Merge pull request #6994 from FlowFuse/error-sso-role-change

Show error if user roles are managed by SSO

Author: knolleary

forge/db/views/User.js

@@ -83,7 +83,8 @@ module.exports = function (app) {
             allOf: [{ $ref: 'UserSummary' }],
             properties: {
                 role: { type: 'number' },
-                permissions: { $ref: 'TeamMemberPermissions' }
+                permissions: { $ref: 'TeamMemberPermissions' },
+                ssoManaged: { type: 'boolean' }
             }
         }
     })
@@ -97,6 +98,14 @@ module.exports = function (app) {
         return result
     }
 
+    async function ssoManaged (users, team) {
+        const list = {}
+        for (const u of users) {
+            list[u.hashid] = await app.sso.isUserMembershipManaged(u, team)
+        }
+        return list
+    }
+
     app.addSchema({
         $id: 'UserList',
         type: 'array',
@@ -108,6 +117,7 @@ module.exports = function (app) {
     return {
         userSummary,
         userProfile,
-        teamMemberList
+        teamMemberList,
+        ssoManaged
     }
 }

forge/routes/api/teamMembers.js

@@ -31,7 +31,7 @@ module.exports = async function (app) {
                     const noPermissions = request.body?.permissions === undefined
                     if (await app.sso.isUserMembershipManaged(request.user, request.team) && noPermissions) {
                         // The user's membership for this team is sso managed - do not allow api changes to be applied
-                        reply.code(400).send({ code: 'invalid_request', error: 'Cannot modify team membershipt for an SSO managed user' })
+                        reply.code(400).send({ code: 'invalid_request', error: 'Cannot modify team membership for an SSO managed user' })
                         // eslint-disable-next-line no-useless-return
                         return
                     }
@@ -70,7 +70,14 @@ module.exports = async function (app) {
         }
     }, async (request, reply) => {
         const members = await app.db.models.User.inTeam(request.params.teamId)
-        const result = app.db.views.User.teamMemberList(members)
+        let result = app.db.views.User.teamMemberList(members)
+        if (app.config.features.enabled('sso')) {
+            const sso = await app.db.views.User.ssoManaged(members, request.team)
+            result = result.map(r => {
+                r.ssoManaged = sso[r.id]
+                return r
+            })
+        }
         reply.send({
             meta: {}, // For future pagination
             count: result.length,

frontend/src/components/blueprints/BlueprintTile.vue

@@ -17,7 +17,7 @@
         <div class="ff-blueprint-tile--info">
             <label>{{ blueprint.name }}</label>
             <p v-if="blueprint.description" :title="blueprint.description">
-                <ff-markdown-viewer :content="blueprint.description"/>
+                <ff-markdown-viewer :content="blueprint.description" />
             </p>
         </div>
         <div class="ff-blueprint-tile--actions justify-between">

frontend/src/pages/team/Members/General.vue

@@ -19,17 +19,21 @@
             </template>
             <template v-if="canEditUser" #context-menu="{row}">
                 <ff-kebab-item
-                    v-if="(hasPermission('team:user:change-role') && !requiresBilling) || isAdminUser"
+                    v-if="((hasPermission('team:user:change-role') && !requiresBilling) || isAdminUser) && !ssoManaged({row})"
                     data-action="member-change-role"
                     label="Change Role" @click="changeRoleDialog(row)"
                 />
                 <ff-kebab-item
-                    v-if="hasPermission('team:user:remove') || isAdminUser"
+                    v-if="(hasPermission('team:user:remove') || isAdminUser) && !ssoManaged({row})"
                     data-action="member-remove-from-team"
                     label="Remove From Team"
                     kind="danger"
                     @click="removeUserDialog(row)"
                 />
+                <ff-kebab-item
+                    v-if="ssoManaged({row})"
+                    label="User role is SSO Managed"
+                />
             </template>
         </ff-data-table>
     </form>
@@ -236,6 +240,9 @@ export default {
         },
         onApplicationRoleClick ({ application, user }) {
             this.$refs.editApplicationPermissionsDialog.show(user, application)
+        },
+        ssoManaged (row) {
+            return row.row.ssoManaged
         }
     }
 }

frontend/src/pages/team/dialogs/ChangeTeamRoleDialog.vue

@@ -51,6 +51,9 @@ export default {
                     alerts.emit("User's role successfully updated", 'confirmation')
                 } catch (err) {
                     console.warn(err)
+                    if (err.response?.status === 400 && err.response?.data.error === 'Cannot modify team membership for an SSO managed user') {
+                        alerts.emit('User\'s roles are managed by SSO Groups', 'warning', 5000)
+                    }
                 }
             }
         }

test/unit/forge/ee/lib/sso/index_spec.js

@@ -399,7 +399,7 @@ d
         })
         it('ignores invalid role in group', async function () {
             // Validates that it ignores both unknown roles, but also roles that
-            // exist but are not valid for a team membershipt (ie admin)
+            // exist but are not valid for a team membership (ie admin)
 
             // Starting state:
             // Alice owner ATeam

test/unit/forge/ee/routes/sso/index_spec.js

@@ -428,7 +428,7 @@ describe('SSO managed membership', async function () {
         response.statusCode.should.equal(400)
         const result = response.json()
         result.should.have.property('code', 'invalid_request')
-        result.should.have.property('error', 'Cannot modify team membershipt for an SSO managed user')
+        result.should.have.property('error', 'Cannot modify team membership for an SSO managed user')
     })
     it('cannot modify membership for SSO managed user/team', async function () {
         // BTeam is listed as a groupTeam in the SSO config
@@ -443,7 +443,7 @@ describe('SSO managed membership', async function () {
         response.statusCode.should.equal(400)
         const result = response.json()
         result.should.have.property('code', 'invalid_request')
-        result.should.have.property('error', 'Cannot modify team membershipt for an SSO managed user')
+        result.should.have.property('error', 'Cannot modify team membership for an SSO managed user')
     })
 
     it('can delete membership for non-SSO managed user/team', async function () {
@@ -483,7 +483,7 @@ describe('SSO managed membership', async function () {
         response.statusCode.should.equal(400)
         const result = response.json()
         result.should.have.property('code', 'invalid_request')
-        result.should.have.property('error', 'Cannot modify team membershipt for an SSO managed user')
+        result.should.have.property('error', 'Cannot modify team membership for an SSO managed user')
     })
 
     it('cannot modify membership for non-SSO managed user/team when groupAllTeams selected', async function () {
@@ -504,6 +504,6 @@ describe('SSO managed membership', async function () {
         response.statusCode.should.equal(400)
         const result = response.json()
         result.should.have.property('code', 'invalid_request')
-        result.should.have.property('error', 'Cannot modify team membershipt for an SSO managed user')
+        result.should.have.property('error', 'Cannot modify team membership for an SSO managed user')
     })
 })