Make org owner invitations respect the email domain whitelist

This closes a loophole where org owners can invite new users from any domain.
5 years ago · e4d08836e2
parent c2a324e5da
commit e4d08836e2
1 changed files with 6 additions and 2 deletions
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -485,7 +485,11 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
        let user = match User::find_by_mail(&email, &conn) {
            None => {
                if !CONFIG.invitations_allowed() {
-                    err!(format!("User email does not exist: {}", email))
+                    err!(format!("User does not exist: {}", email))
+                }
+
+                if !CONFIG.signups_domains_whitelist().is_empty() && !CONFIG.is_email_domain_whitelisted(&email) {
+                    err!("Email domain not eligible for invitations")
                }

                if !CONFIG.mail_enabled() {
@ -978,4 +982,4 @@ fn put_policy(org_id: String, pol_type: i32, data: Json<PolicyData>, _headers: A
    policy.save(&conn)?;

    Ok(Json(policy.to_json()))
-}
+}