diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md index 154c5e87a..d6c054963 100644 --- a/CHANGELOG.unreleased.md +++ b/CHANGELOG.unreleased.md @@ -7,6 +7,8 @@ > Users must be able to say: “Nice enhancement, I'm eager to test it” +- [LDAP] Prevent LDAP-provided groups from being edited from XO [#1884](https://github.com/vatesfr/xen-orchestra/issues/1884) (PR [#5351](https://github.com/vatesfr/xen-orchestra/pull/5351)) + ### Bug fixes > Users must be able to say: “I had this issue, happy to know it's fixed” @@ -27,3 +29,6 @@ > - major: if the change breaks compatibility > > In case of conflict, the highest (lowest in previous list) `$version` wins. + +- xo-server minor +- xo-web minor diff --git a/packages/xo-server/src/api/group.js b/packages/xo-server/src/api/group.js index 0d0d6ff6f..597e8783e 100644 --- a/packages/xo-server/src/api/group.js +++ b/packages/xo-server/src/api/group.js @@ -1,3 +1,5 @@ +import { forbiddenOperation } from 'xo-common/api-errors' + export async function create({ name }) { return (await this.createGroup({ name })).id } @@ -51,6 +53,13 @@ setUsers.params = { // adds the user id to group.users export async function addUser({ id, userId }) { + const group = await this.getGroup(id) + if (group.provider !== undefined) { + throw forbiddenOperation( + 'add user', + 'cannot add user to synchronized group' + ) + } await this.addUserToGroup(userId, id) } @@ -65,6 +74,13 @@ addUser.params = { // remove the user id from group.users export async function removeUser({ id, userId }) { + const group = await this.getGroup(id) + if (group.provider !== undefined) { + throw forbiddenOperation( + 'remove user', + 'cannot remove user from synchronized group' + ) + } await this.removeUserFromGroup(userId, id) } 
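Review bot: `setUsers` is left without the provider check that this commit adds to `addUser`, `removeUser` and, in the next hunk, `set`. It appears only as `setUsers.params` in this hunk's header, so its body is not visible here, but if it replaces a group's member list it remains a server-side way to change the membership of a synchronized group. Because the xo-web changes only hide controls, the API is the enforcement point and needs the same guard there, e.g. `if ((await this.getGroup(id)).provider !== undefined) throw forbiddenOperation('set users', 'cannot edit synchronized group')`. The three guards are also near-copies of one another, so a small shared helper taking the operation name and message would keep them from drifting apart.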
@@ -80,6 +96,15 @@ removeUser.params = { // ------------------------------------------------------------------- export async function set({ id, name }) { + if (name !== undefined) { + const group = await this.getGroup(id) + if (group.provider !== undefined) { + throw forbiddenOperation( + 'set group name', + 'cannot edit synchronized group' + ) + } + } await this.updateGroup(id, { name }) } diff --git a/packages/xo-server/src/xo-mixins/subjects.js b/packages/xo-server/src/xo-mixins/subjects.js index 46ecbf999..8fe33ff0a 100644 --- a/packages/xo-server/src/xo-mixins/subjects.js +++ b/packages/xo-server/src/xo-mixins/subjects.js @@ -304,7 +304,9 @@ export default class { [providerId]: { id, data: - data !== undefined ? data : user.authProviders?.[providerId]?.data, + data !== undefined + ? data + : user.authProviders?.[providerId]?.data, }, }, }) diff --git a/packages/xo-web/src/xo-app/settings/groups/index.js b/packages/xo-web/src/xo-app/settings/groups/index.js index 8c8a5138e..a036893b8 100644 --- a/packages/xo-web/src/xo-app/settings/groups/index.js +++ b/packages/xo-web/src/xo-app/settings/groups/index.js @@ -40,7 +40,7 @@ class UserDisplay extends Component { } render() { - const { id, users } = this.props + const { id, users, canRemove } = this.props return ( @@ -51,13 +51,15 @@ class UserDisplay extends Component { > )}{' '} - + {canRemove && ( + + )} ) } @@ -88,7 +90,11 @@ class GroupMembersDisplay extends Component { @@ -107,9 +113,15 @@ const getPredicate = users => entity => const GROUP_COLUMNS = [ { name: _('groupNameColumn'), - itemRenderer: group => ( - setGroupName(group, value)} /> - ), + itemRenderer: group => + group.provider === undefined ? ( + setGroupName(group, value)} + /> + ) : ( + group.name + ), sortCriteria: group => group.name, }, { 
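Review bot: The guard in `set` runs only when `name !== undefined`, which ties the protection of synchronized groups to `name` being the only editable field. A property added to `set` later would reach `updateGroup` without the check. A comment above the condition would make that explicit, for example `// name is the only editable property today; extend this check when adding others`. Alternatively, running the `group.provider` check unconditionally would match `addUser` and `removeUser` at the cost of one extra `getGroup` call.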
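Review bot: `group.provider === undefined` is repeated in the `groupNameColumn` renderer here and in the `addUserToGroupColumn` renderer in the following hunk. It is presumably repeated again wherever `canRemove` is derived, though that JSX is not visible on this page. A module-level predicate such as `const isGroupEditable = group => group.provider === undefined` would give the rule a single definition in the UI. A short comment that these branches only hide the controls, and that xo-server is what rejects the calls, would keep readers from treating the UI check as the access control.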
@@ -118,13 +130,14 @@ const GROUP_COLUMNS = [ }, { name: _('addUserToGroupColumn'), - itemRenderer: group => ( - user && addUserToGroup(user, group)} - value={null} - /> - ), + itemRenderer: group => + group.provider === undefined ? ( + user && addUserToGroup(user, group)} + value={null} + /> + ) : null, }, ]