core: add goauthentik.io/user/can-change-name

closes #2054

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/core/api/users.py

@@ -47,6 +47,7 @@ from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
 from authentik.core.models import (
     USER_ATTRIBUTE_CHANGE_EMAIL,
+    USER_ATTRIBUTE_CHANGE_NAME,
     USER_ATTRIBUTE_CHANGE_USERNAME,
     USER_ATTRIBUTE_SA,
     USER_ATTRIBUTE_TOKEN_EXPIRING,
@@ -135,6 +136,16 @@ class UserSelfSerializer(ModelSerializer):
             raise ValidationError("Not allowed to change email.")
         return email
 
+    def validate_name(self, name: str):
+        """Check if the user is allowed to change their name"""
+        if self.instance.group_attributes().get(
+            USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
+        ):
+            return name
+        if name != self.instance.name:
+            raise ValidationError("Not allowed to change name.")
+        return name
+
     def validate_username(self, username: str):
         """Check if the user is allowed to change their username"""
         if self.instance.group_attributes().get(

authentik/core/models.py

@@ -39,6 +39,7 @@ USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
+USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 

authentik/core/tests/test_users_api.py

@@ -2,7 +2,12 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
+from authentik.core.models import (
+    USER_ATTRIBUTE_CHANGE_EMAIL,
+    USER_ATTRIBUTE_CHANGE_NAME,
+    USER_ATTRIBUTE_CHANGE_USERNAME,
+    User,
+)
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_key
@@ -25,6 +30,16 @@ class TestUsersAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
+    def test_update_self_name_denied(self):
+        """Test update_self"""
+        self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
+        self.admin.save()
+        self.client.force_login(self.admin)
+        response = self.client.put(
+            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
+        )
+        self.assertEqual(response.status_code, 400)
+
     def test_update_self_username_denied(self):
         """Test update_self"""
         self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False

authentik/lib/default.yml

@@ -78,6 +78,7 @@ footer_links:
   - name: authentik Website
     href: https://goauthentik.io/?utm_source=authentik
 
+default_user_change_name: true
 default_user_change_email: true
 default_user_change_username: true
 

website/docs/installation/configuration.md

@@ -152,6 +152,14 @@ Configure how authentik should show avatars for users. Following values can be s
    - `%(mail_hash)s`: The email address, md5 hashed
    - `%(upn)s`: The user's UPN, if set (otherwise an empty string)
 
+### AUTHENTIK_DEFAULT_USER_CHANGE_NAME
+
+:::info
+Requires authentik 2021.12.5
+:::
+
+Enable the ability for users to change their name, defaults to `true`.
+
 ### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
 
 :::info

website/docs/user-group/user.md

@@ -8,6 +8,10 @@ title: User
 
 Optional flag, when set to false prevents the user from changing their own username.
 
+### `goauthentik.io/user/can-change-name`
+
+Optional flag, when set to false prevents the user from changing their own name.
+
 ### `goauthentik.io/user/can-change-email`
 
 Optional flag, when set to false prevents the user from changing their own email.