1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-05-29 06:53:57 +00:00

Clean up domain whitelist logic

* Make `SIGNUPS_DOMAINS_WHITELIST` override the `SIGNUPS_ALLOWED` setting.
  Otherwise, a common pitfall is to set `SIGNUPS_DOMAINS_WHITELIST` without
  realizing that `SIGNUPS_ALLOWED=false` must also be set.

* Whitespace is now accepted in `SIGNUPS_DOMAINS_WHITELIST`. That is,
  `foo.com, bar.com` is now equivalent to `foo.com,bar.com`.

* Add validation on `SIGNUPS_DOMAINS_WHITELIST`. For example, `foo.com,`
  is rejected as containing an empty token.
This commit is contained in:
Jeremy Lin 2020-04-09 01:42:27 -07:00
parent 77f95146d6
commit c2a324e5da
2 changed files with 34 additions and 13 deletions

View file

@ -68,7 +68,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(user) => {
if !user.password_hash.is_empty() {
if CONFIG.signups_allowed() {
if CONFIG.is_signup_allowed(&data.Email) {
err!("User already exists")
} else {
err!("Registration not allowed or user already exists")
@ -89,14 +89,17 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
}
user
} else if CONFIG.signups_allowed() {
} else if CONFIG.is_signup_allowed(&data.Email) {
err!("Account with this email already exists")
} else {
err!("Registration not allowed or user already exists")
}
}
None => {
if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) || CONFIG.can_signup_user(&data.Email) {
// Order is important here; the invitation check must come first
// because the bitwarden_rs admin can invite anyone, regardless
// of other signup restrictions.
if Invitation::take(&data.Email, &conn) || CONFIG.is_signup_allowed(&data.Email) {
User::new(data.Email.clone())
} else {
err!("Registration not allowed or user already exists")
@ -371,7 +374,7 @@ fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: Db
err!("Email already in use");
}
if !CONFIG.signups_allowed() && !CONFIG.can_signup_user(&data.NewEmail) {
if !CONFIG.is_signup_allowed(&data.NewEmail) {
err!("Email cannot be changed to this address");
}