From 8bf97e6ec755a43c1d6f4604f0bbed42ca450b5f Mon Sep 17 00:00:00 2001
From: Timshel
Date: Tue, 16 Sep 2025 16:41:33 +0200
Subject: [PATCH] Review fixes
---
 src/api/admin.rs | 2 +-
 src/api/core/mod.rs | 2 +-
 src/api/core/organizations.rs | 8 ++++----
 src/db/models/org_policy.rs | 15 ++++++++-------
 .../email/send_single_org_removed_from_org.hbs | 2 +-
 .../send_single_org_removed_from_org.html.hbs | 2 +-
 6 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/src/api/admin.rs b/src/api/admin.rs
index b6cbd7f1..a24d7324 100644
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -546,7 +546,7 @@ async fn update_membership_type(data: Json, token: AdminToke
 member_to_edit.atype = new_type;
 // This check is also done at api::organizations::{accept_invite, _confirm_invite, _activate_member, edit_member}, update_membership_type
- OrgPolicy::check_user_allowed(&member_to_edit, "modify", &mut conn).await?;
+ OrgPolicy::enforce_membership_policies(&member_to_edit, "change type of", &mut conn).await?;
 log_event(
 EventType::OrganizationUserUpdated as i32,
diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs
index edb6fb10..7d0d4c12 100644
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -275,7 +275,7 @@ async fn accept_org_invite(
 member.reset_password_key = reset_password_key;
 // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
- OrgPolicy::check_user_allowed(&member, "join", conn).await?;
+ OrgPolicy::enforce_membership_policies(&member, "accept invitation of", conn).await?;
 member.save(conn).await?;
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 8e15ed49..52674e7b 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
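Review bot: The cross-reference comment above the renamed call still lists `_activate_member` and never mentions `_restore_member`, although the `@@ -2603` hunk in organizations.rs shows the same check inside `_restore_member`; the same hand-maintained list appears in the `accept_org_invite`, `_confirm_invite` and `edit_member` hunks, so all five appear stale. Since this commit already rewrites each of those call lines, it is a good moment to correct the lists, or to replace them with a pointer that cannot drift, e.g. `// Keep in sync with the other callers of OrgPolicy::enforce_membership_policies.` This line is also the only one whose list ends with a bare `update_membership_type` (the function it sits in) while the others write `admin::update_membership_type`. update_membership_type's body continues outside the hunk.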
@@ -1470,7 +1470,7 @@ async fn _confirm_invite(
 member_to_confirm.akey = key.to_string();
 // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
- OrgPolicy::check_user_allowed(&member_to_confirm, "confirm", conn).await?;
+ OrgPolicy::enforce_membership_policies(&member_to_confirm, "confirm", conn).await?;
 log_event(
 EventType::OrganizationUserConfirmed as i32,
@@ -1630,7 +1630,7 @@ async fn edit_member(
 // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
 // We need to perform the check after changing the type since `admin` is exempt.
- OrgPolicy::check_user_allowed(&member_to_edit, "modify", &mut conn).await?;
+ OrgPolicy::enforce_membership_policies(&member_to_edit, "modify", &mut conn).await?;
 // Delete all the odd collections
 for c in CollectionUser::find_by_organization_and_user_uuid(&org_id, &member_to_edit.user_uuid, &mut conn).await {
@@ -2132,7 +2132,7 @@ async fn put_policy(
 .await?;
 }
- // When enabling the SingleOrg policy, remove this org's members that are members of other orgs
+ // When enabling the SingleOrg policy, revoke the memberships of users that are members of other organizations.
 if pol_type_enum == OrgPolicyType::SingleOrg && data.enabled {
 for mut member in Membership::find_by_org(&org_id, &mut conn).await.into_iter() {
 // Policy only applies to non-Owner/non-Admin members who have accepted joining the org
@@ -2603,7 +2603,7 @@ async fn _restore_member(
 member.restore();
 // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
 // This check need to be done after restoring to work with the correct status
- OrgPolicy::check_user_allowed(&member, "restore", conn).await?;
+ OrgPolicy::enforce_membership_policies(&member, "restore", conn).await?;
 member.save(conn).await?;
 log_event(
diff --git a/src/db/models/org_policy.rs b/src/db/models/org_policy.rs
index 31e9af1c..fe95cb01 100644
--- a/src/db/models/org_policy.rs
+++ b/src/db/models/org_policy.rs
@@ -279,7 +279,7 @@ impl OrgPolicy {
 false
 }
- pub async fn check_user_allowed(m: &Membership, action: &str, conn: &mut DbConn) -> EmptyResult {
+ pub async fn enforce_membership_policies(m: &Membership, action: &str, conn: &mut DbConn) -> EmptyResult {
 if m.atype < MembershipType::Admin && m.status > (MembershipStatus::Invited as i32) {
 // Enforce TwoFactor/TwoStep login
 if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await
@@ -288,24 +288,25 @@ impl OrgPolicy {
 if CONFIG.email_2fa_auto_fallback() {
 two_factor::email::find_and_activate_email_2fa(&m.user_uuid, conn).await?;
 } else {
- err!(format!("Cannot {} because 2FA is required (membership {})", action, m.uuid));
+ err!(format!("Cannot {} member {} because 2FA is required", action, m.uuid));
 }
 }
 }
 // Check if the user is part of another Orgnization with SingleOrg activated
 if Self::is_applicable_to_user(&m.user_uuid, OrgPolicyType::SingleOrg, Some(&m.org_uuid), conn).await {
- err!(format!(
- "Cannot {} because another organization policy forbids it (membership {})",
- action, m.uuid
- ));
+ err!(format!("Cannot {} member {} because another organization policy forbids it", action, m.uuid));
 }
+ // Check if the current org has `SingleOrg` activated that we are not part of another org.
 if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::SingleOrg, conn).await {
 if p.enabled && Membership::count_accepted_and_confirmed_by_user(&m.user_uuid, &m.org_uuid, conn).await > 0 {
- err!(format!("Cannot {} because the organization policy forbids being part of other organization (membership {})", action, m.uuid));
+ err!(format!(
+ "Cannot {} member {} because the organization policy forbids being part of other organization",
+ action, m.uuid
+ ));
 }
 }
 }
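Review bot: `enforce_membership_policies` is a `pub async fn` that gates membership changes on org policies, yet the renamed signature in the `@@ -279` hunk still carries no doc comment, so a caller cannot tell from the signature that Admin-and-above types and `Invited` memberships are skipped, that `action` is only interpolated into error text, or that the 2FA branch may activate email 2FA as a side effect when `email_2fa_auto_fallback` is on. Suggest `/// Enforces the TwoFactorAuthentication and SingleOrg org policies for membership m.` / `/// Members of type Admin or above and memberships still in Invited status are exempt; with email_2fa_auto_fallback enabled the 2FA check activates email 2FA instead of failing.` / `/// action only names the attempted operation in the error message (e.g. "confirm", "restore").` The function's body continues past the end of this hunk.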
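Review bot: The comment added in the `@@ -288` hunk, `// Check if the current org has `SingleOrg` activated that we are not part of another org.`, is hard to parse; suggest `// If the current org has SingleOrg enabled, the member must not already belong to another org.` While this commit fixes the "acess" typos in the templates, the context comment above the second check still reads "Orgnization". The re-wrapped error string "forbids being part of other organization" would also read better as `forbids being part of other organizations`, matching the plural the e-mail templates use. The closing of the outer `if` is visible here but the function's end lies outside the hunk.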
diff --git a/src/static/templates/email/send_single_org_removed_from_org.hbs b/src/static/templates/email/send_single_org_removed_from_org.hbs
index 16efcdd7..5fe93902 100644
--- a/src/static/templates/email/send_single_org_removed_from_org.hbs
+++ b/src/static/templates/email/send_single_org_removed_from_org.hbs
@@ -1,4 +1,4 @@
 Your access to {{{org_name}}} has been revoked
-Your acess to the *{{org_name}}* organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
+Your access to the *{{org_name}}* organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
 {{> email/email_footer_text }}
diff --git a/src/static/templates/email/send_single_org_removed_from_org.html.hbs b/src/static/templates/email/send_single_org_removed_from_org.html.hbs
index 147476d2..39527f4e 100644
--- a/src/static/templates/email/send_single_org_removed_from_org.html.hbs
+++ b/src/static/templates/email/send_single_org_removed_from_org.html.hbs
@@ -4,7 +4,7 @@ Your access to {{{org_name}}} has been revoked
- Your acess to the {{org_name}} organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
+ Your access to the {{org_name}} organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.