Disallow user group creation when server has OIDC auth with group sync enabled.

This commit is contained in:
Ylian Saint-Hilaire 2023-09-24 20:51:45 -07:00
parent 1e93057c52
commit dd279d3ea2
1 changed files with 8 additions and 1 deletions


@ -1491,7 +1491,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
var ugrpdomain, err = null; var ugrpdomain, err = null;
try { try {
// Check if we are in a mode that does not allow manual user group creation // Check if we are in a mode that does not allow manual user group creation
if (domain.auth == 'ldap') { err = "Not allowed in LDAP mode"; } if (
(typeof domain.authstrategies == 'object') &&
(typeof domain.authstrategies['oidc'] == 'object') &&
(typeof domain.authstrategies['oidc'].groups == 'object') &&
((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
) {
err = "Not allowed in OIDC mode with user group sync.";
}
// Check if we have new group restriction // Check if we have new group restriction
if ((user.siteadmin & SITERIGHT_USERGROUPS) == 0) { err = "Permission denied"; } if ((user.siteadmin & SITERIGHT_USERGROUPS) == 0) { err = "Permission denied"; }