fix: "Allow Password Change for OAuth Users" setting is not honored i…

…n the "Forgot Password" flow (#32398)

.changeset/wise-pianos-explode.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed issue with external users being able to reset their passwords even when the "Allow Password Change for OAuth Users" setting is disabled

apps/meteor/server/methods/sendForgotPasswordEmail.ts

@@ -20,7 +20,7 @@ Meteor.methods<ServerMethods>({
 
 		const email = to.trim().toLowerCase();
 
-		const user = await Users.findOneByEmailAddress(email, { projection: { _id: 1 } });
+		const user = await Users.findOneByEmailAddress(email, { projection: { _id: 1, services: 1 } });
 
 		if (!user) {
 			return true;

apps/meteor/tests/e2e/saml.spec.ts

@@ -12,6 +12,7 @@ import { Users } from './fixtures/userStates';
 import { Registration } from './page-objects';
 import { createCustomRole, deleteCustomRole } from './utils/custom-role';
 import { getUserInfo } from './utils/getUserInfo';
+import { parseMeteorResponse } from './utils/parseMeteorResponse';
 import { setSettingValueById } from './utils/setSettingValueById';
 import { test, expect, BaseTest } from './utils/test';
 
@@ -195,6 +196,30 @@ test.describe('SAML', () => {
 		});
 	});
 
+	test('Allow password change for OAuth users', async ({  api }) => {
+		await test.step("should not send password reset mail if 'Allow Password Change for OAuth Users' setting is disabled", async () => {
+			expect((await setSettingValueById(api, 'Accounts_AllowPasswordChangeForOAuthUsers', false)).status()).toBe(200);
+
+			const response = await api.post('/method.call/sendForgotPasswordEmail', {
+				message: JSON.stringify({ msg: 'method', id: 'id', method: 'sendForgotPasswordEmail', params: ['samluser1@example.com'] }),
+			});
+			const mailSent = await parseMeteorResponse<boolean>(response);
+			expect(response.status()).toBe(200);
+			expect(mailSent).toBe(false);
+		});
+
+		await test.step("should send password reset mail if 'Allow Password Change for OAuth Users' setting is enabled", async () => {
+			expect((await setSettingValueById(api, 'Accounts_AllowPasswordChangeForOAuthUsers', true)).status()).toBe(200);
+
+			const response = await api.post('/method.call/sendForgotPasswordEmail', {
+				message: JSON.stringify({ msg: 'method', id: 'id', method: 'sendForgotPasswordEmail', params: ['samluser1@example.com'] }),
+			});
+			const mailSent = await parseMeteorResponse<boolean>(response);
+			expect(response.status()).toBe(200);
+			expect(mailSent).toBe(true);
+		});
+	});
+
 	const doLoginStep = async (page: Page, username: string, redirectUrl: string | null = '/home') => {
 		await test.step('expect successful login', async () => {
 			await poRegistration.btnLoginWithSaml.click();

apps/meteor/tests/e2e/utils/omnichannel/monitors.ts

@@ -1,5 +1,5 @@
+import { parseMeteorResponse } from '../parseMeteorResponse';
 import { BaseTest } from '../test';
-import { parseMeteorResponse } from './utils';
 
 const removeMonitor = async (api: BaseTest['api'], id: string) =>
 	api.post('/method.call/livechat:removeMonitor', {

apps/meteor/tests/e2e/utils/omnichannel/tags.ts

@@ -1,7 +1,7 @@
 import { ILivechatTag } from '@rocket.chat/core-typings';
 
+import { parseMeteorResponse } from '../parseMeteorResponse';
 import { BaseTest } from '../test';
-import { parseMeteorResponse } from './utils';
 
 type CreateTagParams = {
 	id?: string | null;

apps/meteor/tests/e2e/utils/omnichannel/units.ts

@@ -1,8 +1,8 @@
 import { faker } from '@faker-js/faker';
 import { IOmnichannelBusinessUnit } from '@rocket.chat/core-typings';
 
+import { parseMeteorResponse } from '../parseMeteorResponse';
 import { BaseTest } from '../test';
-import { parseMeteorResponse } from './utils';
 
 type CreateUnitParams = {
 	id?: string | null;