diff --git a/packages/cli/src/controllers/users.controller.ts b/packages/cli/src/controllers/users.controller.ts
index ddb8a5c6cceea..bb094f9ef1841 100644
--- a/packages/cli/src/controllers/users.controller.ts
+++ b/packages/cli/src/controllers/users.controller.ts
@@ -13,7 +13,6 @@ import {
 	getInstanceBaseUrl,
 	hashPassword,
 	isEmailSetUp,
-	isUserManagementEnabled,
 	sanitizeUser,
 	validatePassword,
 	withFeatureFlags,
@@ -35,6 +34,8 @@ import type {
 import type { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
 import { AuthIdentity } from '@db/entities/AuthIdentity';
 import type { PostHogClient } from '@/posthog';
+import { userManagementEnabledMiddleware } from '../middlewares/userManagementEnabled';
+import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers';
 
 @RestController('/users')
 export class UsersController {
@@ -98,14 +99,15 @@ export class UsersController {
 	/**
 	 * Send email invite(s) to one or multiple users and create user shell(s).
 	 */
-	@Post('/')
+	@Post('/', { middlewares: [userManagementEnabledMiddleware] })
 	async sendEmailInvites(req: UserRequest.Invite) {
-		// TODO: this should be checked in the middleware rather than here
-		if (!isUserManagementEnabled()) {
+		if (isSamlLicensedAndEnabled()) {
 			this.logger.debug(
-				'Request to send email invite(s) to user(s) failed because user management is disabled',
+				'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
+			);
+			throw new BadRequestError(
+				'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
 			);
-			throw new BadRequestError('User management is disabled');
 		}
 
 		if (!this.config.getEnv('userManagement.isInstanceOwnerSetUp')) {
diff --git a/packages/cli/src/middlewares/userManagementEnabled.ts b/packages/cli/src/middlewares/userManagementEnabled.ts
new file mode 100644
index 0000000000000..c1f3c58c6f35d
--- /dev/null
+++ b/packages/cli/src/middlewares/userManagementEnabled.ts
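Review bot: The same long message is written twice in the new `if (isSamlLicensedAndEnabled())` branch, once for `this.logger.debug(...)` and once for `BadRequestError(...)`; hoist it into a local, `const message = 'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites';`, and pass `message` to both so the log line and the response cannot drift apart. With the `isUserManagementEnabled` import dropped in the first hunk, no route in this controller keeps an inline user-management check any more, so any other mutating route here (re-invite, role or deletion endpoints, if present) now depends on carrying the same `middlewares: [userManagementEnabledMiddleware]` option, which only `@Post('/')` receives in this diff — worth confirming. The middleware answers with its own `res.status(400).json(...)` body while this branch throws `BadRequestError`; if the controller's error handler renders a different shape, clients of this endpoint see two formats for the same kind of refusal. sendEmailInvites continues past the end of the hunk.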
@@ -0,0 +1,12 @@
+import type { RequestHandler } from 'express';
+import { LoggerProxy } from 'n8n-workflow';
+import { isUserManagementEnabled } from '../UserManagement/UserManagementHelper';
+
+export const userManagementEnabledMiddleware: RequestHandler = (req, res, next) => {
+	if (isUserManagementEnabled()) {
+		next();
+	} else {
+		LoggerProxy.debug('Request failed because user management is disabled');
+		res.status(400).json({ status: 'error', message: 'User management is disabled' });
+	}
+};
diff --git a/packages/cli/src/sso/saml/saml.service.ee.ts b/packages/cli/src/sso/saml/saml.service.ee.ts
index 69c4db0bdb2ee..1bf8e36b9ffc2 100644
--- a/packages/cli/src/sso/saml/saml.service.ee.ts
+++ b/packages/cli/src/sso/saml/saml.service.ee.ts
@@ -210,7 +210,7 @@ export class SamlService {
 			}
 			this._samlPreferences.metadata = prefs.metadata;
 		}
-		setSamlLoginEnabled(prefs.loginEnabled ?? isSamlLoginEnabled());
+		await setSamlLoginEnabled(prefs.loginEnabled ?? isSamlLoginEnabled());
 		setSamlLoginLabel(prefs.loginLabel ?? getSamlLoginLabel());
 		this.getIdentityProviderInstance(true);
 		const result = await this.saveSamlPreferencesToDb();
diff --git a/packages/cli/src/sso/saml/samlHelpers.ts b/packages/cli/src/sso/saml/samlHelpers.ts
index ed2e4f3746712..ffa6132f1f40a 100644
--- a/packages/cli/src/sso/saml/samlHelpers.ts
+++ b/packages/cli/src/sso/saml/samlHelpers.ts
@@ -28,15 +28,15 @@ export function getSamlLoginLabel(): string {
 }
 
 // can only toggle between email and saml, not directly to e.g. ldap
-export function setSamlLoginEnabled(enabled: boolean): void {
+export async function setSamlLoginEnabled(enabled: boolean): Promise {
 	if (enabled) {
 		if (isEmailCurrentAuthenticationMethod()) {
 			config.set(SAML_LOGIN_ENABLED, true);
-			setCurrentAuthenticationMethod('saml');
+			await setCurrentAuthenticationMethod('saml');
 		}
 	} else {
 		config.set(SAML_LOGIN_ENABLED, false);
-		setCurrentAuthenticationMethod('email');
+		await setCurrentAuthenticationMethod('email');
 	}
 }
 
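Review bot: `userManagementEnabledMiddleware` writes the refusal itself with `res.status(400).json(...)` instead of handing the error to the application's error handler, which is the path the controller takes with `BadRequestError`; if that handler is what gives every rejection consistent logging and response shape, prefer `next(new BadRequestError('User management is disabled'))` so both rejection paths look the same to clients (assuming `BadRequestError` is importable here as it is in the controller). The unused first parameter should be named `_req` so the usual unused-variable lint rule stays quiet. The exported constant also deserves a short TSDoc such as `/** Rejects the request with 400 when user management is disabled; otherwise passes control to the next handler. */`.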
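Review bot: After this change `await setSamlLoginEnabled(...)` persists the authentication method to the Settings table before `saveSamlPreferencesToDb()` runs, so a failure in that later save leaves the instance switched to SAML login in the database while the preferences it needs were never stored; after a restart that could leave administrators without a working login. Consider switching the method only once the preferences save has succeeded, or reverting it when one of the remaining steps throws. This is inferred from the order of the visible lines only; the enclosing method starts and ends outside the hunk, so an outer transaction or rollback may already cover it.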
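Review bot: In both branches of `setSamlLoginEnabled` the in-memory flag is set before the awaited write — `config.set(SAML_LOGIN_ENABLED, true);` runs first and `await setCurrentAuthenticationMethod('saml')` may then reject — so a failed database write leaves the process believing SAML login is on while the persisted method is still email (and the mirror case when disabling). Swap the two statements in each branch, `await setCurrentAuthenticationMethod('saml'); config.set(SAML_LOGIN_ENABLED, true);` and likewise for 'email', so the flag only flips after the method has been stored; `setCurrentAuthenticationMethod` in ssoHelpers.ts has the same set-then-await order and wants the same treatment. Making the function `async` also means any caller not updated to `await` it gets a floating promise whose rejection is lost; only the saml.service.ee.ts call site is updated in this diff, so other callers should be checked (or `@typescript-eslint/no-floating-promises` enabled). The `// can only toggle ...` comment could become a TSDoc block that states the function now persists the method and must be awaited.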
diff --git a/packages/cli/src/sso/ssoHelpers.ts b/packages/cli/src/sso/ssoHelpers.ts
index bf87952818c01..dcd5c1ac3e3a9 100644
--- a/packages/cli/src/sso/ssoHelpers.ts
+++ b/packages/cli/src/sso/ssoHelpers.ts
@@ -1,4 +1,5 @@
 import config from '@/config';
+import * as Db from '@/Db';
 import type { AuthProviderType } from '@/databases/entities/AuthIdentity';
 
 export function isSamlCurrentAuthenticationMethod(): boolean {
@@ -17,6 +18,12 @@ export function doRedirectUsersFromLoginToSsoFlow(): boolean {
 	return config.getEnv('sso.redirectLoginToSso');
 }
 
-export function setCurrentAuthenticationMethod(authenticationMethod: AuthProviderType): void {
+export async function setCurrentAuthenticationMethod(
+	authenticationMethod: AuthProviderType,
+): Promise {
 	config.set('userManagement.authenticationMethod', authenticationMethod);
+	await Db.collections.Settings.save({
+		key: 'userManagement.authenticationMethod',
+		value: authenticationMethod,
+	});
 }
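Review bot: The key string `'userManagement.authenticationMethod'` now appears twice in `setCurrentAuthenticationMethod`, once for `config.set` and once in the `Settings.save` payload; hoist it, `const AUTH_METHOD_KEY = 'userManagement.authenticationMethod';`, so the config key and the persisted row cannot diverge. The write also assumes `Settings.save` upserts on `key`; if `key` is not the entity's primary column, repeated calls insert duplicate rows instead of replacing the value, so this should be verified against the Settings entity. A TSDoc block stating that the function updates the in-memory config and persists the method for the next startup, and that it must be awaited, would help callers that previously treated it as synchronous.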