core: add goauthentik.io/user/can-change-name

closes #2054

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2022-01-04 19:03:12 +01:00
parent 9d6f79558f
commit 5769ff45b5
6 changed files with 41 additions and 1 deletions


@ -47,6 +47,7 @@ from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
from authentik.core.models import (
USER_ATTRIBUTE_CHANGE_EMAIL,
USER_ATTRIBUTE_CHANGE_NAME,
USER_ATTRIBUTE_CHANGE_USERNAME,
USER_ATTRIBUTE_SA,
USER_ATTRIBUTE_TOKEN_EXPIRING,
@ -135,6 +136,16 @@ class UserSelfSerializer(ModelSerializer):
raise ValidationError("Not allowed to change email.")
return email
def validate_name(self, name: str):
"""Check if the user is allowed to change their name"""
if self.instance.group_attributes().get(
USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
):
return name
if name != self.instance.name:
raise ValidationError("Not allowed to change name.")
return name
def validate_username(self, username: str):
"""Check if the user is allowed to change their username"""
if self.instance.group_attributes().get(
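Review bot: `validate_name` decides by the truthiness of whatever `group_attributes().get(USER_ATTRIBUTE_CHANGE_NAME, ...)` returns, so a non-boolean value such as the string `"false"` would be truthy and allow the rename, meaning the restriction fails open. If attribute values are not guaranteed to be booleans (not visible in this hunk), bind the lookup to a local and use `if allowed is True: return name`, and state in the docstring that the attribute must be a boolean. The neighbouring `validate_email` and `validate_username` appear to follow the same pattern and would need the same treatment. Both of them, and the `UserSelfSerializer` class itself, start or end outside this hunk.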


@ -39,6 +39,7 @@ USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires" # nosec
USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"


@ -2,7 +2,12 @@
from django.urls.base import reverse
from rest_framework.test import APITestCase
from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
from authentik.core.models import (
USER_ATTRIBUTE_CHANGE_EMAIL,
USER_ATTRIBUTE_CHANGE_NAME,
USER_ATTRIBUTE_CHANGE_USERNAME,
User,
)
from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
from authentik.flows.models import FlowDesignation
from authentik.lib.generators import generate_key
@ -25,6 +30,16 @@ class TestUsersAPI(APITestCase):
)
self.assertEqual(response.status_code, 200)
def test_update_self_name_denied(self):
"""Test update_self"""
self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
self.admin.save()
self.client.force_login(self.admin)
response = self.client.put(
reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
)
self.assertEqual(response.status_code, 400)
def test_update_self_username_denied(self):
"""Test update_self"""
self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
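Review bot: `test_update_self_name_denied` asserts only the 400 status, so it would also pass if the request were rejected over the `username` field or for any other reason, and it never checks that the stored name is untouched. After the request, add `self.admin.refresh_from_db()` and `self.assertNotEqual(self.admin.name, "foo")` (assuming the test admin's name is not already "foo"). A companion case that submits the current name with the flag set to False and expects 200 would cover the branch where `validate_name` accepts an unchanged value. The docstring `"""Test update_self"""` is copied from the sibling tests; `"""Test update_self rejects a name change when can-change-name is False"""` would distinguish it.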


@ -78,6 +78,7 @@ footer_links:
- name: authentik Website
href: https://goauthentik.io/?utm_source=authentik
default_user_change_name: true
default_user_change_email: true
default_user_change_username: true


@ -152,6 +152,14 @@ Configure how authentik should show avatars for users. Following values can be s
- `%(mail_hash)s`: The email address, md5 hashed
- `%(upn)s`: The user's UPN, if set (otherwise an empty string)
### AUTHENTIK_DEFAULT_USER_CHANGE_NAME
:::info
Requires authentik 2021.12.5
:::
Enable the ability for users to change their name, defaults to `true`.
### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
:::info


@ -8,6 +8,10 @@ title: User
Optional flag, when set to false prevents the user from changing their own username.
### `goauthentik.io/user/can-change-name`
Optional flag, when set to false prevents the user from changing their own name.
### `goauthentik.io/user/can-change-email`
Optional flag, when set to false prevents the user from changing their own email.