Auth: Lockdown non-editables in frontend when external auth is configured (#52160)

* Auth: Lockdown user profile edit if external synced

* Auth: use builtin isExternal

* Auth: When user is synced, orgs will be overriden on next login

public/app/features/admin/UserOrgs.tsx

@@ -60,7 +60,8 @@ export class UserOrgs extends PureComponent<Props, State> {
     const addToOrgContainerClass = css`
       margin-top: 0.8rem;
     `;
-    const canAddToOrg = contextSrv.hasPermission(AccessControlAction.OrgUsersAdd);
+
+    const canAddToOrg = contextSrv.hasPermission(AccessControlAction.OrgUsersAdd) && !isExternalUser;
     return (
       <>
         <h3 className="page-heading">Organizations</h3>

public/app/features/profile/UserProfileEditForm.tsx

@@ -21,16 +21,22 @@ export const UserProfileEditForm: FC<Props> = ({ user, isSavingUser, updateProfi
     updateProfile(data);
   };
 
+  // check if authLabels is longer than 0 otherwise false
+  const isExternalUser: boolean = (user && user.isExternal) ?? false;
+  const authSource = isExternalUser && user && user.authLabels ? user.authLabels[0] : '';
+  const lockMessage = authSource ? ` (Synced via ${authSource})` : '';
+  const disabledEdit = disableLoginForm || isExternalUser;
+
   return (
     <Form onSubmit={onSubmitProfileUpdate} validateOn="onBlur">
       {({ register, errors }) => {
         return (
           <FieldSet label={<Trans id="user-profile.title">Edit profile</Trans>}>
             <Field
-              label={t({ id: 'user-profile.fields.name-label', message: 'Name' })}
+              label={t({ id: 'user-profile.fields.name-label', message: 'Name' }) + lockMessage}
               invalid={!!errors.name}
               error={<Trans id="user-profile.fields.name-error">Name is required</Trans>}
-              disabled={disableLoginForm}
+              disabled={disabledEdit}
             >
               <Input
                 {...register('name', { required: true })}
@@ -42,10 +48,10 @@ export const UserProfileEditForm: FC<Props> = ({ user, isSavingUser, updateProfi
             </Field>
 
             <Field
-              label={t({ id: 'user-profile.fields.email-label', message: 'Email' })}
+              label={t({ id: 'user-profile.fields.email-label', message: 'Email' }) + lockMessage}
               invalid={!!errors.email}
               error={<Trans id="user-profile.fields.email-error">Email is required</Trans>}
-              disabled={disableLoginForm}
+              disabled={disabledEdit}
             >
               <Input
                 {...register('email', { required: true })}
@@ -57,14 +63,14 @@ export const UserProfileEditForm: FC<Props> = ({ user, isSavingUser, updateProfi
             </Field>
 
             <Field
-              label={t({ id: 'user-profile.fields.username-label', message: 'Username' })}
+              label={t({ id: 'user-profile.fields.username-label', message: 'Username' }) + lockMessage}
-              disabled={disableLoginForm}
+              disabled={disabledEdit}
             >
               <Input
                 {...register('login')}
                 id="edit-user-profile-username"
                 defaultValue={user?.login ?? ''}
-                placeholder={t({ id: 'user-profile.fields.username-label', message: 'Username' })}
+                placeholder={t({ id: 'user-profile.fields.username-label', message: 'Username' }) + lockMessage}
                 suffix={<InputSuffix />}
               />
             </Field>
@@ -72,7 +78,7 @@ export const UserProfileEditForm: FC<Props> = ({ user, isSavingUser, updateProfi
             <div className="gf-form-button-row">
               <Button
                 variant="primary"
-                disabled={isSavingUser}
+                disabled={isSavingUser || disabledEdit}
                 data-testid={selectors.components.UserProfile.profileSaveButton}
                 type="submit"
               >