Spiegel von
https://github.com/dani-garcia/vaultwarden.git
synchronisiert 2025-02-07 11:17:02 +01:00
Prevent accepting another user invitation
Dieser Commit ist enthalten in:
Timshel
Ursprung
0b556b21b0
Commit
ae1c17aacf
1 geänderte Dateien mit 38 neuen und 37 gelöschten Zeilen
|
|
@ -1157,11 +1157,13 @@ async fn accept_invite(
|
||||||
org_id: OrganizationId,
|
org_id: OrganizationId,
|
||||||
member_id: MembershipId,
|
member_id: MembershipId,
|
||||||
data: Json<AcceptData>,
|
data: Json<AcceptData>,
|
||||||
|
headers: Headers,
|
||||||
mut conn: DbConn,
|
mut conn: DbConn,
|
||||||
) -> EmptyResult {
|
) -> EmptyResult {
|
||||||
// The web-vault passes org_id and member_id in the URL, but we are just reading them from the JWT instead
|
// The web-vault passes org_id and member_id in the URL, but we are just reading them from the JWT instead
|
||||||
let data: AcceptData = data.into_inner();
|
let data: AcceptData = data.into_inner();
|
||||||
let claims = decode_invite(&data.token)?;
|
let claims = decode_invite(&data.token)?;
|
||||||
|
let user = headers.user;
|
||||||
|
|
||||||
// If a claim does not have a member_id or it does not match the one in from the URI, something is wrong.
|
// If a claim does not have a member_id or it does not match the one in from the URI, something is wrong.
|
||||||
match &claims.member_id {
|
match &claims.member_id {
|
||||||
|
|
@ -1169,52 +1171,51 @@ async fn accept_invite(
|
||||||
_ => err!("Error accepting the invitation", "Claim does not match the member_id"),
|
_ => err!("Error accepting the invitation", "Claim does not match the member_id"),
|
||||||
}
|
}
|
||||||
|
|
||||||
match User::find_by_mail(&claims.email, &mut conn).await {
|
if user.email != claims.email {
|
||||||
Some(user) => {
|
err!("Invitation claim does not match the user")
|
||||||
Invitation::take(&claims.email, &mut conn).await;
|
}
|
||||||
|
|
||||||
if let (Some(member), Some(org)) = (&claims.member_id, &claims.org_id) {
|
Invitation::take(&claims.email, &mut conn).await;
|
||||||
let Some(mut member) = Membership::find_by_uuid_and_org(member, org, &mut conn).await else {
|
|
||||||
err!("Error accepting the invitation")
|
|
||||||
};
|
|
||||||
|
|
||||||
if member.status != MembershipStatus::Invited as i32 {
|
if let (Some(member), Some(org)) = (&claims.member_id, &claims.org_id) {
|
||||||
err!("User already accepted the invitation")
|
let Some(mut member) = Membership::find_by_uuid_and_org(member, org, &mut conn).await else {
|
||||||
}
|
err!("Error accepting the invitation")
|
||||||
|
};
|
||||||
|
|
||||||
let master_password_required = OrgPolicy::org_is_reset_password_auto_enroll(org, &mut conn).await;
|
if member.status != MembershipStatus::Invited as i32 {
|
||||||
if data.reset_password_key.is_none() && master_password_required {
|
err!("User already accepted the invitation")
|
||||||
err!("Reset password key is required, but not provided.");
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
|
let master_password_required = OrgPolicy::org_is_reset_password_auto_enroll(org, &mut conn).await;
|
||||||
// It returns different error messages per function.
|
if data.reset_password_key.is_none() && master_password_required {
|
||||||
if member.atype < MembershipType::Admin {
|
err!("Reset password key is required, but not provided.");
|
||||||
match OrgPolicy::is_user_allowed(&member.user_uuid, &org_id, false, &mut conn).await {
|
}
|
||||||
Ok(_) => {}
|
|
||||||
Err(OrgPolicyErr::TwoFactorMissing) => {
|
// This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
|
||||||
if CONFIG.email_2fa_auto_fallback() {
|
// It returns different error messages per function.
|
||||||
two_factor::email::activate_email_2fa(&user, &mut conn).await?;
|
if member.atype < MembershipType::Admin {
|
||||||
} else {
|
match OrgPolicy::is_user_allowed(&member.user_uuid, &org_id, false, &mut conn).await {
|
||||||
err!("You cannot join this organization until you enable two-step login on your user account");
|
Ok(_) => {}
|
||||||
}
|
Err(OrgPolicyErr::TwoFactorMissing) => {
|
||||||
}
|
if CONFIG.email_2fa_auto_fallback() {
|
||||||
Err(OrgPolicyErr::SingleOrgEnforced) => {
|
two_factor::email::activate_email_2fa(&user, &mut conn).await?;
|
||||||
err!("You cannot join this organization because you are a member of an organization which forbids it");
|
} else {
|
||||||
}
|
err!("You cannot join this organization until you enable two-step login on your user account");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Err(OrgPolicyErr::SingleOrgEnforced) => {
|
||||||
member.status = MembershipStatus::Accepted as i32;
|
err!("You cannot join this organization because you are a member of an organization which forbids it");
|
||||||
|
|
||||||
if master_password_required {
|
|
||||||
member.reset_password_key = data.reset_password_key;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
member.save(&mut conn).await?;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
None => err!("Invited user not found"),
|
|
||||||
|
member.status = MembershipStatus::Accepted as i32;
|
||||||
|
|
||||||
|
if master_password_required {
|
||||||
|
member.reset_password_key = data.reset_password_key;
|
||||||
|
}
|
||||||
|
|
||||||
|
member.save(&mut conn).await?;
|
||||||
}
|
}
|
||||||
|
|
||||||
if CONFIG.mail_enabled() {
|
if CONFIG.mail_enabled() {
|
||||||
|
|
|
||||||
Laden …
Tabelle hinzufügen
In neuem Issue referenzieren