Show error if user roles are managed by SSO

[hardillb]

fixes #6958

Description

Currently if you try to change the role of a Team member who's role is managed by a SSO group it silently fails.

This adds an alert toast to explain why

Related Issue(s)

#6958

Checklist

• I have read the contribution guidelines
• Suitable unit/system level tests have been added and they pass
• Documentation has been updated
  • Upgrade instructions
  • Configuration details
  • Concepts
• Changes flowforge.yml?
  • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
  • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
• Link to Changelog Entry PR, or note why one is not needed.

Labels

• Includes a DB migration? -> add the area:migration label

[hardillb]

reverting to draft as I've not actually read @knolleary's comments on the issue about doing it properly (which explains why he up'd it to 2 hours)

[hardillb]

@knolleary I was trying to knock this out quickly without looking too closely at your earlier suggested route.

This will require:

• add a flag to the User object to indicate whether its team memberships are SSO managed. We already have the SSOGroups property that is only set if the option is enabled to expose membership to dashboard logins. Can we reuse that somehow whilst retaining the exposeGroups option?
• add the flag on the api schema so the frontend receives it
• update UX for changing role to prevent changes, with appropriate hint on why its disabled

I've now gone back to have another look and there is a small niggle with your approach. SSOGroups contains the raw group names, not the team names e.g. on my test system

{
  "email":"ben@example.com",
   "email_verified":true,
   "sso_enabled":true,
   "mfa_enabled":false,
   "SSOGroups":[
    "FlowFuse",
    "ff-development-owner",
    "minio",
    "test_ff-development-owner_test"
  ],
  "id":"r3VG59G85J",
  "username":"ben-example_come",
  "name":"ben",
  "avatar":"http://localhost:3000/avatar/YmVu",
  "admin":false,
  "createdAt":"2024-07-22T13:32:03.589Z",
  "suspended":false
}

So to get SSO managed teams we would need to filter this list based on the SSO prefix/suffix settings to get just the team names (and remove the extra groups)

Any thoughts?

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.29%. Comparing base (a9a2c86) to head (f354d9a).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6994   +/-   ##
=======================================
  Coverage   76.29%   76.29%           
=======================================
  Files         403      403           
  Lines       20296    20296           
  Branches     4881     4881           
=======================================
  Hits        15485    15485           
  Misses       4811     4811           

Flag	Coverage Δ
backend	76.29% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hardillb]

I see 2 approaches here:

1. Provide function to parse existing groups based on SSO config prefix/suffix lengths
2. Add the SSO Teams list to the User object

1 means we don't need to add anything else to the user object, but does mean always populating the SSOGroups array for a SSO user

2. adds more to the User object, but is probably the cleanest