From a984dbbdf3d158323dec798b0becedc3f58f6d42 Mon Sep 17 00:00:00 2001
From: Adam Jones
Date: Sat, 9 Oct 2021 13:54:30 +0100
Subject: [PATCH 1/2] 2FA org policy: do not enforce on invited (not accepted) users

---
 src/api/core/organizations.rs | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 99e68234..4348de88 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -1230,20 +1230,22 @@ fn put_policy(
         None => err!("Invalid policy type"),
     };
 
+    // If enabling the TwoFactorAuthentication policy, remove this org's members that do have 2FA
     if pol_type_enum == OrgPolicyType::TwoFactorAuthentication && data.enabled {
-        let org_list = UserOrganization::find_by_org(&org_id, &conn);
+        let org_members = UserOrganization::find_by_org(&org_id, &conn);
 
-        for user_org in org_list.into_iter() {
-            let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).is_empty();
+        for member in org_members.into_iter() {
+            let user_twofactor_disabled = TwoFactor::find_by_user(&member.user_uuid, &conn).is_empty();
 
-            if user_twofactor_disabled && user_org.atype < UserOrgType::Admin {
+            // Policy only applies to non-Owner/non-Admin members who have accepted joining the org
+            if user_twofactor_disabled && member.atype < UserOrgType::Admin && member.status != UserOrgStatus::Invited as i32 {
                 if CONFIG.mail_enabled() {
-                    let org = Organization::find_by_uuid(&user_org.org_uuid, &conn).unwrap();
-                    let user = User::find_by_uuid(&user_org.user_uuid, &conn).unwrap();
+                    let org = Organization::find_by_uuid(&member.org_uuid, &conn).unwrap();
+                    let user = User::find_by_uuid(&member.user_uuid, &conn).unwrap();
                     mail::send_2fa_removed_from_org(&user.email, &org.name)?;
                 }
-                user_org.delete(&conn)?;
+                member.delete(&conn)?;
             }
         }
     }
 

From 4cebe1fff457515c4e35790b3637c1112fc5a390 Mon Sep 17 00:00:00 2001
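Review bot: The new comment above the `if pol_type_enum == OrgPolicyType::TwoFactorAuthentication` check states the opposite of what the loop does — a member is deleted when `TwoFactor::find_by_user(&member.user_uuid, &conn).is_empty()`, i.e. when they have no 2FA configured; change it to `// If enabling the TwoFactorAuthentication policy, remove this org's members that do NOT have 2FA`. Exempting `UserOrgStatus::Invited` members keeps the policy meaningful only if the invite-acceptance path re-checks it once the user actually joins, which this hunk does not show; if that holds, say so next to the new condition, e.g. `// Invited members are re-checked against this policy when they accept`, and if it does not, an invitee could join later without 2FA. The `.unwrap()` calls on `Organization::find_by_uuid` and `User::find_by_uuid` are carried over from the old lines, but they would panic the request handler on a dangling row, and the surrounding code already uses `err!` for that kind of failure. put_policy begins and ends outside the hunk.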
From: Adam Jones
Date: Sat, 9 Oct 2021 15:42:06 +0100
Subject: [PATCH 2/2] cargo fmt

---
 src/api/core/organizations.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 4348de88..00f2ef71 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -1238,7 +1238,10 @@ fn put_policy(
             let user_twofactor_disabled = TwoFactor::find_by_user(&member.user_uuid, &conn).is_empty();
 
             // Policy only applies to non-Owner/non-Admin members who have accepted joining the org
-            if user_twofactor_disabled && member.atype < UserOrgType::Admin && member.status != UserOrgStatus::Invited as i32 {
+            if user_twofactor_disabled
+                && member.atype < UserOrgType::Admin
+                && member.status != UserOrgStatus::Invited as i32
+            {
                 if CONFIG.mail_enabled() {
                     let org = Organization::find_by_uuid(&member.org_uuid, &conn).unwrap();
                     let user = User::find_by_uuid(&member.user_uuid, &conn).unwrap();