saltyming/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-07-05 03:55:02 +00:00
Code Activity

prevent wrong user from accepting invitation

Browse source
This commit is contained in:
Stefan Melmuk 2025-01-17 22:22:40 +01:00
parent 04868cca36
commit ec5679a6d1
No known key found for this signature in database
GPG key ID: 817020C608FE9C09
1 changed files with 7 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/api/core/organizations.rs
View file

@ -1125,20 +1125,23 @@ async fn accept_invite(
org_id: OrganizationId, org_id: OrganizationId,
member_id: MembershipId, member_id: MembershipId,
data: Json<AcceptData>, data: Json<AcceptData>,
headers: Headers,
mut conn: DbConn, mut conn: DbConn,
) -> EmptyResult { ) -> EmptyResult {
// The web-vault passes org_id and member_id in the URL, but we are just reading them from the JWT instead // The web-vault passes org_id and member_id in the URL, but we are just reading them from the JWT instead
let data: AcceptData = data.into_inner(); let data: AcceptData = data.into_inner();
let claims = decode_invite(&data.token)?; let claims = decode_invite(&data.token)?;
// Don't allow other users from accepting an invitation.
if !claims.email.eq(&headers.user.email) {
err!("Invitation was issued to a different account", "Claim does not match user_id")
}
// If a claim does not have a member_id or it does not match the one in from the URI, something is wrong. // If a claim does not have a member_id or it does not match the one in from the URI, something is wrong.
if !claims.member_id.eq(&member_id) { if !claims.member_id.eq(&member_id) {
err!("Error accepting the invitation", "Claim does not match the member_id") err!("Error accepting the invitation", "Claim does not match the member_id")
} }
let Some(user) = User::find_by_mail(&claims.email, &mut conn).await else {
err!("Invited user not found")
};
let member = &claims.member_id; let member = &claims.member_id;
let org = &claims.org_id; let org = &claims.org_id;
@ -1166,7 +1169,7 @@ async fn accept_invite(
Ok(_) => {} Ok(_) => {}
Err(OrgPolicyErr::TwoFactorMissing) => { Err(OrgPolicyErr::TwoFactorMissing) => {
if CONFIG.email_2fa_auto_fallback() { if CONFIG.email_2fa_auto_fallback() {
two_factor::email::activate_email_2fa(&user, &mut conn).await?; two_factor::email::activate_email_2fa(&headers.user, &mut conn).await?;
} else { } else {
err!("You cannot join this organization until you enable two-step login on your user account"); err!("You cannot join this organization until you enable two-step login on your user account");
} }