Skip to content

Fix SSO_ONLY users unable to accept org invites (#7072) #7079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pmhnam wants to merge 1 commit into
base: main
Choose a base branch
from
+21 −7
Open

Fix SSO_ONLY users unable to accept org invites (#7072) #7079

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 21 additions & 7 deletions src/api/core/organizations.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1102,6 +1102,11 @@ async fn send_invite(
if !CONFIG.mail_enabled() && !user.password_hash.is_empty() {
member_status = MembershipStatus::Accepted as i32;
}
// SSO_ONLY users have no master password and cannot use the email invite
// acceptance flow, so automatically accept them
Comment on lines +1105 to +1106
Copy link
Copy Markdown
Collaborator

@BlackDex BlackDex Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SSO_ONLY User do have a master-password, not sure why you think this isn't the case.
I'm not sure regarding the flow though how that works. But every user still needs a master-password.

SSO In Bitwarden isn't just login.

if CONFIG.sso_enabled() && CONFIG.sso_only() && user.password_hash.is_empty() {
member_status = MembershipStatus::Accepted as i32;
}
Comment thread
pmhnam marked this conversation as resolved.
user
}
}
Expand All @@ -1113,7 +1118,10 @@ async fn send_invite(
new_member.status = member_status;
new_member.save(&conn).await?;

if CONFIG.mail_enabled() {
// Only send the invite email if the member is still in the Invited state.
// SSO_ONLY users are auto-accepted above and should not receive an invite
// email with a link they cannot use.
if CONFIG.mail_enabled() && member_status == MembershipStatus::Invited as i32 {
Comment on lines +1121 to +1124
Copy link

Copilot AI Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When member_status is force-set to Accepted (e.g., for SSO_ONLY users), the org policy checks that normally run during acceptance (OrgPolicy::check_user_allowed, see src/api/core/mod.rs:275+) are bypassed here. This can leave members in Accepted state even if 2FA/SingleOrg policies would forbid joining. Consider running OrgPolicy::check_user_allowed before persisting an Accepted status (or otherwise ensuring policies are enforced at this transition).

Copilot uses AI. Check for mistakes.
let org_name = match Organization::find_by_uuid(&org_id, &conn).await {
Some(org) => org.name,
None => err!("Error looking up organization"),
Expand Down Expand Up @@ -1249,12 +1257,18 @@ async fn _reinvite_member(
err!("Invitations are not allowed.")
}

let org_name = match Organization::find_by_uuid(org_id, conn).await {
Some(org) => org.name,
None => err!("Error looking up organization."),
};

if CONFIG.mail_enabled() {
if CONFIG.sso_enabled() && CONFIG.sso_only() && user.password_hash.is_empty() {
// SSO_ONLY users have no master password and cannot use the email invite
Copy link
Copy Markdown
Collaborator

@BlackDex BlackDex Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, this statement is not true

// acceptance flow, so automatically accept them
Invitation::take(&user.email, conn).await;
let mut member = member;
member.status = MembershipStatus::Accepted as i32;
member.save(conn).await?;
Comment on lines +1264 to +1266
Copy link

Copilot AI Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This auto-accept path sets member.status = Accepted without enforcing OrgPolicy::check_user_allowed (2FA / SingleOrg). The regular acceptance flow enforces these policies; consider applying the same check here before saving the updated membership status.

Copilot uses AI. Check for mistakes.
} else if CONFIG.mail_enabled() {
let org_name = match Organization::find_by_uuid(org_id, conn).await {
Some(org) => org.name,
None => err!("Error looking up organization."),
};
mail::send_invite(&user, org_id.clone(), member.uuid, &org_name, Some(invited_by_email.to_string())).await?;
} else if user.password_hash.is_empty() {
let invitation = Invitation::new(&user.email);
Expand Down
Loading