Merge pull request #17090 from overleaf/jel-block-password-reset

[web] Block password reset request for managed users linked to SSO GitOrigin-RevId: 9c990d9fcb7a3286fee733e0fd61c06c09d79367
2024-11-07 20:31:06 -05:00 · 2024-03-11 07:28:16 -05:00 · 2024-03-11 07:28:16 -05:00 · b2b100d485
commit b2b100d485
parent 02d890ef18
4 changed files with 21 additions and 0 deletions
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.js
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.js
@ -121,6 +121,13 @@ async function requestReset(req, res, next) {
    OError.tag(err, 'failed to generate and email password reset token', {
      email,
    })
+    if (err.message === 'user does not have permission for change-password') {
+      return res.status(403).json({
+        message: {
+          key: 'no-password-allowed-due-to-sso',
+        },
+      })
+    }
    throw err
  }

--- a/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js
@ -5,6 +5,8 @@ const OneTimeTokenHandler = require('../Security/OneTimeTokenHandler')
 const EmailHandler = require('../Email/EmailHandler')
 const AuthenticationManager = require('../Authentication/AuthenticationManager')
 const { callbackify, promisify } = require('util')
+const { checkUserPermissions } =
+  require('../Authorization/PermissionsManager').promises

 const AUDIT_LOG_TOKEN_PREFIX_LENGTH = 10

@ -19,6 +21,8 @@ async function generateAndEmailResetToken(email) {
    return 'secondary'
  }

+  await checkUserPermissions(user, ['change-password'])
+
  const data = { user_id: user._id.toString(), email }
  const token = await OneTimeTokenHandler.promises.getNewToken('password', data)

--- a/services/web/app/views/user/passwordReset.pug
+++ b/services/web/app/views/user/passwordReset.pug
@ -42,6 +42,15 @@ block content
 							)
 								| #{translate(error)}

+						div(data-ol-custom-form-message="no-password-allowed-due-to-sso" hidden)
+							.notification.notification-type-error(aria-live="polite" style="margin-bottom: 10px;")
+								.notification-icon
+									span.material-symbols.material-symbols-rounded(aria-hidden="true") error
+								.notification-content-and-cta
+									.notification-content
+										p
+											| !{translate("you_cant_reset_password_due_to_sso", {}, [{name: 'a', attrs: {href: '/sso-login'}}])}
+
 						input(type="hidden", name="_csrf", value=csrfToken)
 						.form-group.mb-3
 							label(for='email') #{translate("email")}
--- a/services/web/locales/en.json
+++ b/services/web/locales/en.json
@ -2176,6 +2176,7 @@
  "you_can_opt_in_to_individual_experiments": "You will be asked to opt in and out of individual experiments; each experiment may have unique partners, requirements, terms and conditions, etc. that must be opted in to for that specific experiment",
  "you_cant_add_or_change_password_due_to_sso": "You can’t add or change your password because your group or organization uses <0>single sign-on (SSO)</0>.",
  "you_cant_join_this_group_subscription": "You can’t join this group subscription",
+  "you_cant_reset_password_due_to_sso": "You can’t reset your password because your group or organization uses SSO. <0>Log in with SSO</0>.",
  "you_dont_have_any_repositories": "You don’t have any repositories",
  "you_get_access_to": "You get access to",
  "you_get_access_to_info": "These features are available only to you (the subscriber).",