Merge pull request #17060 from overleaf/jel-password-linked-group-sso

[web] Prevent updating password for managed users linked to group SSO

GitOrigin-RevId: f40bba47575cfac1b1e42d3138112c0db4f7865c

services/web/app/src/router.js

@@ -290,6 +290,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
     '/user/password/update',
     AuthenticationController.requireLogin(),
     RateLimiterMiddleware.rateLimit(rateLimiters.changePassword),
+    PermissionsController.requirePermission('change-password'),
     UserController.changePassword
   )
   webRouter.get(

services/web/frontend/extracted-translations.json

@@ -1536,6 +1536,7 @@
   "you_are_on_x_plan_as_member_of_group_subscription_y_administered_by_z": "",
   "you_can_now_enable_sso": "",
   "you_can_now_log_in_sso": "",
+  "you_cant_add_or_change_password_due_to_sso": "",
   "you_dont_have_any_repositories": "",
   "you_have_added_x_of_group_size_y": "",
   "you_have_been_invited_to_transfer_management_of_your_account": "",

services/web/frontend/js/features/settings/components/password-section.tsx

@@ -25,15 +25,33 @@ type PasswordUpdateResult = {
 
 function PasswordSection() {
   const { t } = useTranslation()
-
+  const hideChangePassword = getMeta('ol-cannot-change-password') as boolean
   return (
     <>
       <h3>{t('change_password')}</h3>
-      <PasswordInnerSection />
+      {hideChangePassword ? (
+        <CanOnlyLogInThroughSSO />
+      ) : (
+        <PasswordInnerSection />
+      )}
     </>
   )
 }
 
+function CanOnlyLogInThroughSSO() {
+  return (
+    <p>
+      <Trans
+        i18nKey="you_cant_add_or_change_password_due_to_sso"
+        components={[
+          // eslint-disable-next-line react/jsx-key, jsx-a11y/anchor-has-content
+          <a href="/learn/how-to/Logging_in_with_Group_single_sign-on" />,
+        ]}
+      />
+    </p>
+  )
+}
+
 function PasswordInnerSection() {
   const { t } = useTranslation()
   const { isOverleaf } = getMeta('ol-ExposedSettings') as ExposedSettings

services/web/locales/en.json

@@ -2205,6 +2205,7 @@
   "you_can_opt_in_and_out_of_overleaf_labs_at_any_time_on_this_page": "You can <0>opt in and out</0> of Overleaf Labs at any time on this page",
   "you_can_opt_in_and_out_of_the_program_at_any_time_on_this_page": "You can <0>opt in and out</0> of the program at any time on this page",
   "you_can_opt_in_to_individual_experiments": "You will be asked to opt in and out of individual experiments; each experiment may have unique partners, requirements, terms and conditions, etc. that must be opted in to for that specific experiment",
+  "you_cant_add_or_change_password_due_to_sso": "You can’t add or change your password because your group or organization uses <0>single sign-on (SSO)</0>.",
   "you_cant_join_this_group_subscription": "You can’t join this group subscription",
   "you_dont_have_any_repositories": "You don’t have any repositories",
   "you_get_access_to": "You get access to",

services/web/test/frontend/features/settings/components/password-section.test.tsx

@@ -183,6 +183,17 @@ describe('<PasswordSection />', function () {
 
     await screen.findByText('Your old password is wrong')
   })
+
+  it('shows message when user cannot use password log in', async function () {
+    window.metaAttributesCache.set('ol-cannot-change-password', true)
+    render(<PasswordSection />)
+    await screen.findByRole('heading', { name: 'Change Password' })
+    screen.getByText(
+      'You can’t add or change your password because your group or organization uses',
+      { exact: false }
+    )
+    screen.getByRole('link', { name: 'single sign-on (SSO)' })
+  })
 })
 
 function submitValidForm() {