feat(core): Prevent non owners password reset when saml is enabled (#5788)

* prevent non owners from pw reset when saml is enabled

* improve tests

* change error type

packages/cli/test/integration/passwordReset.api.test.ts

@@ -14,6 +14,7 @@ import {
 	randomValidPassword,
 } from './shared/random';
 import * as testDb from './shared/testDb';
+import { setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
 
 jest.mock('@/UserManagement/email/NodeMailer');
 
@@ -74,6 +75,35 @@ describe('POST /forgot-password', () => {
 		expect(storedOwner.resetPasswordToken).toBeNull();
 	});
 
+	test('should fail if SAML is authentication method', async () => {
+		await setCurrentAuthenticationMethod('saml');
+		config.set('userManagement.emails.mode', 'smtp');
+		const member = await testDb.createUser({
+			email: 'test@test.com',
+			globalRole: globalMemberRole,
+		});
+
+		await authlessAgent.post('/forgot-password').send({ email: member.email }).expect(403);
+
+		const storedOwner = await Db.collections.User.findOneByOrFail({ email: member.email });
+		expect(storedOwner.resetPasswordToken).toBeNull();
+		await setCurrentAuthenticationMethod('email');
+	});
+
+	test('should succeed if SAML is authentication method and requestor is owner', async () => {
+		await setCurrentAuthenticationMethod('saml');
+		config.set('userManagement.emails.mode', 'smtp');
+
+		const response = await authlessAgent.post('/forgot-password').send({ email: owner.email });
+
+		expect(response.statusCode).toBe(200);
+		expect(response.body).toEqual({});
+
+		const storedOwner = await Db.collections.User.findOneByOrFail({ email: owner.email });
+		expect(storedOwner.resetPasswordToken).not.toBeNull();
+		await setCurrentAuthenticationMethod('email');
+	});
+
 	test('should fail with invalid inputs', async () => {
 		config.set('userManagement.emails.mode', 'smtp');