diff --git a/src/Api/Controllers/OrganizationsController.cs b/src/Api/Controllers/OrganizationsController.cs
index 310f3387d0..969a99d15a 100644
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@@ -4,6 +4,7 @@ using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Bit.Core.Repositories;
using Microsoft.AspNetCore.Authorization;
+using Bit.Core.Enums;
using Bit.Core.Models.Api;
using Bit.Core.Exceptions;
using Bit.Core.Services;
@@ -25,6 +26,7 @@ namespace Bit.Api.Controllers
private readonly IPaymentService _paymentService;
private readonly CurrentContext _currentContext;
private readonly GlobalSettings _globalSettings;
+ private readonly IPolicyRepository _policyRepository;
public OrganizationsController(
IOrganizationRepository organizationRepository,
@@ -33,7 +35,8 @@ namespace Bit.Api.Controllers
IUserService userService,
IPaymentService paymentService,
CurrentContext currentContext,
- GlobalSettings globalSettings)
+ GlobalSettings globalSettings,
+ IPolicyRepository policyRepository)
{
_organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository;
@@ -42,6 +45,7 @@ namespace Bit.Api.Controllers
_paymentService = paymentService;
_currentContext = currentContext;
_globalSettings = globalSettings;
+ _policyRepository = policyRepository;
}
[HttpGet("{id}")]
@@ -156,6 +160,13 @@ namespace Bit.Api.Controllers
throw new Exception("Invalid plan selected.");
}
+ var policies = await _policyRepository.GetManyByUserIdAsync(user.Id);
+ if (policies.Any(policy => policy.Type == PolicyType.OnlyOrg))
+ {
+ throw new Exception("You may not create an organization. You belong to an organization " +
+ "which has a policy that prohibits you from being a member of any other organization.");
+ }
+
var organizationSignup = model.ToOrganizationSignup(user);
var result = await _organizationService.SignUpAsync(organizationSignup);
return new OrganizationResponseModel(result.Item1);
@@ -177,6 +188,13 @@ namespace Bit.Api.Controllers
throw new BadRequestException("Invalid license");
}
+ var policies = await _policyRepository.GetManyByUserIdAsync(user.Id);
+ if (policies.Any(policy => policy.Type == PolicyType.OnlyOrg))
+ {
+ throw new Exception("You may not create an organization. You belong to an organization " +
+ "which has a policy that prohibits you from being a member of any other organization.");
+ }
+
var result = await _organizationService.SignUpAsync(license, user, model.Key, model.CollectionName);
return new OrganizationResponseModel(result.Item1);
}
diff --git a/src/Core/Enums/PolicyType.cs b/src/Core/Enums/PolicyType.cs
index ebed30b323..7735470373 100644
--- a/src/Core/Enums/PolicyType.cs
+++ b/src/Core/Enums/PolicyType.cs
@@ -4,6 +4,7 @@
{
TwoFactorAuthentication = 0,
MasterPassword = 1,
- PasswordGenerator = 2
+ PasswordGenerator = 2,
+ OnlyOrg = 3,
}
}
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs
new file mode 100644
index 0000000000..bd2e4eb946
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs
@@ -0,0 +1,9 @@
+{{#>FullHtmlLayout}}
+
+
+
+ Your user account has been removed from the {{OrganizationName}} organization because you are a part of another organization. The {{OrganizationName}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations or join with a different account.
+
+
+
+{{/FullHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs
new file mode 100644
index 0000000000..44ef628a90
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs
@@ -0,0 +1,5 @@
+{{#>BasicTextLayout}}
+Your user account has been removed from the {{OrganizationName}} organization because you are a part of another
+organization. The {{OrganizationName}} has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations, or join with a
+new account.
