topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

don't auto-enable signups via allowed domains list 

NOTE this is a breaking change that requires admin intervention to set
`SIGNUPS_ALLOWED=true` if you want users with a domain in the allow list
to signup.
pull/7287/head
stefan0xC 2 weeks ago
parent
d626ea81ab
commit
21eafd0dde
No known key found for this signature in database GPG Key ID: 817020C608FE9C09
2 changed files with 8 additions and 13 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      .env.template
  2. 15
      src/config.rs

6
.env.template
View File

@ -269,8 +269,10 @@
## email will be re-sent upon an attempted login.
# SIGNUPS_VERIFY_RESEND_LIMIT=6
## Controls if new users from a list of comma-separated domains can register
## even if SIGNUPS_ALLOWED is set to false
## Restrict email addresses to this list of comma-separated domains
## This allow list affects signups, invitations and email address changes.
## By default this allow list is empty, meaning no restrictions apply.
## NOTE: You can circumvent this restriction if you invite someone via the `/admin` panel.
# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
## Controls whether event logging is enabled for organizations

15
src/config.rs
View File

@ -623,7 +623,7 @@ make_config! {
signups_verify_resend_time: u64, true, def, 3_600;
/// If signups require email verification, limit how many emails are automatically sent when login is attempted (0 means no limit)
signups_verify_resend_limit: u32, true, def, 6;
/// Email domain whitelist |> Allow signups only from this list of comma-separated domains, even when signups are otherwise disabled
/// Email domain whitelist |> Restrict email addresses to this list of comma-separated domains
signups_domains_whitelist: String, true, def, String::new();
/// Enable event logging |> Enables event logging for organizations.
org_events_enabled: bool, false, def, false;
@ -1507,21 +1507,14 @@ impl Config {
/// Tests whether signup is allowed for an email address, taking into
/// account the signups_allowed and signups_domains_whitelist settings.
pub fn is_signup_allowed(&self, email: &str) -> bool {
if self.signups_domains_whitelist().is_empty() {
self.signups_allowed()
} else {
// The whitelist setting overrides the signups_allowed setting.
self.is_email_domain_allowed(email)
}
self.signups_allowed() && self.is_email_domain_allowed(email)
}
// The registration link should be hidden if
// - Signup is not allowed and email whitelist is empty unless mail is disabled and invitations are allowed
// - Signup is not allowed unless mail is disabled and invitations are allowed
// - The SSO is activated and password login is disabled.
pub fn is_signup_disabled(&self) -> bool {
(!self.signups_allowed()
&& self.signups_domains_whitelist().is_empty()
&& (self.mail_enabled() || !self.invitations_allowed()))
(!self.signups_allowed() && (self.mail_enabled() || !self.invitations_allowed()))
|| (self.sso_enabled() && self.sso_only())
}

Write Preview
Loading…
Cancel
Save