Resolves dani-garcia/bitwarden_rs#981

* a user without 2fa trying to join a 2fa org will fail, but user gets an email to enable 2fa * a user disabling 2fa will be removed from 2fa orgs; user gets an email for each org * an org enabling 2fa policy will remove users without 2fa; users get an email
2025-06-02 17:03:56 +00:00 · 2021-04-11 22:57:17 -04:00 · 2021-04-11 22:57:17 -04:00 · d75a80bd2d
commit d75a80bd2d
parent b268c3dd1c
8 changed files with 228 additions and 2 deletions
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -647,6 +647,21 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
                    err!("User already accepted the invitation")
                }

+                let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).is_empty();
+
+                let policy = OrgPolicyType::TwoFactorAuthentication as i32;
+                let org_twofactor_policy_enabled = match OrgPolicy::find_by_org_and_type(&user_org.org_uuid, policy, &conn) {
+                    Some(p) => p.enabled,
+                    None => false,
+                };
+
+                if org_twofactor_policy_enabled && user_twofactor_disabled {
+                    let org = Organization::find_by_uuid(&org, &conn).unwrap();
+                    // you haven't joined yet, but mail explains why you were unable to accept invitation
+                    mail::send_2fa_removed_from_org(&claims.email, &org.name)?;
+                    err!("Organization policy requires that you enable two Two-step Login begin joining.")
+                }
+
                user_org.status = UserOrgStatus::Accepted as i32;
                user_org.save(&conn)?;
            }
@ -996,6 +1011,24 @@ fn put_policy(org_id: String, pol_type: i32, data: Json<PolicyData>, _headers: A
        Some(pt) => pt,
        None => err!("Invalid policy type"),
    };
+       
+    if pol_type_enum == OrgPolicyType::TwoFactorAuthentication && data.enabled {
+
+        let org_list = UserOrganization::find_by_org(&org_id, &conn);
+
+        for user_org in org_list.into_iter() {
+            let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).is_empty();
+
+            if user_twofactor_disabled && user_org.atype < UserOrgType::Admin {
+
+                let org = Organization::find_by_uuid(&user_org.org_uuid, &conn).unwrap();
+                let user = User::find_by_uuid(&user_org.user_uuid, &conn).unwrap();
+
+                mail::send_2fa_removed_from_org(&user.email, &org.name)?;
+                user_org.delete(&conn)?;
+            }
+        }        
+    }

    let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) {
        Some(p) => p,