From 57748b71e5cd1399ccaedb9a115b821b34cf55e5 Mon Sep 17 00:00:00 2001 From: Michael Auerswald Date: Thu, 23 Mar 2023 15:12:19 +0100 Subject: [PATCH] feat(core): Limit user invites when SAML is enabled (#5761) limit user invites when saml is enabled --- packages/cli/src/controllers/users.controller.ts | 14 ++++++++------ .../cli/src/middlewares/userManagementEnabled.ts | 12 ++++++++++++ 2 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 packages/cli/src/middlewares/userManagementEnabled.ts diff --git a/packages/cli/src/controllers/users.controller.ts b/packages/cli/src/controllers/users.controller.ts index ddb8a5c6cc..bb094f9ef1 100644 --- a/packages/cli/src/controllers/users.controller.ts +++ b/packages/cli/src/controllers/users.controller.ts @@ -13,7 +13,6 @@ import { getInstanceBaseUrl, hashPassword, isEmailSetUp, - isUserManagementEnabled, sanitizeUser, validatePassword, withFeatureFlags, @@ -35,6 +34,8 @@ import type { import type { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner'; import { AuthIdentity } from '@db/entities/AuthIdentity'; import type { PostHogClient } from '@/posthog'; +import { userManagementEnabledMiddleware } from '../middlewares/userManagementEnabled'; +import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers'; @RestController('/users') export class UsersController { @@ -98,14 +99,15 @@ export class UsersController { /** * Send email invite(s) to one or multiple users and create user shell(s). */ - @Post('/') + @Post('/', { middlewares: [userManagementEnabledMiddleware] }) async sendEmailInvites(req: UserRequest.Invite) { - // TODO: this should be checked in the middleware rather than here - if (!isUserManagementEnabled()) { + if (isSamlLicensedAndEnabled()) { this.logger.debug( - 'Request to send email invite(s) to user(s) failed because user management is disabled', + 'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites', + ); + throw new BadRequestError( + 'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites', ); - throw new BadRequestError('User management is disabled'); } if (!this.config.getEnv('userManagement.isInstanceOwnerSetUp')) { diff --git a/packages/cli/src/middlewares/userManagementEnabled.ts b/packages/cli/src/middlewares/userManagementEnabled.ts new file mode 100644 index 0000000000..c1f3c58c6f --- /dev/null +++ b/packages/cli/src/middlewares/userManagementEnabled.ts @@ -0,0 +1,12 @@ +import type { RequestHandler } from 'express'; +import { LoggerProxy } from 'n8n-workflow'; +import { isUserManagementEnabled } from '../UserManagement/UserManagementHelper'; + +export const userManagementEnabledMiddleware: RequestHandler = (req, res, next) => { + if (isUserManagementEnabled()) { + next(); + } else { + LoggerProxy.debug('Request failed because user management is disabled'); + res.status(400).json({ status: 'error', message: 'User management is disabled' }); + } +};