feat(core): Limit user invites when SAML is enabled (#5761)

Limit user invites when SAML is enabled.
Michael Auerswald 2023-03-23 15:12:19 +01:00 committed by GitHub
parent b0cfd69f2b
commit 57748b71e5
2 changed files with 20 additions and 6 deletions


@ -13,7 +13,6 @@ import {
getInstanceBaseUrl,
hashPassword,
isEmailSetUp,
isUserManagementEnabled,
sanitizeUser,
validatePassword,
withFeatureFlags,
@ -35,6 +34,8 @@ import type {
import type { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
import { AuthIdentity } from '@db/entities/AuthIdentity';
import type { PostHogClient } from '@/posthog';
import { userManagementEnabledMiddleware } from '../middlewares/userManagementEnabled';
import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers';
@RestController('/users')
export class UsersController {
@ -98,14 +99,15 @@ export class UsersController {
/**
* Send email invite(s) to one or multiple users and create user shell(s).
*/
@Post('/')
@Post('/', { middlewares: [userManagementEnabledMiddleware] })
async sendEmailInvites(req: UserRequest.Invite) {
// TODO: this should be checked in the middleware rather than here
if (!isUserManagementEnabled()) {
if (isSamlLicensedAndEnabled()) {
this.logger.debug(
'Request to send email invite(s) to user(s) failed because user management is disabled',
'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
);
throw new BadRequestError(
'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
);
throw new BadRequestError('User management is disabled');
}
if (!this.config.getEnv('userManagement.isInstanceOwnerSetUp')) {
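Review bot: The SAML rejection text in sendEmailInvites is the same long literal written twice, once for `this.logger.debug(...)` and once for `new BadRequestError(...)`; hoist it once, `const message = 'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites';`, and pass `message` to both calls so the log line and the client-facing error cannot drift apart. Moving the user-management check from the thrown BadRequestError into the route middleware also changes the failure shape for that case from whatever the controller's error handling emits to the middleware's own JSON body, which clients parsing the error envelope may notice; worth confirming that both paths produce the same envelope. The new guard covers only `POST /users`; if other routes can create or re-invite user shells they presumably need the same SAML check, which cannot be verified from this hunk. The body of sendEmailInvites continues past the end of the hunk.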


@ -0,0 +1,12 @@
import type { RequestHandler } from 'express';
import { LoggerProxy } from 'n8n-workflow';
import { isUserManagementEnabled } from '../UserManagement/UserManagementHelper';
export const userManagementEnabledMiddleware: RequestHandler = (req, res, next) => {
if (isUserManagementEnabled()) {
next();
} else {
LoggerProxy.debug('Request failed because user management is disabled');
res.status(400).json({ status: 'error', message: 'User management is disabled' });
}
};
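Review bot: The middleware builds its own error body with `res.status(400).json({ status: 'error', message: ... })` instead of handing the failure to the error pipeline, so the response format is fixed by this literal rather than by the BadRequestError the controller throws for the same condition; if BadRequestError is importable here, `next(new BadRequestError('User management is disabled'))` would keep a single error shape across both paths. The exported constant has no doc comment; add a TSDoc such as `/** Passes the request through when user management is enabled; otherwise answers 400 and logs the rejection. */` above the declaration. The `req` parameter is unused and could be written `_req` to satisfy the usual no-unused-vars rule.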