On our Vaultwarden instance we have new signups disabled, but have a domain whitelist in place, so that people belonging to our organization can self-signup. This is great and works as expected!
On the other hand, sometimes it is necessary for admins to invite new users with an e-mail address that is not on that whitelist, where it is not feasible to add it to the whitelist, e.g. gmail.com.
So in summary: currently the SIGNUPS_DOMAINS_WHITELIST also blocks outgoing invites when the email address is not on that whitelist. I would argue for changing this behavior so that invites always go through, regardless of the domain restrictions for self-signup.
That kind of defeats the purpose of what you are suggesting there, because it would also open up anyone with manager access or above to invite anyone.
If you really need to invite someone outside of the currently allowed whitelist, I suggest inviting them via the /admin interface first, letting them create an account, and after that you can invite them into the organization. That way it will not check the whitelist.
But what if that is exactly what I want? I don’t want everyone to be able to register (except for users from the allowed domains) but I still want my friends and family to be able to invite someone else using other domains?
If I understand correctly, the only way to achieve this use case is, instead of whitelisting the domain, to make registration invite-only (i.e. SIGNUPS_ALLOWED=false, INVITATIONS_ALLOWED=true) and invite all my domain users manually?
Yes, that’s what you would have to do. Vaultwarden already has quite a lot of options, perhaps too many, and I don’t think it’s worth it to add another one to support what seems to be a pretty niche use case.
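The two configurations discussed in this thread, side by side, as an added docker-compose fragment (not from the Vaultwarden project or any poster here). The whitelist variant is the original setup; the invite-only variant is the workaround described in the thread, with ADMIN_TOKEN set because inviting users through /admin requires it. The domain, paths and the token placeholder are assumptions.

```yaml
# Constructed example: two ways to run Vaultwarden's signup policy.
# Only one of the two service definitions would be used in practice.
services:
  # Variant A: self-signup restricted to organization domains.
  # Invites to addresses outside the whitelist are also rejected,
  # which is the behavior the thread complains about.
  vaultwarden-whitelist:
    image: vaultwarden/server:latest
    environment:
      DOMAIN: "https://vault.example.org"          # assumed hostname
      SIGNUPS_ALLOWED: "false"                     # no open registration
      SIGNUPS_DOMAINS_WHITELIST: "example.org,corp.example.org"  # comma-separated
      INVITATIONS_ALLOWED: "true"
    volumes:
      - ./vw-data:/data

  # Variant B: invite-only. No domain whitelist; every account, including
  # organization members, is created by an admin invite via /admin.
  # ADMIN_TOKEN must be set or the /admin interface is disabled.
  vaultwarden-invite-only:
    image: vaultwarden/server:latest
    environment:
      DOMAIN: "https://vault.example.org"          # assumed hostname
      SIGNUPS_ALLOWED: "false"                     # no open registration
      INVITATIONS_ALLOWED: "true"                  # invited users may register
      ADMIN_TOKEN: "REPLACE_WITH_A_LONG_RANDOM_SECRET"  # placeholder, keep secret
    volumes:
      - ./vw-data:/data
```

With variant B, the whitelist check never applies, so an admin can invite a gmail.com address; the trade-off is that every organization member must also be invited by hand rather than self-registering.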