From dd279d3ea268a82efad78e60c0e36d10c9f54764 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sun, 24 Sep 2023 20:51:45 -0700
Subject: [PATCH] Disallow user group creation when server has OIDC auth with group sync enabled.
---
 meshuser.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/meshuser.js b/meshuser.js
index 4fe53fb3..d81ca46f 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -1491,7 +1491,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 var ugrpdomain, err = null;
 try {
 // Check if we are in a mode that does not allow manual user group creation
- if (domain.auth == 'ldap') { err = "Not allowed in LDAP mode"; }
+ if (
+ (typeof domain.authstrategies == 'object') &&
+ (typeof domain.authstrategies['oidc'] == 'object') &&
+ (typeof domain.authstrategies['oidc'].groups == 'object') &&
+ ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
+ ) {
+ err = "Not allowed in OIDC mode with user group sync.";
+ }
 // Check if we have new group restriction
 if ((user.siteadmin & SITERIGHT_USERGROUPS) == 0) { err = "Permission denied"; }