feat(core): Limit user changes when saml is enabled (#5577)

* consolidate SSO settings * update saml settings * fix type error * limit user changes when saml is enabled * add test
2025-12-16 17:46:45 +00:00 · 2023-03-03 10:05:30 +01:00
parent a91b631411
commit b5179597f3
5 changed files with 116 additions and 3 deletions
--- a/packages/cli/src/controllers/me.controller.ts
+++ b/packages/cli/src/controllers/me.controller.ts
@@ -22,6 +22,7 @@ import type {
 	IInternalHooksClass,
 } from '@/Interfaces';
 import { randomBytes } from 'crypto';
+import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers';

@RestController('/me')
 export class MeController {
@@ -77,6 +78,20 @@ export class MeController {

 		await validateEntity(payload);

+		// If SAML is enabled, we don't allow the user to change their email address
+		if (isSamlLicensedAndEnabled()) {
+			if (email !== currentEmail) {
+				this.logger.debug(
+					'Request to update user failed because SAML user may not change their email',
+					{
+						userId,
+						payload,
+					},
+				);
+				throw new BadRequestError('SAML user may not change their email');
+			}
+		}
+
 		await this.userRepository.update(userId, payload);
 		const user = await this.userRepository.findOneOrFail({
 			where: { id: userId },
@@ -105,6 +120,16 @@ export class MeController {
 	async updatePassword(req: MeRequest.Password, res: Response) {
 		const { currentPassword, newPassword } = req.body;

+		// If SAML is enabled, we don't allow the user to change their email address
+		if (isSamlLicensedAndEnabled()) {
+			this.logger.debug('Attempted to change password for user, while SAML is enabled', {
+				userId: req.user?.id,
+			});
+			throw new BadRequestError(
+				'With SAML enabled, users need to use their SAML provider to change passwords',
+			);
+		}
+
 		if (typeof currentPassword !== 'string' || typeof newPassword !== 'string') {
 			throw new BadRequestError('Invalid payload.');
 		}