
Review fixes

pull/6247/head
Timshel 3 weeks ago
parent
commit
8bf97e6ec7
  1. 2
      src/api/admin.rs
  2. 2
      src/api/core/mod.rs
  3. 8
      src/api/core/organizations.rs
  4. 15
      src/db/models/org_policy.rs
  5. 2
      src/static/templates/email/send_single_org_removed_from_org.hbs
  6. 2
      src/static/templates/email/send_single_org_removed_from_org.html.hbs

2
src/api/admin.rs

@ -546,7 +546,7 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
member_to_edit.atype = new_type;
// This check is also done at api::organizations::{accept_invite, _confirm_invite, _activate_member, edit_member}, update_membership_type
OrgPolicy::check_user_allowed(&member_to_edit, "modify", &mut conn).await?;
OrgPolicy::enforce_membership_policies(&member_to_edit, "change type of", &mut conn).await?;
log_event(
EventType::OrganizationUserUpdated as i32,

2
src/api/core/mod.rs

@ -275,7 +275,7 @@ async fn accept_org_invite(
member.reset_password_key = reset_password_key;
// This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
OrgPolicy::check_user_allowed(&member, "join", conn).await?;
OrgPolicy::enforce_membership_policies(&member, "accept invitation of", conn).await?;
member.save(conn).await?;

8
src/api/core/organizations.rs

@ -1470,7 +1470,7 @@ async fn _confirm_invite(
member_to_confirm.akey = key.to_string();
// This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
OrgPolicy::check_user_allowed(&member_to_confirm, "confirm", conn).await?;
OrgPolicy::enforce_membership_policies(&member_to_confirm, "confirm", conn).await?;
log_event(
EventType::OrganizationUserConfirmed as i32,
@ -1630,7 +1630,7 @@ async fn edit_member(
// This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
// We need to perform the check after changing the type since `admin` is exempt.
OrgPolicy::check_user_allowed(&member_to_edit, "modify", &mut conn).await?;
OrgPolicy::enforce_membership_policies(&member_to_edit, "modify", &mut conn).await?;
// Delete all the odd collections
for c in CollectionUser::find_by_organization_and_user_uuid(&org_id, &member_to_edit.user_uuid, &mut conn).await {
@ -2132,7 +2132,7 @@ async fn put_policy(
.await?;
}
// When enabling the SingleOrg policy, remove this org's members that are members of other orgs
// When enabling the SingleOrg policy, revoke the memberships of users that are members of other organizations.
if pol_type_enum == OrgPolicyType::SingleOrg && data.enabled {
for mut member in Membership::find_by_org(&org_id, &mut conn).await.into_iter() {
// Policy only applies to non-Owner/non-Admin members who have accepted joining the org
@ -2603,7 +2603,7 @@ async fn _restore_member(
member.restore();
// This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
// This check need to be done after restoring to work with the correct status
OrgPolicy::check_user_allowed(&member, "restore", conn).await?;
OrgPolicy::enforce_membership_policies(&member, "restore", conn).await?;
member.save(conn).await?;
log_event(
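Review bot: The `// This check is also done at …` cross-reference comments kept as context above the renamed calls in `_confirm_invite`, `edit_member` and `_restore_member` (and the matching ones in src/api/core/mod.rs and src/api/admin.rs) are already out of sync with the code: `_restore_member` calls `enforce_membership_policies` but is not named in any of the lists, and the list inside `accept_org_invite` names `accept_invite`. A hand-maintained caller list at every call site will keep drifting with each rename; I would replace each with a one-liner that states only the local ordering contract, e.g. `// Must run after the membership mutation above; see OrgPolicy::enforce_membership_policies.`, and keep a single list, if one is wanted at all, in the doc comment of the function itself. `_confirm_invite`, `edit_member`, `put_policy` and `_restore_member` all start outside their hunks.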

15
src/db/models/org_policy.rs

@ -279,7 +279,7 @@ impl OrgPolicy {
false
}
pub async fn check_user_allowed(m: &Membership, action: &str, conn: &mut DbConn) -> EmptyResult {
pub async fn enforce_membership_policies(m: &Membership, action: &str, conn: &mut DbConn) -> EmptyResult {
if m.atype < MembershipType::Admin && m.status > (MembershipStatus::Invited as i32) {
// Enforce TwoFactor/TwoStep login
if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await
@ -288,24 +288,25 @@ impl OrgPolicy {
if CONFIG.email_2fa_auto_fallback() {
two_factor::email::find_and_activate_email_2fa(&m.user_uuid, conn).await?;
} else {
err!(format!("Cannot {} because 2FA is required (membership {})", action, m.uuid));
err!(format!("Cannot {} member {} because 2FA is required", action, m.uuid));
}
}
}
// Check if the user is part of another Orgnization with SingleOrg activated
if Self::is_applicable_to_user(&m.user_uuid, OrgPolicyType::SingleOrg, Some(&m.org_uuid), conn).await {
err!(format!(
"Cannot {} because another organization policy forbids it (membership {})",
action, m.uuid
));
err!(format!("Cannot {} member {} because another organization policy forbids it", action, m.uuid));
}
// Check if the current org has `SingleOrg` activated that we are not part of another org.
if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::SingleOrg, conn).await {
if p.enabled
&& Membership::count_accepted_and_confirmed_by_user(&m.user_uuid, &m.org_uuid, conn).await > 0
{
err!(format!("Cannot {} because the organization policy forbids being part of other organization (membership {})", action, m.uuid));
err!(format!(
"Cannot {} member {} because the organization policy forbids being part of other organization",
action, m.uuid
));
}
}
}
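Review bot: `enforce_membership_policies` is a public function whose new name promises enforcement, but nothing documents that the whole body is skipped for members with `atype >= Admin` or a status of `Invited` or below (the guard on its first line), nor that callers must apply the status/type change before calling it — a contract the call sites currently restate in their own comments. I would add a `///` doc comment stating that guard, the two policies checked (TwoFactorAuthentication and SingleOrg, both against the membership's org and, for SingleOrg, the user's other orgs), the `Err` returned on violation with `action` and the membership uuid in the message, and that with `email_2fa_auto_fallback` enabled the function activates email 2FA for the user as a side effect. That side effect runs before the SingleOrg checks, so a call that the policy below ultimately rejects can still have persisted the 2FA activation; whether that is intended is worth stating in the doc comment either way. The function's body ends outside the hunk.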

2
src/static/templates/email/send_single_org_removed_from_org.hbs

@ -1,4 +1,4 @@
Your access to {{{org_name}}} has been revoked
<!---------------->
Your acess to the *{{org_name}}* organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
Your access to the *{{org_name}}* organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
{{> email/email_footer_text }}

2
src/static/templates/email/send_single_org_removed_from_org.html.hbs

@ -4,7 +4,7 @@ Your access to {{{org_name}}} has been revoked
<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
Your acess to the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{org_name}}</b> organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
Your access to the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{org_name}}</b> organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
</td>
</tr>
</table>
