authorMathijs van Veluw <[email protected]>2024-10-19 18:22:21 +0200
committerGitHub <[email protected]>2024-10-19 18:22:21 +0200
commit13f4b66e6224775f194d4fc4274e7e948becb3a0 (patch)
treef1e88b9f946c8f894ef4ff93e976a82bbee8b872
parentc967d0ddc1da9a6f2f1bfa869fa27e2039b2eaac (diff)
downloadvaultwarden-13f4b66e6224775f194d4fc4274e7e948becb3a0.tar.gz
vaultwarden-13f4b66e6224775f194d4fc4274e7e948becb3a0.zip
Hide user name on invite status (#5110)
A possible user disclosure when you invite a user who already has an account on the same instance into an organization. This was because we always returned the user's name. To prevent this, this PR only returns the user's name if the status is accepted or higher; otherwise we return null. This is the same as Bitwarden does. Resolves a reported issue. Also resolves a new `nightly`-reported clippy warning regarding a regex within a loop.
-rw-r--r--src/db/models/organization.rs10
-rw-r--r--src/main.rs2
2 files changed, 10 insertions, 2 deletions
diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs
index 21c241bf..5426fff0 100644
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -232,6 +232,14 @@ impl UserOrganization {
false
}
+ /// Return the status of the user in an unrevoked state
+ pub fn get_unrevoked_status(&self) -> i32 {
+ if self.status <= UserOrgStatus::Revoked as i32 {
+ return self.status + ACTIVATE_REVOKE_DIFF;
+ }
+ self.status
+ }
+
pub fn set_external_id(&mut self, external_id: Option<String>) -> bool {
//Check if external id is empty. We don't want to have
//empty strings in the database
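Review bot: The doc comment on `get_unrevoked_status` does not state the invariant the arithmetic on the `return self.status + ACTIVATE_REVOKE_DIFF;` line depends on, namely that every revoked status value sits exactly `ACTIVATE_REVOKE_DIFF` below its active counterpart, so that adding the constant maps a revoked value back onto the active one that callers compare against. I would extend it to `/// Return the status with the revoked offset removed, so callers can compare it against the active UserOrgStatus variants. Relies on revoked values being exactly ACTIVATE_REVOKE_DIFF below their active counterpart.` `ACTIVATE_REVOKE_DIFF` and the ordering of the `UserOrgStatus` variants are defined outside this hunk, so whether the `<= UserOrgStatus::Revoked` comparison covers every revoked value cannot be confirmed from here. The `get_` prefix is also unidiomatic for a Rust accessor; `unrevoked_status` would follow the naming guidelines, though any callers outside this hunk would need updating.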
@@ -524,7 +532,7 @@ impl UserOrganization {
json!({
"id": self.uuid,
"userId": self.user_uuid,
- "name": user.name,
+ "name": if self.get_unrevoked_status() >= UserOrgStatus::Accepted as i32 { Some(user.name) } else { None },
"email": user.email,
"externalId": self.external_id,
"avatarColor": user.avatar_color,
diff --git a/src/main.rs b/src/main.rs
index a0b40a84..7e180e2e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -516,10 +516,10 @@ async fn container_data_folder_is_persistent(data_folder: &str) -> bool {
format!(" /{data_folder} ")
};
let mut lines = BufReader::new(mountinfo).lines();
+ let re = regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap();
while let Some(line) = lines.next_line().await.unwrap_or_default() {
// Only execute a regex check if we find the base match
if line.contains(&data_folder_match) {
- let re = regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap();
if re.is_match(&line) {
return false;
}
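Review bot: The hoisted `regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap()` now compiles the pattern on every call of `container_data_folder_is_persistent`, even when no line contains the base match that previously guarded it; since the pattern is a literal, a `static RE: LazyLock<Regex>` (or `OnceLock`, depending on the project's MSRV) would compile it once per process, and `expect("hard-coded regex is valid")` would state why the unwrap cannot fail. The function appears to be a one-off startup check, so the cost is negligible and this is a point of style rather than a defect. The function starts outside the hunk.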