diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts index c1122f04c..145b0c5e1 100644 --- a/server/db/queries/verifySessionQueries.ts +++ b/server/db/queries/verifySessionQueries.ts @@ -47,6 +47,7 @@ export type ResourceWithAuth = { headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null; applyRules: boolean; sso: boolean; + emailWhitelistEnabled: boolean; org: Org; }; @@ -222,12 +223,16 @@ export async function getResourceByDomain( const effectiveApplyRules = selectedPolicy?.applyRules ?? result.resources.applyRules; const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso; + const effectiveEmailWhitelistEnabled = + selectedPolicy?.emailWhitelistEnabled ?? + result.resources.emailWhitelistEnabled; return { resource: { ...result.resources, applyRules: effectiveApplyRules, - sso: effectiveSSO + sso: effectiveSSO, + emailWhitelistEnabled: effectiveEmailWhitelistEnabled }, // doing this for backward compatability so the remote nodes get the value as part of the resource struct pincode: effectivePolicyPincode ?? result.resourcePincode, password: effectivePolicyPassword ?? result.resourcePassword, @@ -242,6 +247,7 @@ export async function getResourceByDomain( : result.resourceHeaderAuthExtendedCompatibility, applyRules: effectiveApplyRules, sso: effectiveSSO, + emailWhitelistEnabled: effectiveEmailWhitelistEnabled, org: result.orgs }; } diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts index eecf5063a..0ed75d8d2 100644 --- a/server/private/routers/hybrid.ts +++ b/server/private/routers/hybrid.ts @@ -216,6 +216,9 @@ export type ResourceWithAuth = { password: ResourcePassword | ResourcePolicyPassword | null; headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null; headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null; + applyRules: boolean; + sso: boolean; + emailWhitelistEnabled: boolean; org: Org; }; @@ -687,12 +690,16 @@ hybridRouter.get( const effectiveApplyRules = selectedPolicy?.applyRules ?? result.resources.applyRules; const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso; + const effectiveEmailWhitelistEnabled = + selectedPolicy?.emailWhitelistEnabled ?? + result.resources.emailWhitelistEnabled; const resourceWithAuth: ResourceWithAuth = { resource: { ...result.resources, applyRules: effectiveApplyRules, - sso: effectiveSSO + sso: effectiveSSO, + emailWhitelistEnabled: effectiveEmailWhitelistEnabled }, pincode: effectivePolicyPincode ?? result.resourcePincode, password: effectivePolicyPassword ?? result.resourcePassword, @@ -706,6 +713,9 @@ hybridRouter.get( effectivePolicyHeaderAuth.extendedCompatibility } as ResourceHeaderAuthExtendedCompatibility) : result.resourceHeaderAuthExtendedCompatibility, + applyRules: effectiveApplyRules, + sso: effectiveSSO, + emailWhitelistEnabled: effectiveEmailWhitelistEnabled, org: result.orgs }; diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts index e7a358c27..1735ed558 100644 --- a/server/routers/badger/verifySession.ts +++ b/server/routers/badger/verifySession.ts @@ -146,6 +146,7 @@ export async function verifyResourceSession( headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null; applyRules: boolean; sso: boolean; + emailWhitelistEnabled: boolean; org: Org; } | undefined = localCache.get(resourceCacheKey); @@ -182,6 +183,7 @@ export async function verifyResourceSession( pincode, password, headerAuth, + emailWhitelistEnabled, headerAuthExtendedCompatibility } = resourceData; @@ -279,7 +281,7 @@ export async function verifyResourceSession( !sso && !pincode && !password && - !resource.emailWhitelistEnabled && + !emailWhitelistEnabled && !headerAuth ) { logger.debug("Resource allowed because no auth"); @@ -464,7 +466,7 @@ export async function verifyResourceSession( !sso && !pincode && !password && - !resource.emailWhitelistEnabled && + !emailWhitelistEnabled && !headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated ) { logRequestAudit( @@ -486,7 +488,7 @@ export async function verifyResourceSession( !sso && !pincode && !password && - !resource.emailWhitelistEnabled && + !emailWhitelistEnabled && !headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated ) { logRequestAudit( @@ -634,7 +636,7 @@ export async function verifyResourceSession( } if ( - resource.emailWhitelistEnabled && + emailWhitelistEnabled && (resourceSession.whitelistId || resourceSession.policyWhitelistId) ) { diff --git a/server/routers/resource/getUserResources.ts b/server/routers/resource/getUserResources.ts index 114432a73..197699a68 100644 --- a/server/routers/resource/getUserResources.ts +++ b/server/routers/resource/getUserResources.ts @@ -80,14 +80,32 @@ export async function getUserResources( const directResourcesQuery = db .select({ resourceId: userResources.resourceId }) .from(userResources) - .where(eq(userResources.userId, userId)); + .innerJoin( + resources, + eq(userResources.resourceId, resources.resourceId) + ) + .where( + and( + eq(userResources.userId, userId), + eq(resources.orgId, orgId) + ) + ); const roleResourcesQuery = userRoleIds.length > 0 ? db .select({ resourceId: roleResources.resourceId }) .from(roleResources) - .where(inArray(roleResources.roleId, userRoleIds)) + .innerJoin( + resources, + eq(roleResources.resourceId, resources.resourceId) + ) + .where( + and( + inArray(roleResources.roleId, userRoleIds), + eq(resources.orgId, orgId) + ) + ) : Promise.resolve([]); const directPolicyResourcesQuery = db @@ -97,7 +115,9 @@ export async function getUserResources( userPolicies, eq(effectiveResourcePolicyId, userPolicies.resourcePolicyId) ) - .where(eq(userPolicies.userId, userId)); + .where( + and(eq(userPolicies.userId, userId), eq(resources.orgId, orgId)) + ); const rolePolicyResourcesQuery = userRoleIds.length > 0 @@ -111,7 +131,12 @@ export async function getUserResources( rolePolicies.resourcePolicyId ) ) - .where(inArray(rolePolicies.roleId, userRoleIds)) + .where( + and( + inArray(rolePolicies.roleId, userRoleIds), + eq(resources.orgId, orgId) + ) + ) : Promise.resolve([]); const directSiteResourcesQuery = db