+{{/BasicTextLayout}}
diff --git a/src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs b/src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs
new file mode 100644
index 0000000000..d1425d00fd
--- /dev/null
+++ b/src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Models.Mail
+{
+ public class OrganizationUserRemovedForPolicyOnlyOrgViewModel : BaseMailModel
+ {
+ public string OrganizationName { get; set; }
+ }
+}
diff --git a/src/Core/Repositories/IOrganizationUserRepository.cs b/src/Core/Repositories/IOrganizationUserRepository.cs
index a911e6b5ef..6bd3abf783 100644
--- a/src/Core/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/Repositories/IOrganizationUserRepository.cs
@@ -26,5 +26,6 @@ namespace Bit.Core.Repositories
Task UpdateGroupsAsync(Guid orgUserId, IEnumerable groupIds);
Task CreateAsync(OrganizationUser obj, IEnumerable collections);
Task ReplaceAsync(OrganizationUser obj, IEnumerable collections);
+ Task> GetManyByManyUsersAsync(IEnumerable userIds);
}
}
diff --git a/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs b/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs
index bfc6a494a1..45db606312 100644
--- a/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs
+++ b/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs
@@ -231,5 +231,18 @@ namespace Bit.Core.Repositories.SqlServer
{
public DataTable Collections { get; set; }
}
+
+ public async Task> GetManyByManyUsersAsync(IEnumerable userIds)
+ {
+ using (var connection = new SqlConnection(ConnectionString))
+ {
+ var results = await connection.QueryAsync(
+ "[dbo].[OrganizationUser_ReadByUserIds]",
+ new { UserIds = userIds.ToGuidIdArrayTVP() },
+ commandType: CommandType.StoredProcedure);
+
+ return results.ToList();
+ }
+ }
}
}
diff --git a/src/Core/Resources/SharedResources.en.resx b/src/Core/Resources/SharedResources.en.resx
index 3df8e72c00..b751d85821 100644
--- a/src/Core/Resources/SharedResources.en.resx
+++ b/src/Core/Resources/SharedResources.en.resx
@@ -539,4 +539,13 @@
OIDC Redirect Behavior
+
+ Only Organization
+
+
+ Restrict users from being able to join any other organizations.
+
+
+ Organization members who are already a part of another organization will be removed from this organization and will receive an email notifying them about the change.
+
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index d4c84b39f3..9b22da00f0 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -28,5 +28,6 @@ namespace Bit.Core.Services
Task SendLicenseExpiredAsync(IEnumerable emails, string organizationName = null);
Task SendNewDeviceLoggedInEmail(string email, string deviceType, DateTime timestamp, string ip);
Task SendRecoverTwoFactorEmail(string email, DateTime timestamp, string ip);
+ Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email);
}
}
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index da5ab933a0..289153b09b 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -326,6 +326,20 @@ namespace Bit.Core.Services
await _mailDeliveryService.SendEmailAsync(message);
}
+ public async Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email)
+ {
+ var message = CreateDefaultMessage($"You have been removed from {organizationName}", email);
+ var model = new OrganizationUserRemovedForPolicyOnlyOrgViewModel
+ {
+ OrganizationName = CoreHelpers.SanitizeForEmail(organizationName),
+ WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+ SiteName = _globalSettings.SiteName
+ };
+ await AddMessageContentAsync(message, "OrganizationUserRemovedForPolicyOnlyOrg", model);
+ message.Category = "OrganizationUserRemovedForPolicyOnlyOrg";
+ await _mailDeliveryService.SendEmailAsync(message);
+ }
+
private MailMessage CreateDefaultMessage(string subject, string toEmail)
{
return CreateDefaultMessage(subject, new List { toEmail });
diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs
index 42e0da22b5..0342f66e24 100644
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@@ -1135,10 +1135,34 @@ namespace Bit.Core.Services
}
}
+ ICollection orgPolicies = null;
+ ICollection userPolicies = null;
+ async Task hasPolicyAsync(PolicyType policyType, bool useUserPolicies = false)
+ {
+ var policies = useUserPolicies ?
+ userPolicies = userPolicies ?? await _policyRepository.GetManyByUserIdAsync(user.Id) :
+ orgPolicies = orgPolicies ?? await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId);
+
+ return policies.Any(p => p.Type == policyType && p.Enabled);
+ }
+ var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+ if (userOrgs.Any(ou => ou.OrganizationId != orgUser.OrganizationId && ou.Status != OrganizationUserStatusType.Invited))
+ {
+ if (await hasPolicyAsync(PolicyType.OnlyOrg))
+ {
+ throw new BadRequestException("You may not join this organization until you leave or remove " +
+ "all other organizations.");
+ }
+ if (await hasPolicyAsync(PolicyType.OnlyOrg, true))
+ {
+ throw new BadRequestException("You cannot join this organization because you are a member of " +
+ "an organization which forbids it");
+ }
+ }
+
if (!await userService.TwoFactorIsEnabledAsync(user))
{
- var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId);
