[PR #6247] [MERGED] Fix around singleorg policy #3757

Closed
opened 2026-03-03 10:21:24 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6247
Author: @Timshel
Created: 8/28/2025
Status: Merged
Merged: 11/23/2025
Merged by: @dani-garcia

Base: main ← Head: fix/singleorg


📝 Commits (1)

  • 89a5790 Fix around singleorg policy

📊 Changes

8 files changed (+63 additions, -133 deletions)

📝 src/api/admin.rs (+3 -18)
📝 src/api/core/mod.rs (+4 -19)
📝 src/api/core/organizations.rs (+16 -59)
📝 src/db/models/mod.rs (+1 -1)
📝 src/db/models/org_policy.rs (+29 -31)
📝 src/db/models/organization.rs (+6 -1)
📝 src/static/templates/email/send_single_org_removed_from_org.hbs (+2 -2)
📝 src/static/templates/email/send_single_org_removed_from_org.html.hbs (+2 -2)

📄 Description

Should fix:

  • Prevent a user already in an org from joining an organization with the single org policy activated
  • When activating the single org policy, revoke the membership (as mentioned in the warning) instead of deleting it.
  • Allow restoring an invitation

Moved all the logic back to check_user_allowed instead of having to duplicate it at all call sites; might make sense to move it out, inside a mod.rs maybe?

Added the Admin and Invited membership test in check_user_allowed, which means that all membership modifications need to be done before calling the check.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
