Disable signups if SSO_ONLY is activated

3 months ago · ce5368f7d1
3 changed files with 11 additions and 8 deletions
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -218,7 +218,7 @@ fn config() -> Json<Value> {
          "url": "https://github.com/dani-garcia/vaultwarden"
        },
        "settings": {
-            "disableUserRegistration": !crate::CONFIG.signups_allowed() && crate::CONFIG.signups_domains_whitelist().is_empty(),
+            "disableUserRegistration": crate::CONFIG.is_signup_disabled(),
        },
        "environment": {
          "vault": domain,
--- a/src/api/web.rs
+++ b/src/api/web.rs
@ -58,7 +58,7 @@ fn vaultwarden_css() -> Cached<Css<String>> {
        "load_user_scss": true,
        "mail_enabled": CONFIG.mail_enabled(),
        "sends_allowed": CONFIG.sends_allowed(),
-        "signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
+        "signup_disabled": CONFIG.is_signup_disabled(),
        "sso_disabled": !CONFIG.sso_enabled(),
        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
        "yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
--- a/src/config.rs
+++ b/src/config.rs
@ -1292,6 +1292,14 @@ impl Config {
        self.update_config(builder)
    }

+    // The `signups_allowed` setting is overrided if:
+    //  - The email whitelist is not empty (will allow signups).
+    //  - The sso is activated and password login is disabled (will disable signups).
+    pub fn is_signup_disabled(&self) -> bool {
+        (!self.signups_allowed() && self.signups_domains_whitelist().is_empty())
+            || (self.sso_enabled() && self.sso_only())
+    }
+
    /// Tests whether an email's domain is allowed. A domain is allowed if it
    /// is in signups_domains_whitelist, or if no whitelist is set (so there
    /// are no domain restrictions in effect).
@ -1310,12 +1318,7 @@ impl Config {
    /// Tests whether signup is allowed for an email address, taking into
    /// account the signups_allowed and signups_domains_whitelist settings.
    pub fn is_signup_allowed(&self, email: &str) -> bool {
-        if !self.signups_domains_whitelist().is_empty() {
-            // The whitelist setting overrides the signups_allowed setting.
-            self.is_email_domain_allowed(email)
-        } else {
-            self.signups_allowed()
-        }
+        !self.is_signup_disabled() && self.is_email_domain_allowed(email)
    }

    /// Tests whether the specified user is allowed to create an organization.