From c4fd55efcac7f178d3449a89b04ae21b63f4836a Mon Sep 17 00:00:00 2001
From: Michael Auerswald
Date: Thu, 23 Mar 2023 12:26:41 +0100
Subject: [PATCH] limit user invites when saml is enabled
---
 packages/cli/src/controllers/users.controller.ts | 14 ++++++++------
 .../cli/src/middlewares/userManagementEnabled.ts | 12 ++++++++++++
 2 files changed, 20 insertions(+), 6 deletions(-)
 create mode 100644 packages/cli/src/middlewares/userManagementEnabled.ts
diff --git a/packages/cli/src/controllers/users.controller.ts b/packages/cli/src/controllers/users.controller.ts
index ddb8a5c6cceea..bb094f9ef1841 100644
--- a/packages/cli/src/controllers/users.controller.ts
+++ b/packages/cli/src/controllers/users.controller.ts
@@ -13,7 +13,6 @@ import {
 getInstanceBaseUrl,
 hashPassword,
 isEmailSetUp,
- isUserManagementEnabled,
 sanitizeUser,
 validatePassword,
 withFeatureFlags,
@@ -35,6 +34,8 @@ import type {
 import type { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
 import { AuthIdentity } from '@db/entities/AuthIdentity';
 import type { PostHogClient } from '@/posthog';
+import { userManagementEnabledMiddleware } from '../middlewares/userManagementEnabled';
+import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers';
 
 @RestController('/users')
 export class UsersController {
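Review bot: The two imports added at the end of the second hunk use relative paths (`'../middlewares/userManagementEnabled'`, `'../sso/saml/samlHelpers'`) while the neighbouring imports in this file use the `@/` alias (`'@/ActiveWorkflowRunner'`, `'@/posthog'`). Writing them as `import { userManagementEnabledMiddleware } from '@/middlewares/userManagementEnabled';` and `import { isSamlLicensedAndEnabled } from '@/sso/saml/samlHelpers';` keeps the file's import style uniform, assuming the alias resolves to the same source root as the other `@/` imports.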
@@ -98,14 +99,15 @@ export class UsersController {
 /**
 * Send email invite(s) to one or multiple users and create user shell(s).
 */
- @Post('/')
+ @Post('/', { middlewares: [userManagementEnabledMiddleware] })
 async sendEmailInvites(req: UserRequest.Invite) {
- // TODO: this should be checked in the middleware rather than here
- if (!isUserManagementEnabled()) {
+ if (isSamlLicensedAndEnabled()) {
 this.logger.debug(
- 'Request to send email invite(s) to user(s) failed because user management is disabled',
+ 'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
+ );
+ throw new BadRequestError(
+ 'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
 );
- throw new BadRequestError('User management is disabled');
 }
 
 if (!this.config.getEnv('userManagement.isInstanceOwnerSetUp')) {
diff --git a/packages/cli/src/middlewares/userManagementEnabled.ts b/packages/cli/src/middlewares/userManagementEnabled.ts
new file mode 100644
index 0000000000000..c1f3c58c6f35d
--- /dev/null
+++ b/packages/cli/src/middlewares/userManagementEnabled.ts
@@ -0,0 +1,12 @@
+import type { RequestHandler } from 'express';
+import { LoggerProxy } from 'n8n-workflow';
+import { isUserManagementEnabled } from '../UserManagement/UserManagementHelper';
+
+export const userManagementEnabledMiddleware: RequestHandler = (req, res, next) => {
+ if (isUserManagementEnabled()) {
+ next();
+ } else {
+ LoggerProxy.debug('Request failed because user management is disabled');
+ res.status(400).json({ status: 'error', message: 'User management is disabled' });
+ }
+};
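Review bot: The SAML message in `sendEmailInvites` is spelled out twice, once for `this.logger.debug(` and again for `throw new BadRequestError(`, so the two strings can drift apart on the next edit; hoist it into one constant, e.g. `const message = 'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites';` followed by `this.logger.debug(message); throw new BadRequestError(message);`. The user-management check moved into a route middleware attached through the `@Post` options, but the SAML guard stays inline in the handler, so any other endpoint that creates user shells would have to repeat it; whether such endpoints exist is not visible in this hunk, but a sibling middleware next to `userManagementEnabledMiddleware` would let both guards be attached declaratively. The body of `sendEmailInvites` continues past the end of the hunk.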
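Review bot: `userManagementEnabledMiddleware` short-circuits with a hand-built `res.status(400).json({ status: 'error', message: ... })`, whereas the controller code it replaces threw `BadRequestError` and left the response shape to the application's error handling; unless the two envelopes are known to match, clients now get a different body for what used to be the same failure. Forwarding the error instead, `next(new BadRequestError('User management is disabled'));`, keeps a single response shape, assuming the middleware chain ends in the same error handler the controllers use (the import path for `BadRequestError` is not shown in this patch). The exported constant also has no TSDoc; a header such as `/** Rejects the request with 400 when user management is disabled; otherwise passes control to the route handler. */` documents the contract for code that attaches it via `@Post` options. `req` is unused and could be named `_req` to make that explicit.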