From 864d663fa6acda9e7ba80b23a3e07076adc75d61 Mon Sep 17 00:00:00 2001
From: Mateusz Mandera
Date: Thu, 21 Aug 2025 01:18:29 +0800
Subject: [PATCH] saml: Don't allow listing zulip_groups in extra_attrs in IdP config.

zulip_groups is a special attribute, for the group sync feature, and will always be read from the SAMLResponse if it's present and group sync is enabled. Listing it in extra_attrs is a misconfiguration that results in confusing behavior.

See #35787.

(cherry picked from commit 7d40fcfd7e3c1ad59122aa9f49a8874437eea81e)
---
 zproject/computed_settings.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/zproject/computed_settings.py b/zproject/computed_settings.py
index f2dc79f266..c3ec1ae1c4 100644
--- a/zproject/computed_settings.py
+++ b/zproject/computed_settings.py
@@ -1207,6 +1207,9 @@ for idp_name, idp_dict in SOCIAL_AUTH_SAML_ENABLED_IDPS.items():
         path = f"/etc/zulip/saml/idps/{idp_name}.crt"
     idp_dict["x509cert"] = get_from_file_if_exists(path)
 
+    if "zulip_groups" in idp_dict.get("extra_attrs", []):
+        raise AssertionError("zulip_groups can't be listed in extra_attrs in the IdP config.")
+
 
 def ensure_dict_path(d: dict[str, Any], keys: list[str]) -> None:
     for key in keys:
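Review bot: The new guard is placed at the very end of the per-IdP loop body, after the x509cert handling, so any `continue` earlier in that body (the part above the hunk, which starts outside it) would silently skip this validation for that IdP — if the certificate branch bails out for IdPs that supply `x509cert` inline, those configs could still carry `zulip_groups` in `extra_attrs` and the misconfiguration the commit aims to reject would pass unnoticed at startup. Moving the two added lines to be the first statement of the loop body makes the check apply to every enabled IdP regardless of how its certificate is resolved; this is inferred from the hunk context and should be confirmed against the loop head. For a configuration error surfaced during settings loading, `ImproperlyConfigured` (Django's conventional exception for this, if the file already imports it) would also be clearer to operators than `AssertionError`, which reads as an internal invariant failure and is stripped when Python runs with `-O` only in `assert` form — here it is raised explicitly, so it still fires, but the name misleads. A one-line comment above the guard, `# zulip_groups is consumed by SAML group sync directly from the SAMLResponse; listing it as a plain extra attribute is a misconfiguration.`, would tell the next maintainer why this attribute is special.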