- if (policies.Any(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled))
+ if (await hasPolicyAsync(PolicyType.TwoFactorAuthentication))
{
throw new BadRequestException("You cannot join this organization until you enable " +
"two-step login on your user account.");
@@ -1185,6 +1209,16 @@ namespace Bit.Core.Services
throw new BadRequestException("User does not have two-step login enabled.");
}
+ var usingOnlyOrgPolicy = policies.Any(p => p.Type == PolicyType.OnlyOrg && p.Enabled);
+ if (usingOnlyOrgPolicy)
+ {
+ var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+ if (userOrgs.Any(ou => ou.OrganizationId != organizationId && ou.Status != OrganizationUserStatusType.Invited))
+ {
+ throw new BadRequestException("User is a member of another organization.");
+ }
+ }
+
orgUser.Status = OrganizationUserStatusType.Confirmed;
orgUser.Key = key;
orgUser.Email = null;
diff --git a/src/Core/Services/Implementations/PolicyService.cs b/src/Core/Services/Implementations/PolicyService.cs
index 8d0fb9b4dd..a9a59cdc30 100644
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@@ -1,6 +1,8 @@
using System;
+using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
+using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
@@ -53,27 +55,44 @@ namespace Bit.Core.Services
var currentPolicy = await _policyRepository.GetByIdAsync(policy.Id);
if (!currentPolicy?.Enabled ?? true)
{
- if (currentPolicy.Type == Enums.PolicyType.TwoFactorAuthentication)
+ Organization organization = null;
+ var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(
+ policy.OrganizationId);
+ var removableOrgUsers = orgUsers.Where(ou =>
+ ou.Status != Enums.OrganizationUserStatusType.Invited &&
+ ou.Type != Enums.OrganizationUserType.Owner && ou.UserId != savingUserId);
+ switch (currentPolicy.Type)
{
- Organization organization = null;
- var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(
- policy.OrganizationId);
- foreach (var orgUser in orgUsers.Where(ou =>
- ou.Status != Enums.OrganizationUserStatusType.Invited &&
- ou.Type != Enums.OrganizationUserType.Owner))
- {
- if (orgUser.UserId != savingUserId && !await userService.TwoFactorIsEnabledAsync(orgUser))
+ case Enums.PolicyType.TwoFactorAuthentication:
+ foreach (var orgUser in removableOrgUsers)
{
- if (organization == null)
+ if (!await userService.TwoFactorIsEnabledAsync(orgUser))
{
- organization = await _organizationRepository.GetByIdAsync(policy.OrganizationId);
+ organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
+ await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
+ savingUserId);
+ await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
+ organization.Name, orgUser.Email);
}
- await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
- savingUserId);
- await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
- organization.Name, orgUser.Email);
}
- }
+ break;
+ case Enums.PolicyType.OnlyOrg:
+ var userOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
+ removableOrgUsers.Select(ou => ou.UserId.Value));
+ foreach (var orgUser in removableOrgUsers)
+ {
+ if (userOrgs.Any(ou => ou.UserId == orgUser.UserId && ou.Status != OrganizationUserStatusType.Invited))
+ {
+ organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
+ await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
+ savingUserId);
+ await _mailService.SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(
+ organization.Name, orgUser.Email);
+ }
+ }
+ break;
+ default:
+ break;
}
}
}
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 0ccf7740bf..86634f4cd0 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -102,5 +102,10 @@ namespace Bit.Core.Services
{
return Task.FromResult(0);
}
+
+ public Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email)
+ {
+ return Task.FromResult(0);
+ }
}
}
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql b/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql
new file mode 100644
index 0000000000..f4acc82d88
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql
@@ -0,0 +1,18 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_ReadByUserIds]
+ @UserIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+ SET NOCOUNT ON
+
+ IF (SELECT COUNT(1) FROM @UserIds) < 1
+ BEGIN
+ RETURN(-1)
+ END
+
+ SELECT
+ *
+ FROM
+ [dbo].[OrganizationUserView]
+ WHERE
+ [UserId] IN (SELECT [Id] FROM @UserIds)
+END
diff --git a/util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql b/util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql
new file mode 100644
index 0000000000..ea7e2e51a7
--- /dev/null
+++ b/util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql
@@ -0,0 +1,25 @@
+IF OBJECT_ID('[dbo].[OrganizationUser_ReadByUserIds]') IS NOT NULL
+BEGIN
+ DROP PROCEDURE [dbo].[OrganizationUser_ReadByUserIds]
+END
+GO
+
+CREATE PROCEDURE [dbo].[OrganizationUser_ReadByUserIds]
+ @UserIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+ SET NOCOUNT ON
+
+ IF (SELECT COUNT(1) FROM @UserIds) < 1
+ BEGIN
+ RETURN(-1)
+ END
+
+ SELECT
+ *
+ FROM
+ [dbo].[OrganizationUserView]
+ WHERE
+ [UserId] IN (SELECT [Id] FROM @UserIds)
+END
+GO