From b2b100d485dcb404124f44a6d26c50c81924baf4 Mon Sep 17 00:00:00 2001 From: Jessica Lawshe <5312836+lawshe@users.noreply.github.com> Date: Mon, 11 Mar 2024 07:28:16 -0500 Subject: [PATCH] Merge pull request #17090 from overleaf/jel-block-password-reset [web] Block password reset request for managed users linked to SSO GitOrigin-RevId: 9c990d9fcb7a3286fee733e0fd61c06c09d79367 --- .../Features/PasswordReset/PasswordResetController.js | 7 +++++++ .../src/Features/PasswordReset/PasswordResetHandler.js | 4 ++++ services/web/app/views/user/passwordReset.pug | 9 +++++++++ services/web/locales/en.json | 1 + 4 files changed, 21 insertions(+) diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetController.js b/services/web/app/src/Features/PasswordReset/PasswordResetController.js index e1969f58c3..0b477926b4 100644 --- a/services/web/app/src/Features/PasswordReset/PasswordResetController.js +++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.js @@ -121,6 +121,13 @@ async function requestReset(req, res, next) { OError.tag(err, 'failed to generate and email password reset token', { email, }) + if (err.message === 'user does not have permission for change-password') { + return res.status(403).json({ + message: { + key: 'no-password-allowed-due-to-sso', + }, + }) + } throw err } diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js b/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js index aaf378b53b..a532704752 100644 --- a/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js +++ b/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js @@ -5,6 +5,8 @@ const OneTimeTokenHandler = require('../Security/OneTimeTokenHandler') const EmailHandler = require('../Email/EmailHandler') const AuthenticationManager = require('../Authentication/AuthenticationManager') const { callbackify, promisify } = require('util') +const { checkUserPermissions } = + require('../Authorization/PermissionsManager').promises const AUDIT_LOG_TOKEN_PREFIX_LENGTH = 10 @@ -19,6 +21,8 @@ async function generateAndEmailResetToken(email) { return 'secondary' } + await checkUserPermissions(user, ['change-password']) + const data = { user_id: user._id.toString(), email } const token = await OneTimeTokenHandler.promises.getNewToken('password', data) diff --git a/services/web/app/views/user/passwordReset.pug b/services/web/app/views/user/passwordReset.pug index 527c5f2685..aed7a54513 100644 --- a/services/web/app/views/user/passwordReset.pug +++ b/services/web/app/views/user/passwordReset.pug @@ -42,6 +42,15 @@ block content ) | #{translate(error)} + div(data-ol-custom-form-message="no-password-allowed-due-to-sso" hidden) + .notification.notification-type-error(aria-live="polite" style="margin-bottom: 10px;") + .notification-icon + span.material-symbols.material-symbols-rounded(aria-hidden="true") error + .notification-content-and-cta + .notification-content + p + | !{translate("you_cant_reset_password_due_to_sso", {}, [{name: 'a', attrs: {href: '/sso-login'}}])} + input(type="hidden", name="_csrf", value=csrfToken) .form-group.mb-3 label(for='email') #{translate("email")} diff --git a/services/web/locales/en.json b/services/web/locales/en.json index 16f4d1cef6..bff90bf094 100644 --- a/services/web/locales/en.json +++ b/services/web/locales/en.json @@ -2176,6 +2176,7 @@ "you_can_opt_in_to_individual_experiments": "You will be asked to opt in and out of individual experiments; each experiment may have unique partners, requirements, terms and conditions, etc. that must be opted in to for that specific experiment", "you_cant_add_or_change_password_due_to_sso": "You can’t add or change your password because your group or organization uses <0>single sign-on (SSO).", "you_cant_join_this_group_subscription": "You can’t join this group subscription", + "you_cant_reset_password_due_to_sso": "You can’t reset your password because your group or organization uses SSO. <0>Log in with SSO.", "you_dont_have_any_repositories": "You don’t have any repositories", "you_get_access_to": "You get access to", "you_get_access_to_info": "These features are available only to you (the subscriber).",