From c84db0dacaa48c8fb2bec84c679d4292667d6b3a Mon Sep 17 00:00:00 2001
From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Date: Tue, 17 Jun 2025 11:15:36 +0200
Subject: [PATCH 1/2] allow signup for invited users (#5967)
invited users (e.g. via /admin panel or org invite) should be able to register if email is disabled.
---
 src/api/identity.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/api/identity.rs b/src/api/identity.rs
index 9aba23d2..6a6e52fc 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -718,7 +718,10 @@ async fn register_verification_email(
 ) -> ApiResult {
 let data = data.into_inner();
- if !CONFIG.is_signup_allowed(&data.email) {
+ // the registration can only continue if signup is allowed or there exists an invitation
+ if !(CONFIG.is_signup_allowed(&data.email)
+ || (!CONFIG.mail_enabled() && Invitation::find_by_mail(&data.email, &mut conn).await.is_some()))
+ {
 err!("Registration not allowed or user already exists")
 }
From 9059437c35e35ab8eb7d1d4716bf13eec0a4ee64 Mon Sep 17 00:00:00 2001
From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Date: Tue, 17 Jun 2025 18:55:11 +0200
Subject: [PATCH 2/2] fix account recovery withdrawal (#5968)
since `web-v2025.4.0` the client sends `""` instead of `null`, so we also have to check whether the `reset_password_key` is empty or not.
---
 src/api/core/organizations.rs | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 5b912a36..737484a1 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
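Review bot: The comment added above the new condition in register_verification_email (src/api/identity.rs) mentions only "signup is allowed or there exists an invitation" and leaves out the `!CONFIG.mail_enabled()` restriction, which is the security-relevant half of the check. On that branch the submitted address is the only thing tying the request to the invitation, so any caller who supplies an invited address passes this gate. Whether a later step binds the registration to the invitee is not visible, because the function body continues outside the hunk. I would say so in the code, for example `// Signup must be allowed, or (only while mail is disabled) an Invitation must exist for this address; the address itself is the sole proof on that path.`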
@@ -3334,13 +3334,17 @@ async fn put_reset_password_enrollment(
 let reset_request = data.into_inner();
- if reset_request.reset_password_key.is_none()
- && OrgPolicy::org_is_reset_password_auto_enroll(&org_id, &mut conn).await
- {
+ let reset_password_key = match reset_request.reset_password_key {
+ None => None,
+ Some(ref key) if key.is_empty() => None,
+ Some(key) => Some(key),
+ };
+
+ if reset_password_key.is_none() && OrgPolicy::org_is_reset_password_auto_enroll(&org_id, &mut conn).await {
 err!("Reset password can't be withdrawn due to an enterprise policy");
 }
- if reset_request.reset_password_key.is_some() {
+ if reset_password_key.is_some() {
 PasswordOrOtpData {
 master_password_hash: reset_request.master_password_hash,
 otp: reset_request.otp,
@@ -3349,7 +3353,7 @@ async fn put_reset_password_enrollment(
 .await?;
 }
- member.reset_password_key = reset_request.reset_password_key;
+ member.reset_password_key = reset_password_key;
 member.save(&mut conn).await?;
 let log_id = if member.reset_password_key.is_some() {
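Review bot: The new `match` in put_reset_password_enrollment is a hand-written `Option::filter`, and the reason an empty key counts as a withdrawal is recorded only in the commit message. `let reset_password_key = reset_request.reset_password_key.filter(|key| !key.is_empty());` gives the same result in one line, and a comment such as `// web-v2025.4.0 and later send "" instead of null to withdraw; treat an empty key as absent` keeps the reason next to the code. That comment should also note that an empty key now takes the withdrawal branch, which skips the `PasswordOrOtpData` step guarded by `is_some()` and relies on the auto-enroll policy check alone. The function starts and ends outside this hunk.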