core: add goauthentik.io/user/can-change-name

closes #2054 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-04 19:03:12 +01:00 · 2022-01-04 19:03:12 +01:00 · 5769ff45b5
parent 9d6f79558f
commit 5769ff45b5
6 changed files with 41 additions and 1 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -47,6 +47,7 @@ from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
 from authentik.core.models import (
    USER_ATTRIBUTE_CHANGE_EMAIL,
+    USER_ATTRIBUTE_CHANGE_NAME,
    USER_ATTRIBUTE_CHANGE_USERNAME,
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
@ -135,6 +136,16 @@ class UserSelfSerializer(ModelSerializer):
            raise ValidationError("Not allowed to change email.")
        return email

+    def validate_name(self, name: str):
+        """Check if the user is allowed to change their name"""
+        if self.instance.group_attributes().get(
+            USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
+        ):
+            return name
+        if name != self.instance.name:
+            raise ValidationError("Not allowed to change name.")
+        return name
+
    def validate_username(self, username: str):
        """Check if the user is allowed to change their username"""
        if self.instance.group_attributes().get(
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -39,6 +39,7 @@ USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
+USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"

--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -2,7 +2,12 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

-from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
+from authentik.core.models import (
+    USER_ATTRIBUTE_CHANGE_EMAIL,
+    USER_ATTRIBUTE_CHANGE_NAME,
+    USER_ATTRIBUTE_CHANGE_USERNAME,
+    User,
+)
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_key
@ -25,6 +30,16 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)

+    def test_update_self_name_denied(self):
+        """Test update_self"""
+        self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
+        self.admin.save()
+        self.client.force_login(self.admin)
+        response = self.client.put(
+            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
+        )
+        self.assertEqual(response.status_code, 400)
+
    def test_update_self_username_denied(self):
        """Test update_self"""
        self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -78,6 +78,7 @@ footer_links:
  - name: authentik Website
    href: https://goauthentik.io/?utm_source=authentik

+default_user_change_name: true
 default_user_change_email: true
 default_user_change_username: true

--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@ -152,6 +152,14 @@ Configure how authentik should show avatars for users. Following values can be s
   - `%(mail_hash)s`: The email address, md5 hashed
   - `%(upn)s`: The user's UPN, if set (otherwise an empty string)

+### AUTHENTIK_DEFAULT_USER_CHANGE_NAME
+
+:::info
+Requires authentik 2021.12.5
+:::
+
+Enable the ability for users to change their name, defaults to `true`.
+
 ### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL

 :::info
--- a/website/docs/user-group/user.md
+++ b/website/docs/user-group/user.md
@ -8,6 +8,10 @@ title: User

 Optional flag, when set to false prevents the user from changing their own username.

+### `goauthentik.io/user/can-change-name`
+
+Optional flag, when set to false prevents the user from changing their own name.
+
 ### `goauthentik.io/user/can-change-email`

 Optional flag, when set to false prevents the user from changing their own email.