From ec5679a6d1ef9651c01dc719c31c680dbeaa626d Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Fri, 17 Jan 2025 22:22:40 +0100 Subject: [PATCH] prevent wrong user from accepting invitation --- src/api/core/organizations.rs | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index aac9313931..efaa4ac1ca 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -1125,20 +1125,23 @@ async fn accept_invite( org_id: OrganizationId, member_id: MembershipId, data: Json, + headers: Headers, mut conn: DbConn, ) -> EmptyResult { // The web-vault passes org_id and member_id in the URL, but we are just reading them from the JWT instead let data: AcceptData = data.into_inner(); let claims = decode_invite(&data.token)?; + // Don't allow other users from accepting an invitation. + if !claims.email.eq(&headers.user.email) { + err!("Invitation was issued to a different account", "Claim does not match user_id") + } + // If a claim does not have a member_id or it does not match the one in from the URI, something is wrong. if !claims.member_id.eq(&member_id) { err!("Error accepting the invitation", "Claim does not match the member_id") } - let Some(user) = User::find_by_mail(&claims.email, &mut conn).await else { - err!("Invited user not found") - }; let member = &claims.member_id; let org = &claims.org_id; @@ -1166,7 +1169,7 @@ async fn accept_invite( Ok(_) => {} Err(OrgPolicyErr::TwoFactorMissing) => { if CONFIG.email_2fa_auto_fallback() { - two_factor::email::activate_email_2fa(&user, &mut conn).await?; + two_factor::email::activate_email_2fa(&headers.user, &mut conn).await?; } else { err!("You cannot join this organization until you enable two-step login on your user account"); }