revoke only confirmed users when enforcing 2FA
we make an exception for non-confirmed users to speed up the invitation
process as they would have to be restored before they can accept their
invitation or be confirmed.

if email is enabled, invited users have to add a second factor before
they can accept the invitation to an organization with 2fa policy.

And if it is not enabled, that check is already done when the member is confirmed under the 2FA policy.
stefan0xC committed Oct 23, 2023
1 parent 93dac15 commit e0a693d
Showing 2 changed files with 12 additions and 6 deletions.
8 changes: 2 additions & 6 deletions src/api/core/two_factor/mod.rs
Expand Up @@ -210,13 +210,9 @@ pub async fn enforce_2fa_policy_for_org(
conn: &mut DbConn,
) -> EmptyResult {
let org = Organization::find_by_uuid(org_uuid, conn).await.unwrap();
for member in UserOrganization::find_by_org(org_uuid, conn).await.into_iter() {
for member in UserOrganization::find_confirmed_by_org(org_uuid, conn).await.into_iter() {
// Don't enforce the policy for Admins and Owners.
// Invited users will get an error when they try to accept the invite.
if member.atype < UserOrgType::Admin
&& member.status != UserOrgStatus::Invited as i32
&& TwoFactor::find_by_user(&member.user_uuid, conn).await.is_empty()
{
if member.atype < UserOrgType::Admin && TwoFactor::find_by_user(&member.user_uuid, conn).await.is_empty() {
if CONFIG.mail_enabled() {
let user = User::find_by_uuid(&member.user_uuid, conn).await.unwrap();
mail::send_2fa_removed_from_org(&user.email, &org.name).await?;
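Review bot: The loop now only visits members returned by `find_confirmed_by_org`, so invited, not-yet-confirmed and revoked members are never examined here, and nothing in the code says where those states are covered — the commit message explains it, but a reader of `enforce_2fa_policy_for_org` will not see that. I'd replace the comment block above the `if` with `// Only confirmed members are revoked here. Invited and not-yet-confirmed members are checked against the 2FA policy when they accept the invitation or when an admin confirms them; Admins and Owners are exempt.`, which also retires the sentence `Invited users will get an error when they try to accept the invite.` if it survives the change, since invited members no longer reach this code. The function's signature and the remainder of its body lie outside this hunk.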
10 changes: 10 additions & 0 deletions src/db/models/organization.rs
Expand Up @@ -665,6 +665,16 @@ impl UserOrganization {
}}
}

pub async fn find_confirmed_by_org(org_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
db_run! { conn: {
users_organizations::table
.filter(users_organizations::org_uuid.eq(org_uuid))
.filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
.load::<UserOrganizationDb>(conn)
.unwrap_or_default().from_db()
}}
}

pub async fn count_by_org(org_uuid: &str, conn: &mut DbConn) -> i64 {
db_run! { conn: {
users_organizations::table
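Review bot: `find_confirmed_by_org` turns a failed query into an empty `Vec` through `unwrap_or_default()`, so its caller in `enforce_2fa_policy_for_org` cannot tell "no confirmed members" from "the database query failed" and will silently revoke nobody in the latter case. The neighbouring queries appear to use the same `unwrap_or_default().from_db()` shape, so a doc comment is the minimal fix rather than changing the return type: `/// Members of the organization whose status is Confirmed.` followed by `/// A failed query yields an empty Vec, so callers cannot distinguish it from "no confirmed members".` The body is otherwise `find_by_org` plus one `.filter(...)`; if that helper is nearby, sharing the query builder would keep the two from drifting.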
