[MM-56491] Allow sysadmins to LDAP sync SAML users when SamlSettings.EnableSyncWithLdap is true (#25886)

Co-authored-by: Mattermost Build <build@mattermost.com>
2025-02-25 18:55:24 -06:00 · 2024-03-15 09:40:05 -04:00 · 2024-03-15 09:40:05 -04:00 · b14213d329
commit b14213d329
parent 7c0a3b0297
3 changed files with 32 additions and 7 deletions
--- a/server/channels/api4/ldap.go
+++ b/server/channels/api4/ldap.go
@ -433,7 +433,7 @@ func addUserToGroupSyncables(c *Context, w http.ResponseWriter, r *http.Request)
 		return
 	}

-	if user.AuthService != model.UserAuthServiceLdap {
+	if user.AuthService != model.UserAuthServiceLdap && (user.AuthService != model.UserAuthServiceSaml || !*c.App.Config().SamlSettings.EnableSyncWithLdap) {
 		c.Err = model.NewAppError("addUserToGroupSyncables", "api.user.add_user_to_group_syncables.not_ldap_user.app_error", nil, "", http.StatusBadRequest)
 		return
 	}
--- a/server/channels/api4/ldap_test.go
+++ b/server/channels/api4/ldap_test.go
@ -309,4 +309,28 @@ func TestAddUserToGroupSyncables(t *testing.T) {
 	resp, err = th.SystemAdminClient.AddUserToGroupSyncables(context.Background(), user.Id)
 	require.NoError(t, err)
 	CheckOKStatus(t, resp)
+
+	t.Run("should sync SAML users when SamlSettings.EnableSyncWithLdap is true", func(t *testing.T) {
+		id = model.NewId()
+		user = &model.User{
+			Email:       "test123@localhost",
+			Username:    model.NewId(),
+			AuthData:    &id,
+			AuthService: model.UserAuthServiceSaml,
+		}
+		user, err = th.App.Srv().Store().User().Save(th.Context, user)
+		require.NoError(t, err)
+
+		resp, err = th.Client.AddUserToGroupSyncables(context.Background(), user.Id)
+		require.Error(t, err)
+		CheckForbiddenStatus(t, resp)
+
+		th.App.UpdateConfig(func(cfg *model.Config) {
+			*cfg.SamlSettings.EnableSyncWithLdap = true
+		})
+
+		resp, err = th.SystemAdminClient.AddUserToGroupSyncables(context.Background(), user.Id)
+		require.NoError(t, err)
+		CheckOKStatus(t, resp)
+	})
 }
--- a/webapp/channels/src/components/admin_console/system_users/system_users_list_actions/index.tsx
+++ b/webapp/channels/src/components/admin_console/system_users/system_users_list_actions/index.tsx
@ -12,7 +12,8 @@ import type {UserProfile} from '@mattermost/types/users';
 import {updateUserActive} from 'mattermost-redux/actions/users';
 import {Permissions} from 'mattermost-redux/constants';
 import General from 'mattermost-redux/constants/general';
-import {getConfig, getLicense} from 'mattermost-redux/selectors/entities/general';
+import {getConfig} from 'mattermost-redux/selectors/entities/admin';
+import {getLicense} from 'mattermost-redux/selectors/entities/general';
 import {isSystemAdmin, isGuest} from 'mattermost-redux/utils/user_utils';

 import {adminResetMfa} from 'actions/admin_actions';
@ -208,7 +209,7 @@ export function SystemUsersListAction({user, currentUser, tableId, rowIndex, onE
                }}
            />

-            {config.EnableUserAccessTokens === 'true' &&
+            {config.ServiceSettings?.EnableUserAccessTokens &&
            <Menu.Item
                id={`${menuItemIdPrefix}-manageTokens`}
                labels={
@ -244,7 +245,7 @@ export function SystemUsersListAction({user, currentUser, tableId, rowIndex, onE
                }}
            />}

-            {user.mfa_active && config.EnableMultifactorAuthentication &&
+            {user.mfa_active && config.ServiceSettings?.EnableMultifactorAuthentication &&
            <Menu.Item
                id={`${menuItemIdPrefix}-removeMFA`}
                labels={
@ -260,7 +261,7 @@ export function SystemUsersListAction({user, currentUser, tableId, rowIndex, onE
                }}
            />}

-            {Boolean(user.auth_service) && config.ExperimentalEnableAuthenticationTransfer === 'true' &&
+            {Boolean(user.auth_service) && config.ServiceSettings?.ExperimentalEnableAuthenticationTransfer &&
            <Menu.Item
                id={`${menuItemIdPrefix}-switchToEmailPassword`}
                labels={
@ -323,7 +324,7 @@ export function SystemUsersListAction({user, currentUser, tableId, rowIndex, onE
                    }));
                }}
            />}
-            {!isGuest(user.roles) && user.id !== currentUser.id && isLicensed && config.EnableGuestAccounts === 'true' &&
+            {!isGuest(user.roles) && user.id !== currentUser.id && isLicensed && config.GuestAccountsSettings?.Enable &&
            <Menu.Item
                id={`${menuItemIdPrefix}-demoteToGuest`}
                labels={
@ -364,7 +365,7 @@ export function SystemUsersListAction({user, currentUser, tableId, rowIndex, onE
                />}
            </SystemPermissionGate>
            <SystemPermissionGate permissions={[Permissions.SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS]}>
-                {user.auth_service === Constants.LDAP_SERVICE &&
+                {(user.auth_service === Constants.LDAP_SERVICE || (user.auth_service === Constants.SAML_SERVICE && config.SamlSettings?.EnableSyncWithLdap)) &&
                <Menu.Item
                    id={`${menuItemIdPrefix}-resyncUserViaLdapGroups`}
                    labels={