feature: Support single organization policy

This adds back-end support for the [single organization policy](https://bitwarden.com/help/article/policies/#single-organization).
Adam Jones
2021-09-24 17:55:49 +02:00
parent 9930a0d752
commit d014eede9a
11 changed files with 97 additions and 13 deletions


@@ -27,7 +27,7 @@ pub enum OrgPolicyType {
TwoFactorAuthentication = 0,
MasterPassword = 1,
PasswordGenerator = 2,
// SingleOrg = 3, // Not currently supported.
SingleOrg = 3,
// RequireSso = 4, // Not currently supported.
PersonalOwnership = 5,
DisableSend = 6,
@@ -143,7 +143,7 @@ impl OrgPolicy {
}}
}
pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
pub fn find_confirmed_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
db_run! { conn: {
org_policies::table
.inner_join(
@@ -184,8 +184,8 @@ impl OrgPolicy {
/// and the user is not an owner or admin of that org. This is only useful for checking
/// applicability of policy types that have these particular semantics.
pub fn is_applicable_to_user(user_uuid: &str, policy_type: OrgPolicyType, conn: &DbConn) -> bool {
// Returns confirmed users only.
for policy in OrgPolicy::find_by_user(user_uuid, conn) {
// TODO: Should check confirmed and accepted users
for policy in OrgPolicy::find_confirmed_by_user(user_uuid, conn) {
if policy.enabled && policy.has_type(policy_type) {
let org_uuid = &policy.org_uuid;
if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, org_uuid, conn) {
@@ -201,8 +201,7 @@ impl OrgPolicy {
/// Returns true if the user belongs to an org that has enabled the `DisableHideEmail`
/// option of the `Send Options` policy, and the user is not an owner or admin of that org.
pub fn is_hide_email_disabled(user_uuid: &str, conn: &DbConn) -> bool {
// Returns confirmed users only.
for policy in OrgPolicy::find_by_user(user_uuid, conn) {
for policy in OrgPolicy::find_confirmed_by_user(user_uuid, conn) {
if policy.enabled && policy.has_type(OrgPolicyType::SendOptions) {
let org_uuid = &policy.org_uuid;
if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, org_uuid, conn) {
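Review bot: The doc comment above `pub fn is_applicable_to_user` in the third hunk still describes the check as "the user belongs to an org", but the loop now only walks `OrgPolicy::find_confirmed_by_user`, so a membership that is accepted but not yet confirmed is never evaluated against the policy; the new `// TODO: Should check confirmed and accepted users` records the gap, but the function's contract should state it so callers relying on the policy for enforcement know the scope. Suggest extending the doc comment with `/// Only confirmed memberships are considered; accepted-but-unconfirmed memberships are not yet checked (see TODO below).`, and the same confirmed-only scope applies to `is_hide_email_disabled` in the fourth hunk. Since `SingleOrg = 3` is now a live variant, any integer-to-`OrgPolicyType` conversion or exhaustive `match` elsewhere in the file has to accept it; that code is outside this view, so this is worth confirming. Both functions continue past their hunks.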


@@ -477,7 +477,7 @@ impl UserOrganization {
}}
}
pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
pub fn find_confirmed_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
db_run! { conn: {
users_organizations::table
.filter(users_organizations::user_uuid.eq(user_uuid))


@@ -185,7 +185,7 @@ use crate::error::MapResult;
/// Database methods
impl User {
pub fn to_json(&self, conn: &DbConn) -> Value {
let orgs = UserOrganization::find_by_user(&self.uuid, conn);
let orgs = UserOrganization::find_confirmed_by_user(&self.uuid, conn);
let orgs_json: Vec<Value> = orgs.iter().map(|c| c.to_json(conn)).collect();
let twofactor_enabled = !TwoFactor::find_by_user(&self.uuid, conn).is_empty();
@@ -256,7 +256,7 @@ impl User {
}
pub fn delete(self, conn: &DbConn) -> EmptyResult {
for user_org in UserOrganization::find_by_user(&self.uuid, conn) {
for user_org in UserOrganization::find_confirmed_by_user(&self.uuid, conn) {
if user_org.atype == UserOrgType::Owner {
let owner_type = UserOrgType::Owner as i32;
if UserOrganization::find_by_org_and_type(&user_org.org_uuid, owner_type, conn).len() <= 1 {
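Review bot: The last-owner guard in `delete` now only iterates `UserOrganization::find_confirmed_by_user`, so invited or accepted-but-unconfirmed `users_organizations` rows for this user are not visited by this loop; if the rename merely names a filter the old `find_by_user` already applied this is unchanged behaviour, but the removal of those other-status rows must then happen further down in `delete`, outside the hunk, and is worth confirming so a deleted user leaves no dangling membership rows. Suggest a comment on the loop making the scope explicit: `// Only confirmed memberships are checked for the last-owner guard.`. The `to_json` change in the first hunk likewise limits the profile's organization list to confirmed memberships. Both `to_json` and `delete` continue outside their hunks.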