feat(core): Prevent non owners password reset when saml is enabled (#5788)

* prevent non owners from pw reset when saml is enabled

* improve tests

* change error type

packages/cli/src/controllers/passwordReset.controller.ts

@@ -7,6 +7,7 @@ import {
 	BadRequestError,
 	InternalServerError,
 	NotFoundError,
+	UnauthorizedError,
 	UnprocessableRequestError,
 } from '@/ResponseHelper';
 import {
@@ -24,6 +25,7 @@ import { PasswordResetRequest } from '@/requests';
 import type { IDatabaseCollections, IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
 import { issueCookie } from '@/auth/jwt';
 import { isLdapEnabled } from '@/Ldap/helpers';
+import { isSamlCurrentAuthenticationMethod } from '../sso/ssoHelpers';
 
 @RestController()
 export class PasswordResetController {
@@ -100,9 +102,18 @@ export class PasswordResetController {
 				email,
 				password: Not(IsNull()),
 			},
-			relations: ['authIdentities'],
+			relations: ['authIdentities', 'globalRole'],
 		});
 
+		if (isSamlCurrentAuthenticationMethod() && user?.globalRole.name !== 'owner') {
+			this.logger.debug(
+				'Request to send password reset email failed because login is handled by SAML',
+			);
+			throw new UnauthorizedError(
+				'Login is handled by SAML. Please contact your Identity Provider to reset your password.',
+			);
+		}
+
 		const ldapIdentity = user?.authIdentities?.find((i) => i.providerType === 'ldap');
 
 		if (!user?.password || (ldapIdentity && user.disabled)) {