls, app_id: str, access_mode: str):
             if not app_id:
                 raise ValueError("app_id must be provided.")
-            if access_mode not in ["public", "private", "private_all"]:
-                raise ValueError("access_mode must be either 'public', 'private', or 'private_all'")
+            if access_mode not in ALLOWED_ACCESS_MODES:
+                raise ValueError(f"access_mode must be one of: {', '.join(ALLOWED_ACCESS_MODES)}")
 
             data = {"appId": app_id, "accessMode": access_mode}