Fix around singleorg policy (#6247)

Co-authored-by: Timshel <timshel@users.noreply.github.com>

src/api/core/mod.rs

@@ -53,7 +53,7 @@ use crate::{
     api::{EmptyResult, JsonResult, Notify, UpdateType},
     auth::Headers,
     db::{
-        models::{Membership, MembershipStatus, MembershipType, OrgPolicy, OrgPolicyErr, Organization, User},
+        models::{Membership, MembershipStatus, OrgPolicy, Organization, User},
         DbConn,
     },
     error::Error,
@@ -269,27 +269,12 @@ async fn accept_org_invite(
         err!("User already accepted the invitation");
     }
 
-    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
-    // It returns different error messages per function.
-    if member.atype < MembershipType::Admin {
-        match OrgPolicy::is_user_allowed(&member.user_uuid, &member.org_uuid, false, conn).await {
-            Ok(_) => {}
-            Err(OrgPolicyErr::TwoFactorMissing) => {
-                if crate::CONFIG.email_2fa_auto_fallback() {
-                    two_factor::email::activate_email_2fa(user, conn).await?;
-                } else {
-                    err!("You cannot join this organization until you enable two-step login on your user account");
-                }
-            }
-            Err(OrgPolicyErr::SingleOrgEnforced) => {
-                err!("You cannot join this organization because you are a member of an organization which forbids it");
-            }
-        }
-    }
-
     member.status = MembershipStatus::Accepted as i32;
     member.reset_password_key = reset_password_key;
 
+    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
+    OrgPolicy::check_user_allowed(&member, "join", conn).await?;
+
     member.save(conn).await?;
 
     if crate::CONFIG.mail_enabled() {