diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 786f1d3dd16..c7853e83c6e 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -151,6 +151,12 @@ class UsersController < ApplicationController
 else
 render_json_error(user.errors.full_messages.join(','))
 end
+ rescue Discourse::InvalidAccess
+ if current_user&.staff?
+ render_json_error(I18n.t('errors.messages.sso_overrides_username'))
+ else
+ render json: failed_json, status: 403
+ end
 end
 def check_emails
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index efa4a349447..18bec780902 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -183,6 +183,7 @@ en:
 one: is the wrong length (should be %{count} character)
 other: is the wrong length (should be %{count} characters)
 other_than: "must be other than %{count}"
+ sso_overrides_username: "Username needs to be updated on SSO provider side, since `sso_overrides_username` setting is enabled."
 template:
 body: ! "There were problems with the following fields:"
 header:
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 0d39c338b60..cc0c9bad540 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -1227,6 +1227,18 @@ describe UsersController do
 expect(::JSON.parse(response.body)['username']).to eq(new_username)
 end
+
+ it 'should respond with proper error message if sso_overrides_username is enabled' do
+ SiteSetting.sso_url = 'http://someurl.com'
+ SiteSetting.enable_sso = true
+ SiteSetting.sso_overrides_username = true
+ acting_user = Fabricate(:admin)
+ sign_in(acting_user)
+
+ put "/u/#{user.username}/preferences/username.json", params: { new_username: new_username }
+
+ expect(response.status).to eq(422)
+ expect(::JSON.parse(response.body)['errors'].first).to include(I18n.t('errors.messages.sso_overrides_username'))
 end
 end
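Review bot: The new `rescue Discourse::InvalidAccess` is a method-level clause, so every InvalidAccess raised anywhere in the action (the action's body starts before this hunk, so I cannot see which call raises) is reported to staff as an SSO-override problem, even when `sso_overrides_username` is not the cause; the message is then misleading for any other authorization failure on the username change. The staff branch should be tied to the setting that the message names, which the spec shows is exposed as `SiteSetting.sso_overrides_username`: `if current_user&.staff? && SiteSetting.sso_overrides_username`, falling through to the existing 403 response otherwise. The non-staff branch now also swallows the exception inside the action rather than letting it reach whatever application-level handler caught it before this change, so the response body for that path presumably changes — worth confirming that `failed_json` with 403 matches what clients expect. As a point of style, `status: :forbidden` reads clearer than the bare `403`.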
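Review bot: The new example signs in as `Fabricate(:admin)`, so only the staff branch of the controller's new rescue clause (422 with the localized message) is exercised; the non-staff branch that renders `failed_json` with status 403 has no coverage in this commit. A second example that signs in as the non-staff `user` already available in this spec and asserts the 403 would cover it; the two examples share their SiteSetting setup, which could move into a `before` block if this `context` gains more SSO cases.
```ruby
it 'should respond with 403 for a non-staff user if sso_overrides_username is enabled' do
  SiteSetting.sso_url = 'http://someurl.com'
  SiteSetting.enable_sso = true
  SiteSetting.sso_overrides_username = true
  sign_in(user)

  put "/u/#{user.username}/preferences/username.json", params: { new_username: new_username }

  expect(response.status).to eq(403)
end
```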