
General: Disable edits of users if saml2 is active#12542

Open

dfuchss wants to merge 14 commits into develop from feature/disable-account-profile-change-for-saml2

Conversation

Contributor

@dfuchss dfuchss commented Apr 16, 2026

Summary

With SAML2 enabled, users shall not be able to change Name or Mail.
See #12528

Checklist

General

Server

  • Important: I implemented the changes with a very good performance and prevented too many (unnecessary) and too complex database calls.
  • I strictly followed the principle of data economy for all database calls.
  • I strictly followed the server coding and design guidelines and the REST API guidelines.
  • I added multiple integration tests (Spring) related to the features (with a high test coverage).
  • I documented the Java code using JavaDoc style.

Client

  • Important: I implemented the changes with a very good performance, prevented too many (unnecessary) REST calls and made sure the UI is responsive, even with large data (e.g. using paging).
  • I strictly followed the principle of data economy for all client-server REST calls.
  • I strictly followed the client coding guidelines.
  • I strictly followed the AET UI-UX guidelines.
  • Following the theming guidelines, I specified colors only in the theming variable files and checked that the changes look consistent in both the light and the dark theme.
  • I added multiple integration tests (Vitest) related to the features (with a high test coverage), while following the test guidelines.
  • I added authorities to all new routes and checked the course groups for displaying navigation elements (links, buttons).
  • I documented the TypeScript code using JSDoc style.
  • I translated all newly inserted strings into English and German.

Motivation and Context

Resolve #12528 SAML2 users shall not be able to change their names or mail

Description

Disables (FE/BE) the ability of users to change their name or mail if SAML2 is enabled.

Steps for Testing

Prerequisites:

  • 1 Admin
  • 1 Student
  1. Log in to Artemis
  2. Navigate to Account Settings and try to change Name/Mail with SAML2 enabled
  3. Admins shall be able to change names in the admin menu, but in the account settings menu it shall be disabled.

Testserver States

You can manage test servers using Helios. Check environment statuses in the environment list. To deploy to a test server, go to the CI/CD page, find your PR or branch, and trigger the deployment.

Review Progress

Performance Review

  • I (as a reviewer) confirm that the client changes (in particular related to REST calls and UI responsiveness) are implemented with a very good performance even for very large courses with more than 2000 students.
  • I (as a reviewer) confirm that the server changes (in particular related to database calls) are implemented with a very good performance even for very large courses with more than 2000 students.

Code Review

  • Code Review 1
  • Code Review 2

Manual Tests

  • Test 1
  • Test 2

Exam Mode Test

  • Test 1
  • Test 2

Performance Tests

  • Test 1
  • Test 2

Test Coverage

Client

Class/File Line Coverage Lines Expects Ratio
settings.component.ts 100.00% 119 46 38.7

Server

Class/File Line Coverage Lines
ProfileService.java 81.82% 43
AccountResource.java 92.11% 184

Last updated: 2026-05-07 20:30:19 UTC

Screenshots

Summary by CodeRabbit

  • New Features

    • SAML2-managed profiles: name and email become read-only in account settings when SAML2 is active; language preference remains editable.
    • Settings show an informational alert when SAML2-managed fields are enforced.
  • Documentation

    • Added English and German localization for the SAML2 settings notification.
  • Tests

    • Added unit and integration tests validating SAML2-active form behavior and save handling.

@github-project-automation github-project-automation Bot moved this to Work In Progress in Artemis Development Apr 16, 2026
@github-actions github-actions Bot added tests server Pull requests that update Java code. (Added Automatically!) client Pull requests that update TypeScript code. (Added Automatically!) core Pull requests that affect the corresponding module labels Apr 16, 2026
@dfuchss dfuchss requested a review from Copilot April 16, 2026 03:51
Contributor

Copilot AI left a comment


Pull request overview

Disables editing of user name/email in the account settings when the saml2 profile is active, while still allowing users to change their language preference.

Changes:

  • Server: Short-circuit /api/core/account updates under SAML2 to only persist langKey.
  • Client: Detect active SAML2 profile to disable name/email inputs and only send langKey updates.
  • Tests/i18n: Add integration/unit tests and user-facing info message translations (EN/DE).

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/main/java/de/tum/cit/aet/artemis/core/web/AccountResource.java Enforces SAML2 behavior on the server by limiting updates to langKey.
src/main/java/de/tum/cit/aet/artemis/core/service/ProfileService.java Adds a helper to check whether the saml2 Spring profile is active.
src/main/webapp/app/core/account/settings/settings.component.ts Detects SAML2 profile, disables name/email fields, and avoids updating them in the payload.
src/main/webapp/app/core/account/settings/settings.component.html Shows an informational banner when SAML2 syncing is active.
src/main/webapp/app/core/account/settings/settings.component.spec.ts Adds a unit test ensuring name/email aren’t updated when SAML2 is active.
src/main/webapp/i18n/en/settings.json Adds SAML2 syncing info text (EN).
src/main/webapp/i18n/de/settings.json Adds SAML2 syncing info text (DE).
src/test/java/de/tum/cit/aet/artemis/core/user/AccountResourceIntegrationTest.java Adds integration tests verifying server-side behavior under SAML2.


Comment thread src/main/java/de/tum/cit/aet/artemis/core/web/AccountResource.java Outdated
@github-actions

@dfuchss Test coverage could not be fully measured because some tests failed. Please check the workflow logs for details.

@github-actions

github-actions Bot commented Apr 16, 2026

End-to-End Test Results

Phase 1 (Relevant): ✅ Passed
Phase 1: E2E Test Report: 22 ran, 22 passed, 0 skipped, 0 failed, time 3m 1s
Phase 2 (Remaining): ❌ Failed
Phase 2: E2E Test Report: 232 ran, 229 passed, 2 skipped, 1 failed, time 21m 36s

Test Strategy: Two-phase execution

  • Phase 1: e2e/Login.spec.ts e2e/Logout.spec.ts e2e/SystemHealth.spec.ts e2e/course/CourseManagement.spec.ts
  • Phase 2: e2e/atlas/ e2e/course/CourseChannelMessages.spec.ts e2e/course/CourseDirectMessages.spec.ts e2e/course/CourseExercise.spec.ts e2e/course/CourseGroupChatMessages.spec.ts e2e/course/CourseMessageInteractions.spec.ts e2e/course/CourseOnboarding.spec.ts e2e/exam/ExamAssessment.spec.ts e2e/exam/ExamChecklists.spec.ts e2e/exam/ExamCreationDeletion.spec.ts e2e/exam/ExamDateVerification.spec.ts e2e/exam/ExamManagement.spec.ts e2e/exam/ExamParticipation.spec.ts e2e/exam/ExamResults.spec.ts e2e/exam/ExamTestRun.spec.ts e2e/exam/test-exam/ e2e/exercise/ExerciseImport.spec.ts e2e/exercise/file-upload/ e2e/exercise/modeling/ e2e/exercise/programming/ e2e/exercise/quiz-exercise/ e2e/exercise/text/ e2e/lecture/
❌ Failed Tests (Phase 2)
  • Exam participation › Programming exam with Git submissions › Participates in exam by Git submission using https (9m 48s)

Flakiness Scores for Failed Tests

Test: e2e/exam/ExamParticipation.spec.ts#Exam participation › Programming exam with Git submissions › Participates in exam by Git submission using https
Flakiness Score: 62.9718875502008%
Default Branch Failure Rate: 5.0%
Combined Failure Rate: 0.5%

Overall: ❌ Phase 2 (remaining tests) failed


@dfuchss dfuchss force-pushed the feature/disable-account-profile-change-for-saml2 branch from e0524d1 to 2d73e4a Compare April 16, 2026 17:29
@dfuchss dfuchss force-pushed the feature/disable-account-profile-change-for-saml2 branch from 2d73e4a to b5c2c8f Compare April 16, 2026 17:35
@github-actions

@dfuchss Test coverage could not be fully measured because some tests failed. Please check the workflow logs for details.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.


Comment thread src/main/java/de/tum/cit/aet/artemis/core/web/AccountResource.java
Comment thread src/main/webapp/app/core/account/settings/settings.component.ts Outdated
Comment thread src/main/java/de/tum/cit/aet/artemis/core/service/ProfileService.java Outdated
@github-actions

@dfuchss Test coverage has been automatically updated in the PR description.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
coderabbitai Bot previously approved these changes Apr 16, 2026
@github-actions

@dfuchss Test coverage has been automatically updated in the PR description.

…java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
coderabbitai Bot previously approved these changes Apr 17, 2026
coderabbitai Bot previously approved these changes Apr 17, 2026
@github-actions

@dfuchss Test coverage has been automatically updated in the PR description.

@github-project-automation github-project-automation Bot moved this from Work In Progress to Ready For Review in Artemis Development Apr 22, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/main/webapp/app/core/account/settings/settings.component.ts`:
- Around line 138-143: The payload currently only blocks name/email updates for
SAML2, but the form disables those controls when !isInternal || isSaml2Active;
change the update guard to match that rule so non-internal users can't submit
tampered name/email. In settings.component.ts replace the condition around
setting userToUpdate.firstName/lastName/email (currently checking
this.isSaml2Active) with the inverse of the disable predicate (i.e. only allow
assignment when this.isInternal && !this.isSaml2Active) so the submitted payload
aligns with the disabled-control logic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e5037d88-e563-410a-b695-1e9d094bfa83

📥 Commits

Reviewing files that changed from the base of the PR and between 060e71d and e744f9d.

📒 Files selected for processing (2)
  • src/main/webapp/app/core/account/settings/settings.component.spec.ts
  • src/main/webapp/app/core/account/settings/settings.component.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/main/webapp/app/core/account/settings/settings.component.spec.ts

Comment thread src/main/webapp/app/core/account/settings/settings.component.ts
@github-actions

@dfuchss Test coverage has been automatically updated in the PR description.

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
src/main/webapp/app/core/account/settings/settings.component.html (1)

34-34: Remove redundant [disabled] bindings on reactive form controls.

The component already calls disable()/enable() on these controls via updateNameAndEmailControlState() (lines 111–117), which manages the disabled state through the reactive form API. The [disabled] bindings in the template are redundant—when a FormControl is disabled, Angular automatically renders the disabled attribute in the DOM. Using both triggers an Angular dev-mode warning: "It looks like you're using the disabled attribute with a reactive form directive."

Remove the [disabled] bindings to rely solely on the FormControl state as the single source of truth:

Changes (lines 34, 59, 90)
-                                formControlName="firstName"
-                                [disabled]="!isInternalUser() || isSaml2Active"
+                                formControlName="firstName"
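Review bot: the binding being removed is the only place in the template that encodes the non-internal half of the predicate, `!isInternalUser() || isSaml2Active`, so before dropping it confirm that updateNameAndEmailControlState() disables the controls for non-internal users as well as under SAML2; if it only reacts to isSaml2Active, removing the binding silently re-enables name and email editing for external users. Either way the form state is UX only; the server-side langKey-only update under SAML2 described in the change summary remains the enforcement point.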

Also applies to: 59, 90

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/main/webapp/app/core/account/settings/settings.component.html` at line
34, Remove the redundant [disabled] bindings from the template controls that are
already managed by the reactive form API; rely on the FormControl disabled state
set by updateNameAndEmailControlState() instead of using
[disabled]="!isInternalUser() || isSaml2Active". Specifically, delete the
[disabled] attributes referencing isInternalUser() and isSaml2Active on the form
inputs (the ones controlled by updateNameAndEmailControlState()) so Angular's
FormControl.disable()/enable() is the single source of truth and avoids the
dev-mode warning.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3492cc8e-23e5-4fe9-8fdc-6c29e1e1aadc

📥 Commits

Reviewing files that changed from the base of the PR and between e744f9d and 45579e9.

📒 Files selected for processing (2)
  • src/main/webapp/app/core/account/settings/settings.component.html
  • src/main/webapp/app/core/account/settings/settings.component.ts

@github-actions

@dfuchss Test coverage has been automatically updated in the PR description.

Contributor

@Claudia-Anthropica Claudia-Anthropica left a comment


@dfuchss Nice clean feature — the server/client split and tests all look solid. One issue though: the SAML2 guard sits after the registration-disabled check, which means SAML2 users can't even change their language when registration is disabled. See inline comment.

Comment thread src/main/java/de/tum/cit/aet/artemis/core/web/AccountResource.java
Contributor

@b-fein b-fein left a comment


Tested on a Uni Passau test system with SAML2. Works as intended.

@dfuchss dfuchss added this to the 9.1.2 milestone Apr 24, 2026
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.


Contributor

@Claudia-Anthropica Claudia-Anthropica left a comment


@dfuchss All feedback addressed — SAML2 users are indeed internal so the ordering concern doesn't apply. Nice clean implementation, approving.

@github-actions

@dfuchss Test coverage has been automatically updated in the PR description.

@github-actions

github-actions Bot commented May 4, 2026

@dfuchss Test coverage has been automatically updated in the PR description.

@bensofficial bensofficial modified the milestones: 9.1.2, 9.2.0, 9.1.3 May 5, 2026
@github-actions

github-actions Bot commented May 6, 2026

@dfuchss Test coverage has been automatically updated in the PR description.

@helios-aet helios-aet Bot temporarily deployed to artemis-test4.artemis.cit.tum.de May 7, 2026 13:07 Inactive
@github-actions

github-actions Bot commented May 7, 2026

@dfuchss Test coverage has been automatically updated in the PR description.


Labels

client Pull requests that update TypeScript code. (Added Automatically!) core Pull requests that affect the corresponding module ready for review server Pull requests that update Java code. (Added Automatically!) tests

Projects

Status: Ready For Review

Development

Successfully merging this pull request may close these issues.

Artemis Settings allow setting names

5 participants