core: add goauthentik.io/user/can-change-name
closes #2054 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
9d6f79558f
commit
5769ff45b5
|
@ -47,6 +47,7 @@ from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
|
|||
from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
|
||||
from authentik.core.models import (
|
||||
USER_ATTRIBUTE_CHANGE_EMAIL,
|
||||
USER_ATTRIBUTE_CHANGE_NAME,
|
||||
USER_ATTRIBUTE_CHANGE_USERNAME,
|
||||
USER_ATTRIBUTE_SA,
|
||||
USER_ATTRIBUTE_TOKEN_EXPIRING,
|
||||
|
@ -135,6 +136,16 @@ class UserSelfSerializer(ModelSerializer):
|
|||
raise ValidationError("Not allowed to change email.")
|
||||
return email
|
||||
|
||||
def validate_name(self, name: str):
|
||||
"""Check if the user is allowed to change their name"""
|
||||
if self.instance.group_attributes().get(
|
||||
USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
|
||||
):
|
||||
return name
|
||||
if name != self.instance.name:
|
||||
raise ValidationError("Not allowed to change name.")
|
||||
return name
|
||||
|
||||
def validate_username(self, username: str):
|
||||
"""Check if the user is allowed to change their username"""
|
||||
if self.instance.group_attributes().get(
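Review bot: In `validate_name` the permission is decided by the truthiness of whatever `group_attributes().get(USER_ATTRIBUTE_CHANGE_NAME, ...)` returns, so a non-boolean attribute value such as the string `"false"` would be read as permission granted. If attributes are free-form data, as the key-based lookup suggests, the gate should compare against a boolean explicitly: bind the lookup to `allowed` and use `if allowed is True: return name`, so a mistyped value denies the change instead of allowing it. The `validate_username` context line that closes the hunk starts the same call, so the sibling validators probably share this pattern; their bodies lie outside the hunk. It is also worth confirming that a user cannot write this key into their own attributes through the self-service endpoint, which is not visible here.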
|
||||
|
|
|
@ -39,6 +39,7 @@ USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
|
|||
USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
|
||||
USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires" # nosec
|
||||
USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
|
||||
USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
|
||||
USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
|
||||
USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
|
||||
|
||||
|
|
|
@ -2,7 +2,12 @@
|
|||
from django.urls.base import reverse
|
||||
from rest_framework.test import APITestCase
|
||||
|
||||
from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
|
||||
from authentik.core.models import (
|
||||
USER_ATTRIBUTE_CHANGE_EMAIL,
|
||||
USER_ATTRIBUTE_CHANGE_NAME,
|
||||
USER_ATTRIBUTE_CHANGE_USERNAME,
|
||||
User,
|
||||
)
|
||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
|
||||
from authentik.flows.models import FlowDesignation
|
||||
from authentik.lib.generators import generate_key
|
||||
|
@ -25,6 +30,16 @@ class TestUsersAPI(APITestCase):
|
|||
)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
def test_update_self_name_denied(self):
|
||||
"""Test update_self"""
|
||||
self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
|
||||
self.admin.save()
|
||||
self.client.force_login(self.admin)
|
||||
response = self.client.put(
|
||||
reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
|
||||
)
|
||||
self.assertEqual(response.status_code, 400)
|
||||
|
||||
def test_update_self_username_denied(self):
|
||||
"""Test update_self"""
|
||||
self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
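Review bot: `test_update_self_name_denied` asserts only the 400 status while the request changes both `username` and `name`, so it would still pass if the rejection came from the username field or any other validation error. Pin the cause by keeping the current username in the payload and checking the stored value afterwards with `self.admin.refresh_from_db()` and `self.assertNotEqual(self.admin.name, "foo")`. A companion case where the flag is false and the submitted name equals the current one would cover the branch that returns the unchanged name. The docstring `"""Test update_self"""` could name the restriction, e.g. `"""Test update_self rejects a name change when can-change-name is false"""`.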
|
||||
|
|
|
@ -78,6 +78,7 @@ footer_links:
|
|||
- name: authentik Website
|
||||
href: https://goauthentik.io/?utm_source=authentik
|
||||
|
||||
default_user_change_name: true
|
||||
default_user_change_email: true
|
||||
default_user_change_username: true
|
||||
|
||||
|
|
|
@ -152,6 +152,14 @@ Configure how authentik should show avatars for users. Following values can be s
|
|||
- `%(mail_hash)s`: The email address, md5 hashed
|
||||
- `%(upn)s`: The user's UPN, if set (otherwise an empty string)
|
||||
|
||||
### AUTHENTIK_DEFAULT_USER_CHANGE_NAME
|
||||
|
||||
:::info
|
||||
Requires authentik 2021.12.5
|
||||
:::
|
||||
|
||||
Enable the ability for users to change their name, defaults to `true`.
|
||||
|
||||
### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
|
||||
|
||||
:::info
|
||||
|
|
|
@ -8,6 +8,10 @@ title: User
|
|||
|
||||
Optional flag, when set to false prevents the user from changing their own username.
|
||||
|
||||
### `goauthentik.io/user/can-change-name`
|
||||
|
||||
Optional flag, when set to false prevents the user from changing their own name.
|
||||
|
||||
### `goauthentik.io/user/can-change-email`
|
||||
|
||||
Optional flag, when set to false prevents the user from changing their own email.
|
||||
|
|