From 0a72c4b6db4e254d7579b8dc3bb6e9e3c067947d Mon Sep 17 00:00:00 2001
From: Miroslav Prasil
Date: Sun, 16 Feb 2020 15:01:07 +0000
Subject: [PATCH 1/2] Do not disable invitations via admin API

This was brought up today: https://github.com/dani-garcia/bitwarden_rs/issues/752#issuecomment-586715073 I don't think it makes much sense in checking whether admin has the right to send invitation as admin can change the setting anyway. Removing the condition allows users to forbid regular users from inviting new users to server while still preserving the option to do so via the admin API.
---
 src/api/admin.rs | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/api/admin.rs b/src/api/admin.rs
index b3cda21d..c4fad117 100644
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -153,10 +153,6 @@ fn invite_user(data: Json, _token: AdminToken, conn: DbConn) -> Empt
 err!("User already exists")
 }

- if !CONFIG.invitations_allowed() {
- err!("Invitations are not allowed")
- }
-
 let mut user = User::new(email);
 user.save(&conn)?;

From 03233429f4475de558c58707224d1cf72aa28c42 Mon Sep 17 00:00:00 2001
From: Miro Prasil
Date: Sun, 16 Feb 2020 20:28:50 +0000
Subject: [PATCH 2/2] Remove check from Invitation:take()

I've checked the spots when `Invitation::new()` and `Invitation::take()` are used and it seems like all spots are already correctly gated. So to enable invitations via admin API even when invitations are otherwise disabled, this check can be removed.
---
 src/db/models/user.rs | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/db/models/user.rs b/src/db/models/user.rs
index 9646ae58..3a6e95d2 100644
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -319,10 +319,9 @@ impl Invitation {
 }

 pub fn take(mail: &str, conn: &DbConn) -> bool {
- CONFIG.invitations_allowed()
- && match Self::find_by_mail(mail, &conn) {
- Some(invitation) => invitation.delete(&conn).is_ok(),
- None => false,
- }
+ match Self::find_by_mail(mail, &conn) {
+ Some(invitation) => invitation.delete(&conn).is_ok(),
+ None => false,
+ }
 }
 }
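Review bot: `Invitation::take()` carries no comment recording that it no longer consults `CONFIG.invitations_allowed()`, so whether a pending invitation may be redeemed on a server with invitations disabled now depends entirely on the code that creates `Invitation` rows, none of which is visible in this hunk. The commit message states those call sites are already gated; a doc comment above `pub fn take` would keep that invariant in front of whoever adds the next caller of `Invitation::new()`, for example `/// Deletes the pending invitation for mail, if any. Does NOT check invitations_allowed(); callers that create invitations must enforce it.` It is also worth noting that `invitation.delete(&conn).is_ok()` returns `false` for a failed delete just as for a missing invitation, so a database error is indistinguishable from having no invitation. `take` is complete in the hunk, but the enclosing `impl Invitation` starts above it.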