From e4d08836e2ccc8bd4f1b926f306aa881f26a33d8 Mon Sep 17 00:00:00 2001 From: Jeremy Lin Date: Thu, 9 Apr 2020 01:51:05 -0700 Subject: [PATCH] Make org owner invitations respect the email domain whitelist This closes a loophole where org owners can invite new users from any domain. --- src/api/core/organizations.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 5c11b265..cdbaebd0 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -485,7 +485,11 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade let user = match User::find_by_mail(&email, &conn) { None => { if !CONFIG.invitations_allowed() { - err!(format!("User email does not exist: {}", email)) + err!(format!("User does not exist: {}", email)) + } + + if !CONFIG.signups_domains_whitelist().is_empty() && !CONFIG.is_email_domain_whitelisted(&email) { + err!("Email domain not eligible for invitations") } if !CONFIG.mail_enabled() { @@ -978,4 +982,4 @@ fn put_policy(org_id: String, pol_type: i32, data: Json, _headers: A policy.save(&conn)?; Ok(Json(policy.to_json())) -} \ No newline at end of file +}