
Fix SSO_ONLY users unable to accept org invites (#7072)

SSO_ONLY users have no master password and cannot use the email-based
invite acceptance flow. This change auto-accepts organization invitations
for SSO_ONLY users who already exist, so that they can proceed directly
to confirmation by an admin.

Fixes #7072
pull/7079/head
pmhnam 2 weeks ago
parent
commit
994ee0d374
  1. 20
      src/api/core/organizations.rs

20
src/api/core/organizations.rs

@ -1102,6 +1102,11 @@ async fn send_invite(
if !CONFIG.mail_enabled() && !user.password_hash.is_empty() { if !CONFIG.mail_enabled() && !user.password_hash.is_empty() {
member_status = MembershipStatus::Accepted as i32; member_status = MembershipStatus::Accepted as i32;
} }
// SSO_ONLY users have no master password and cannot use the email invite
// acceptance flow, so automatically accept them
if CONFIG.sso_enabled() && CONFIG.sso_only() && user.password_hash.is_empty() {
member_status = MembershipStatus::Accepted as i32;
}
user user
} }
} }
@ -1113,7 +1118,10 @@ async fn send_invite(
new_member.status = member_status; new_member.status = member_status;
new_member.save(&conn).await?; new_member.save(&conn).await?;
if CONFIG.mail_enabled() { // Only send the invite email if the member is still in the Invited state.
// SSO_ONLY users are auto-accepted above and should not receive an invite
// email with a link they cannot use.
if CONFIG.mail_enabled() && member_status == MembershipStatus::Invited as i32 {
let org_name = match Organization::find_by_uuid(&org_id, &conn).await { let org_name = match Organization::find_by_uuid(&org_id, &conn).await {
Some(org) => org.name, Some(org) => org.name,
None => err!("Error looking up organization"), None => err!("Error looking up organization"),
@ -1249,12 +1257,18 @@ async fn _reinvite_member(
err!("Invitations are not allowed.") err!("Invitations are not allowed.")
} }
if CONFIG.sso_enabled() && CONFIG.sso_only() && user.password_hash.is_empty() {
// SSO_ONLY users have no master password and cannot use the email invite
// acceptance flow, so automatically accept them
Invitation::take(&user.email, conn).await;
let mut member = member;
member.status = MembershipStatus::Accepted as i32;
member.save(conn).await?;
} else if CONFIG.mail_enabled() {
let org_name = match Organization::find_by_uuid(org_id, conn).await { let org_name = match Organization::find_by_uuid(org_id, conn).await {
Some(org) => org.name, Some(org) => org.name,
None => err!("Error looking up organization."), None => err!("Error looking up organization."),
}; };
if CONFIG.mail_enabled() {
mail::send_invite(&user, org_id.clone(), member.uuid, &org_name, Some(invited_by_email.to_string())).await?; mail::send_invite(&user, org_id.clone(), member.uuid, &org_name, Some(invited_by_email.to_string())).await?;
} else if user.password_hash.is_empty() { } else if user.password_hash.is_empty() {
let invitation = Invitation::new(&user.email); let invitation = Invitation::new(&user.email);
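Review bot: The auto-accept condition `CONFIG.sso_enabled() && CONFIG.sso_only() && user.password_hash.is_empty()`, added in send_invite and again in _reinvite_member, identifies an SSO-only account solely by an empty password hash. The unchanged `else if user.password_hash.is_empty()` branch at the end of the _reinvite_member hunk treats that same condition as "needs an `Invitation` record", which suggests an empty hash also describes accounts that were invited but never completed registration. If so, those placeholder accounts are moved to `Accepted` without the invitee acting, and in _reinvite_member their pending invitation is consumed by `Invitation::take`. Consider gating the promotion on evidence that the account has actually signed in through SSO, and keeping the predicate in one documented helper so both call sites stay in sync, e.g. `if is_sso_only_account(&user) {` (a suggested name, not existing code). Both functions start and end outside the visible hunks, so the branch that decides whether the user already exists could not be checked here.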
