Disable invite & password reset route for external users

Girish Ramakrishnan
2019-10-29 11:03:28 -07:00
parent f97cbb5fd5
commit 7a25187bee


@@ -479,6 +479,7 @@ function setPassword(userId, newPassword, callback) {
if (error) return callback(error);
if (settings.isDemo() && user.username === constants.DEMO_USERNAME) return callback(new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode'));
if (user.source) return callback(new BoxError(BoxError.CONFLICT, 'User is from an external directory'));
var saltBuffer = Buffer.from(user.salt, 'hex');
crypto.pbkdf2(newPassword, saltBuffer, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, CRYPTO_DIGEST, function (error, derivedKey) {
@@ -535,6 +536,8 @@ function createInvite(userId, callback) {
userdb.get(userId, function (error, userObject) {
if (error) return callback(error);
if (userObject.source) return callback(new BoxError(BoxError.CONFLICT, 'User is from an external directory'));
userObject.resetToken = hat(256);
userdb.update(userId, userObject, function (error) {
@@ -553,6 +556,7 @@ function sendInvite(userId, options, callback) {
userdb.get(userId, function (error, userObject) {
if (error) return callback(error);
if (userObject.source) return callback(new BoxError(BoxError.CONFLICT, 'User is from an external directory'));
if (!userObject.resetToken) return callback(new BoxError(BoxError.CONFLICT, 'Must generate resetToken to send invitation'));
mailer.sendInvite(userObject, options.invitor || null);
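Review bot: The new `source` guard is repeated verbatim in setPassword, createInvite and sendInvite with no comment on what a truthy `source` means, so a later code path that issues or consumes a `resetToken` can easily miss it. I would put a one-line comment above the first occurrence, e.g. `// a non-empty source means the account is managed by an external directory; passwords and invites are handled there` (assuming that is what `source` holds), or fold the check into one shared helper that all three callers use. The guards also leave any `resetToken` already stored on an external user's record in place; whether that matters depends on the token-consuming code outside these hunks, which should be confirmed to end at the setPassword guard. All three function bodies continue outside the hunks.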