[FEAT] Add DISABLE_SSO_IDP_AUTHORIZATION flag for SSO user mgmt #1942
johnyrahul wants to merge 1 commit into main
Conversation
Surfaces a new Django setting `DISABLE_SSO_IDP_AUTHORIZATION` (default False) through GET /api/v1/session so the Manage Users UI can let admins edit roles for SSO-authenticated users locally while keeping invite and delete blocked (those still go through the IdP).

When the flag is True and the session has a provider:
- Actions column is rendered with Edit only (Delete hidden)
- Invite User button stays hidden

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
What
- New Django setting DISABLE_SSO_IDP_AUTHORIZATION (default False).
- Exposed in the GET /api/v1/session response (UserSessionInfo → UserSessionResponseSerializer).
- Frontend: useSessionValid → getSessionData → sessionDetails.disableSsoIdpAuthorization.
- Users.jsx uses it to gate the Actions menu and Invite button.
Why
When users are authenticated via an external provider (e.g. enterprise SSO via Auth0), the existing flow hides the entire Manage Users action surface. With this flag enabled, admins can still edit a user's role locally while invite/delete remain blocked — useful when SSO/IdP authorization is disabled and authorization is managed inside Unstract.
How
- backend/backend/settings/base.py: declare the new DISABLE_SSO_IDP_AUTHORIZATION setting (defaults to False).
- backend/account_v2/dto.py: add disable_sso_idp_authorization: bool = False to UserSessionInfo and propagate it through from_dict/to_dict.
- backend/account_v2/serializer.py: add the matching BooleanField on UserSessionResponseSerializer.
- backend/account_v2/views.py: pass settings.DISABLE_SSO_IDP_AUTHORIZATION into UserSessionInfo in make_session_response.
- frontend/src/hooks/useSessionValid.js: copy disable_sso_idp_authorization into userAndOrgDetails.
- frontend/src/helpers/GetSessionData.js: surface it as sessionDetails.disableSsoIdpAuthorization.
- frontend/src/components/settings/users/Users.jsx:
  - isSsoLocalAuthz = !!provider && !!disableSsoIdpAuthorization derived value.
  - Actions column shown when !provider || isSsoLocalAuthz.
  - Under isSsoLocalAuthz, the dropdown contains only the Edit item.
  - Invite User button shown only when !provider (unchanged).
  - Delete stays hidden whenever provider is set.
Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)
Defaults to False, which preserves the prior behavior (Actions column and Invite button hidden for any session with provider). Behavior only changes when an operator explicitly opts in by setting DISABLE_SSO_IDP_AUTHORIZATION=True.
Database Migrations
Env Config
DISABLE_SSO_IDP_AUTHORIZATION (default False).
Relevant Docs
Related Issues or PRs
Dependencies Versions
Notes on Testing
- With DISABLE_SSO_IDP_AUTHORIZATION=False and an SSO-authenticated session: confirm Manage Users hides both Invite User and the Actions column (existing behavior).
- With DISABLE_SSO_IDP_AUTHORIZATION=True and an SSO-authenticated session: confirm Manage Users hides Invite User, shows the Actions column, and the row dropdown contains only Edit (no Delete).
- GET /api/v1/session response now includes the disable_sso_idp_authorization boolean.
Screenshots
Checklist
I have read and understood the Contribution Guidelines.
🤖 Generated with Claude Code
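Added worked example (editor's code, not Unstract's and not part of this PR): a stand-alone Python model of the flow the What/How/Notes on Testing sections describe. It carries the DISABLE_SSO_IDP_AUTHORIZATION setting from a settings dict into a UserSessionInfo-style DTO with from_dict/to_dict, serialises it the way the session endpoint would, and then derives the Manage Users UI state (Invite button, Actions column, row dropdown) from `provider` and `disable_sso_idp_authorization` exactly as the PR states. The DTO field set beyond those two keys, the settings-dict shape and the "Edit + Delete" menu assumed for locally authenticated sessions are assumptions, not taken from the project.

```python
"""Model of the DISABLE_SSO_IDP_AUTHORIZATION flag propagation and UI gating.

Editor's example, not Unstract code. Only `provider` and
`disable_sso_idp_authorization` are names taken from the PR; the other
fields and the settings-dict shape are assumptions.
"""
from dataclasses import asdict, dataclass, fields
from typing import Any


@dataclass
class UserSessionInfo:
    """Stand-in for account_v2.dto.UserSessionInfo (assumed minimal fields)."""
    id: str
    email: str
    provider: str = ""  # IdP name for SSO sessions, empty for local auth
    disable_sso_idp_authorization: bool = False

    @classmethod
    def from_dict(cls, data: dict[str, Any]) -> "UserSessionInfo":
        # Ignore keys the DTO does not declare so an upstream payload with
        # extra fields still round-trips; the flag defaults to False if absent.
        known = {f.name for f in fields(cls)}
        return cls(**{k: v for k, v in data.items() if k in known})

    def to_dict(self) -> dict[str, Any]:
        return asdict(self)


def make_session_response(user: dict[str, Any],
                          settings: dict[str, Any]) -> dict[str, Any]:
    """Stand-in for account_v2.views.make_session_response.

    The flag is a deployment-wide Django setting, so it is read from settings
    (default False), not from the user record, and copied onto the DTO before
    serialisation. `settings` is an assumed plain dict here.
    """
    info = UserSessionInfo.from_dict(user)
    info.disable_sso_idp_authorization = bool(
        settings.get("DISABLE_SSO_IDP_AUTHORIZATION", False)
    )
    return info.to_dict()  # what GET /api/v1/session would return


def manage_users_ui_state(session: dict[str, Any]) -> dict[str, Any]:
    """Derive the Manage Users gating from a session payload.

    Mirrors the Users.jsx rules stated in the PR:
      isSsoLocalAuthz = !!provider && !!disableSsoIdpAuthorization
      Actions column  = !provider || isSsoLocalAuthz
      Invite button   = !provider            (unchanged by the PR)
      Delete          = hidden whenever provider is set
    """
    has_provider = bool(session.get("provider"))
    flag = bool(session.get("disable_sso_idp_authorization", False))
    is_sso_local_authz = has_provider and flag

    if not has_provider:
        row_actions = ["Edit", "Delete"]  # assumed full menu for local sessions
    elif is_sso_local_authz:
        row_actions = ["Edit"]  # flag on + SSO: Edit only, Delete stays hidden
    else:
        row_actions = []  # flag off + SSO: Actions column hidden entirely

    return {
        "show_invite": not has_provider,
        "show_actions": (not has_provider) or is_sso_local_authz,
        "row_actions": row_actions,
    }


if __name__ == "__main__":
    user = {"id": "u1", "email": "admin@example.test", "provider": "auth0"}
    for flag in (False, True):
        session = make_session_response(
            user, {"DISABLE_SSO_IDP_AUTHORIZATION": flag}
        )
        print(flag, manage_users_ui_state(session))
```

Running the module prints the two SSO cases from Notes on Testing: with the flag off the Invite button and Actions column are both hidden; with it on the Actions column appears with Edit only while Invite stays hidden. Note that this models presentation only: the flag changes what the UI renders, and whatever the backend does when a role-edit request arrives for an SSO user is outside what this PR describes.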