FIX: better error message on username update from Admin user page.

app/controllers/users_controller.rb

@@ -151,6 +151,12 @@ class UsersController < ApplicationController
     else
       render_json_error(user.errors.full_messages.join(','))
     end
+  rescue Discourse::InvalidAccess
+    if current_user&.staff?
+      render_json_error(I18n.t('errors.messages.sso_overrides_username'))
+    else
+      render json: failed_json, status: 403
+    end
   end
 
   def check_emails

config/locales/server.en.yml

@@ -183,6 +183,7 @@ en:
         one: is the wrong length (should be %{count} character)
         other: is the wrong length (should be %{count} characters)
       other_than: "must be other than %{count}"
+      sso_overrides_username: "Username needs to be updated on SSO provider side, since `sso_overrides_username` setting is enabled."
     template:
       body: ! "There were problems with the following fields:"
       header:

spec/requests/users_controller_spec.rb

@@ -1227,6 +1227,18 @@ describe UsersController do
 
         expect(::JSON.parse(response.body)['username']).to eq(new_username)
       end
+
+      it 'should respond with proper error message if sso_overrides_username is enabled' do
+        SiteSetting.sso_url = 'http://someurl.com'
+        SiteSetting.enable_sso = true
+        SiteSetting.sso_overrides_username = true
+        acting_user = Fabricate(:admin)
+        sign_in(acting_user)
+
+        put "/u/#{user.username}/preferences/username.json", params: { new_username: new_username }
+
+        expect(response.status).to eq(422)
+        expect(::JSON.parse(response.body)['errors'].first).to  include(I18n.t('errors.messages.sso_overrides_username'))
     end
   end