fix(scim): ensure scim users aren't created with their own org (#7595)

2025-07-13 21:36:50 +00:00 · 2023-05-18 20:54:45 -04:00
parent 0b15b1bcd1
commit dd5b0b2721
8 changed files with 105 additions and 26 deletions
--- a/enterprise/coderd/scim.go
+++ b/enterprise/coderd/scim.go
@ -156,11 +156,27 @@ func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

+	var organizationID uuid.UUID
+	//nolint:gocritic
+	organizations, err := api.Database.GetOrganizations(dbauthz.AsSystemRestricted(ctx))
+	if err != nil {
+		_ = handlerutil.WriteError(rw, err)
+		return
+	}
+
+	if len(organizations) > 0 {
+		// Add the user to the first organization. Once multi-organization
+		// support is added, we should enable a configuration map of user
+		// email to organization.
+		organizationID = organizations[0].ID
+	}
+
 	//nolint:gocritic // needed for SCIM
 	user, _, err := api.AGPL.CreateUser(dbauthz.AsSystemRestricted(ctx), api.Database, agpl.CreateUserRequest{
 		CreateUserRequest: codersdk.CreateUserRequest{
-			Username: sUser.UserName,
-			Email:    email,
+			Username:       sUser.UserName,
+			Email:          email,
+			OrganizationID: organizationID,
 		},
 		LoginType: database.LoginTypeOIDC,
 	})