Merge pull request #957 from jjlin/domain-whitelist

Domain whitelist cleanup and fixes
2025-09-11 03:05:58 +03:00 · 2020-04-18 12:08:48 +02:00
parent e3b00b59a7 86685c1cd2
commit 0de52c6c99
3 changed files with 40 additions and 15 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -68,7 +68,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
    let mut user = match User::find_by_mail(&data.Email, &conn) {
        Some(user) => {
            if !user.password_hash.is_empty() {
-                if CONFIG.signups_allowed() {
+                if CONFIG.is_signup_allowed(&data.Email) {
                    err!("User already exists")
                } else {
                    err!("Registration not allowed or user already exists")
@@ -89,14 +89,17 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
                }

                user
-            } else if CONFIG.signups_allowed() {
+            } else if CONFIG.is_signup_allowed(&data.Email) {
                err!("Account with this email already exists")
            } else {
                err!("Registration not allowed or user already exists")
            }
        }
        None => {
-            if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) || CONFIG.can_signup_user(&data.Email) {
+            // Order is important here; the invitation check must come first
+            // because the bitwarden_rs admin can invite anyone, regardless
+            // of other signup restrictions.
+            if Invitation::take(&data.Email, &conn) || CONFIG.is_signup_allowed(&data.Email) {
                User::new(data.Email.clone())
            } else {
                err!("Registration not allowed or user already exists")
@@ -371,7 +374,7 @@ fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: Db
        err!("Email already in use");
    }

-    if !CONFIG.signups_allowed() && !CONFIG.can_signup_user(&data.NewEmail) {
+    if !CONFIG.is_signup_allowed(&data.NewEmail) {
        err!("Email cannot be changed to this address");
    }

--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -485,7 +485,11 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
        let user = match User::find_by_mail(&email, &conn) {
            None => {
                if !CONFIG.invitations_allowed() {
-                    err!(format!("User email does not exist: {}", email))
+                    err!(format!("User does not exist: {}", email))
+                }
+
+                if !CONFIG.signups_domains_whitelist().is_empty() && !CONFIG.is_email_domain_whitelisted(&email) {
+                    err!("Email domain not eligible for invitations")
                }

                if !CONFIG.mail_enabled() {
@@ -978,4 +982,4 @@ fn put_policy(org_id: String, pol_type: i32, data: Json<PolicyData>, _headers: A
    policy.save(&conn)?;

    Ok(Json(policy.to_json()))
-}
+}