Disable signups if SSO_ONLY is activated

dani-garcia · Jan 3, 2025 · 7140432 · 7140432
1 parent 0ba04be
commit 7140432
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs
@@ -206,7 +206,7 @@ fn config() -> Json<Value> {
           "url": "https://github.com/dani-garcia/vaultwarden"
         },
         "settings": {
-            "disableUserRegistration": !crate::CONFIG.signups_allowed() && crate::CONFIG.signups_domains_whitelist().is_empty(),
+            "disableUserRegistration": crate::CONFIG.is_signup_disabled(),
         },
         "environment": {
           "vault": domain,

diff --git a/src/api/web.rs b/src/api/web.rs
@@ -93,7 +93,7 @@ fn vaultwarden_css() -> Cached<Css<String>> {
         "load_user_scss": true,
         "mail_enabled": CONFIG.mail_enabled(),
         "sends_allowed": CONFIG.sends_allowed(),
-        "signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
+        "signup_disabled": CONFIG.is_signup_disabled(),
         "sso_disabled": !CONFIG.sso_enabled(),
         "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
         "vw_version": *VW_VERSION,

diff --git a/src/config.rs b/src/config.rs
@@ -1292,6 +1292,14 @@ impl Config {
         self.update_config(builder)
     }
 
+    // The `signups_allowed` setting is overrided if:
+    //  - The email whitelist is not empty (will allow signups).
+    //  - The sso is activated and password login is disabled (will disable signups).
+    pub fn is_signup_disabled(&self) -> bool {
+        (!self.signups_allowed() && self.signups_domains_whitelist().is_empty())
+            || (self.sso_enabled() && self.sso_only())
+    }
+
     /// Tests whether an email's domain is allowed. A domain is allowed if it
     /// is in signups_domains_whitelist, or if no whitelist is set (so there
     /// are no domain restrictions in effect).
@@ -1310,12 +1318,7 @@ impl Config {
     /// Tests whether signup is allowed for an email address, taking into
     /// account the signups_allowed and signups_domains_whitelist settings.
     pub fn is_signup_allowed(&self, email: &str) -> bool {
-        if !self.signups_domains_whitelist().is_empty() {
-            // The whitelist setting overrides the signups_allowed setting.
-            self.is_email_domain_allowed(email)
-        } else {
-            self.signups_allowed()
-        }
+        !self.is_signup_disabled() && self.is_email_domain_allowed(email)
     }
 
     /// Tests whether the specified user is allowed to create an organization.