
Account recovery administration not enforcing Single organization policy to be enabled. #4855

Closed
D4zed4ndC0nfused opened this issue Aug 14, 2024 · 3 comments · Fixed by #4903
Assignees
Labels
enhancement New feature or request low priority Won't fix anytime soon, but will accept PR if provided

Comments

@D4zed4ndC0nfused
Copy link

Subject of the issue

Account recovery administration is not enforcing the "Single organization" policy to be enabled. You are able to enable the "Account recovery administration" organization policy without the "Single organization" policy being enabled.

Deployment environment

  • vaultwarden version: 1.32.0
  • Install method: Docker through tag: vaultwarden/server:1.32.0
  • Clients used:
  • Reverse proxy and version: nginx
  • MySQL/MariaDB or PostgreSQL version:
  • Other relevant details:

Steps to reproduce

Enable the Account recovery administration without the Single Organization policy being enabled.

Expected behaviour

Not being able to enable it.

Actual behaviour

You can enable it.

Troubleshooting data

[image]

@louisfgr
Copy link

I mentioned this some time ago in #4113. I'm afraid that this requirement could cause some problems for users who need access to multiple organizations if those organizations don't want to give up the account recovery option.

Even though I think this requirement makes sense for Bitwarden's use case, I find it impractical for Vaultwarden.
Especially since it was recommended to use organisations before group support was introduced (#1623).

Regardless of this, the warning in the policy settings should of course be in line with reality, whether this means adjusting the functionality or the warning.

@D4zed4ndC0nfused
Copy link
Author

D4zed4ndC0nfused commented Aug 16, 2024

Not sure how I missed your earlier post about this. I apologize for this.

One concern about this setting not being enforced is that if you reset User A's password, you can gain access to other organizations which User A is also a part of. I suspect that this might be the reason for the initial setting of enforcing one organization per user with this policy.
My (possibly wrongful) impression is that organizations are supposed to be kind of independent from each other. This not being enforced kind of negates that.

@BlackDex
Copy link
Collaborator

The only way I can see to fix this issue is to add another config option which will enforce this option if wanted/needed.
Which we could make a default in a later release, for example.

@BlackDex BlackDex added enhancement New feature or request low priority Won't fix anytime soon, but will accept PR if provided labels Aug 19, 2024
BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Aug 28, 2024
Bitwarden only allows the Reset Password policy to be set when the Single Org policy is enabled already.
This PR adds a check so that this can be enforced when a config option is enabled.

Since Vaultwarden encouraged using multiple orgs when groups were not available yet, we should not enable this by default now.
This might be something to do in the future.

When enabled, it will prevent the Reset Password policy to be enabled if the Single Org policy is not enabled.
It will also prevent the Single Org policy to be disabled if the Reset Password policy is enabled.

Fixes dani-garcia#4855

Signed-off-by: BlackDex <black.dex@gmail.com>
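The two-way dependency the commit message above describes (Reset Password only while Single Org is on, Single Org not off while Reset Password is on), as an added Rust example; this is not Vaultwarden's own code, and the `enforce` flag, the type names and the error variants are assumptions:

```rust
// Added example, not Vaultwarden's implementation. Models the policy
// dependency between the Single Org and Reset Password org policies.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum OrgPolicyType {
    SingleOrg,
    ResetPassword,
}

/// Current policy state of one organization (constructed for the example).
#[derive(Clone, Copy, PartialEq, Eq, Debug, Default)]
pub struct OrgPolicies {
    pub single_org_enabled: bool,
    pub reset_password_enabled: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum PolicyError {
    ResetPasswordRequiresSingleOrg,
    SingleOrgRequiredByResetPassword,
}

/// Validate a request to turn `policy` on or off for an org.
/// `enforce` stands in for the opt-in config option the commit message adds;
/// when it is false (the default), any change is accepted, which is the
/// behaviour reported in the issue.
pub fn validate_policy_change(
    enforce: bool,
    current: OrgPolicies,
    policy: OrgPolicyType,
    enable: bool,
) -> Result<OrgPolicies, PolicyError> {
    if enforce {
        // Reset Password may only be enabled while Single Org is already on ...
        if policy == OrgPolicyType::ResetPassword && enable && !current.single_org_enabled {
            return Err(PolicyError::ResetPasswordRequiresSingleOrg);
        }
        // ... and Single Org may not be disabled while Reset Password is on.
        if policy == OrgPolicyType::SingleOrg && !enable && current.reset_password_enabled {
            return Err(PolicyError::SingleOrgRequiredByResetPassword);
        }
    }
    let mut next = current;
    match policy {
        OrgPolicyType::SingleOrg => next.single_org_enabled = enable,
        OrgPolicyType::ResetPassword => next.reset_password_enabled = enable,
    }
    Ok(next)
}
```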
@BlackDex BlackDex self-assigned this Aug 28, 2024
rkube-rvk pushed a commit to reveko/vaultwarden that referenced this issue Oct 10, 2024
* Allow enforcing Single Org with pw reset policy

Bitwarden only allows the Reset Password policy to be set when the Single Org policy is enabled already.
This PR adds a check so that this can be enforced when a config option is enabled.

Since Vaultwarden encouraged using multiple orgs when groups were not available yet, we should not enable this by default now.
This might be something to do in the future.

When enabled, it will prevent the Reset Password policy to be enabled if the Single Org policy is not enabled.
It will also prevent the Single Org policy to be disabled if the Reset Password policy is enabled.

Fixes dani-garcia#4855

Signed-off-by: BlackDex <black.dex@gmail.com>

* Removed some extra if checks

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>