core: add goauthentik.io/user/can-change-name
closes #2054 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
9d6f79558f
commit
5769ff45b5
|
@ -47,6 +47,7 @@ from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
|
||||||
from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
|
from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
|
||||||
from authentik.core.models import (
|
from authentik.core.models import (
|
||||||
USER_ATTRIBUTE_CHANGE_EMAIL,
|
USER_ATTRIBUTE_CHANGE_EMAIL,
|
||||||
|
USER_ATTRIBUTE_CHANGE_NAME,
|
||||||
USER_ATTRIBUTE_CHANGE_USERNAME,
|
USER_ATTRIBUTE_CHANGE_USERNAME,
|
||||||
USER_ATTRIBUTE_SA,
|
USER_ATTRIBUTE_SA,
|
||||||
USER_ATTRIBUTE_TOKEN_EXPIRING,
|
USER_ATTRIBUTE_TOKEN_EXPIRING,
|
||||||
|
@ -135,6 +136,16 @@ class UserSelfSerializer(ModelSerializer):
|
||||||
raise ValidationError("Not allowed to change email.")
|
raise ValidationError("Not allowed to change email.")
|
||||||
return email
|
return email
|
||||||
|
|
||||||
|
def validate_name(self, name: str):
|
||||||
|
"""Check if the user is allowed to change their name"""
|
||||||
|
if self.instance.group_attributes().get(
|
||||||
|
USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
|
||||||
|
):
|
||||||
|
return name
|
||||||
|
if name != self.instance.name:
|
||||||
|
raise ValidationError("Not allowed to change name.")
|
||||||
|
return name
|
||||||
|
|
||||||
def validate_username(self, username: str):
|
def validate_username(self, username: str):
|
||||||
"""Check if the user is allowed to change their username"""
|
"""Check if the user is allowed to change their username"""
|
||||||
if self.instance.group_attributes().get(
|
if self.instance.group_attributes().get(
|
||||||
|
|
|
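Review bot: The permission test in `validate_name` relies on the truthiness of whatever `self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_NAME, ...)` returns, so a non-boolean value such as the string `"false"` would count as permission granted and the restriction would silently not apply. If attribute values can be free-form (not visible on this page), compare explicitly and fail closed: bind the lookup to `allowed = ...` and use `if allowed is True: return name`. The username validator at the end of this section opens with the same `.get(` pattern and would share the concern; the email validator is mostly outside the hunk. The check lives only in `UserSelfSerializer`, whose body continues outside the hunk, so any other self-service path that writes `name` would need the same enforcement, and this page does not show whether one exists.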
@ -39,6 +39,7 @@ USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
|
||||||
USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
|
USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
|
||||||
USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires" # nosec
|
USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires" # nosec
|
||||||
USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
|
USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
|
||||||
|
USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
|
||||||
USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
|
USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
|
||||||
USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
|
USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,12 @@
|
||||||
from django.urls.base import reverse
|
from django.urls.base import reverse
|
||||||
from rest_framework.test import APITestCase
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
|
from authentik.core.models import (
|
||||||
|
USER_ATTRIBUTE_CHANGE_EMAIL,
|
||||||
|
USER_ATTRIBUTE_CHANGE_NAME,
|
||||||
|
USER_ATTRIBUTE_CHANGE_USERNAME,
|
||||||
|
User,
|
||||||
|
)
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
|
from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
|
||||||
from authentik.flows.models import FlowDesignation
|
from authentik.flows.models import FlowDesignation
|
||||||
from authentik.lib.generators import generate_key
|
from authentik.lib.generators import generate_key
|
||||||
|
@ -25,6 +30,16 @@ class TestUsersAPI(APITestCase):
|
||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, 200)
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_update_self_name_denied(self):
|
||||||
|
"""Test update_self"""
|
||||||
|
self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
|
||||||
|
self.admin.save()
|
||||||
|
self.client.force_login(self.admin)
|
||||||
|
response = self.client.put(
|
||||||
|
reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 400)
|
||||||
|
|
||||||
def test_update_self_username_denied(self):
|
def test_update_self_username_denied(self):
|
||||||
"""Test update_self"""
|
"""Test update_self"""
|
||||||
self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
|
self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
|
||||||
|
|
|
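Review bot: `test_update_self_name_denied` asserts only the 400 status, so it would also pass if the request were rejected for a reason unrelated to the name restriction. It should check that the error is reported on the name field, e.g. `self.assertIn("name", response.data)`, and that the stored name is unchanged after `self.admin.refresh_from_db()`. The branch of `validate_name` that accepts an unchanged name while the attribute is `False` is not exercised; a companion test that submits the current name and expects 200 would cover it. The docstring `"""Test update_self"""` is copied from the neighbouring tests and could read `"""Test update_self is rejected when can-change-name is False"""`. `self.admin` is set up outside the hunk.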
@ -78,6 +78,7 @@ footer_links:
|
||||||
- name: authentik Website
|
- name: authentik Website
|
||||||
href: https://goauthentik.io/?utm_source=authentik
|
href: https://goauthentik.io/?utm_source=authentik
|
||||||
|
|
||||||
|
default_user_change_name: true
|
||||||
default_user_change_email: true
|
default_user_change_email: true
|
||||||
default_user_change_username: true
|
default_user_change_username: true
|
||||||
|
|
||||||
|
|
|
@ -152,6 +152,14 @@ Configure how authentik should show avatars for users. Following values can be s
|
||||||
- `%(mail_hash)s`: The email address, md5 hashed
|
- `%(mail_hash)s`: The email address, md5 hashed
|
||||||
- `%(upn)s`: The user's UPN, if set (otherwise an empty string)
|
- `%(upn)s`: The user's UPN, if set (otherwise an empty string)
|
||||||
|
|
||||||
|
### AUTHENTIK_DEFAULT_USER_CHANGE_NAME
|
||||||
|
|
||||||
|
:::info
|
||||||
|
Requires authentik 2021.12.5
|
||||||
|
:::
|
||||||
|
|
||||||
|
Enable the ability for users to change their name, defaults to `true`.
|
||||||
|
|
||||||
### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
|
### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
|
||||||
|
|
||||||
:::info
|
:::info
|
||||||
|
|
|
@ -8,6 +8,10 @@ title: User
|
||||||
|
|
||||||
Optional flag, when set to false prevents the user from changing their own username.
|
Optional flag, when set to false prevents the user from changing their own username.
|
||||||
|
|
||||||
|
### `goauthentik.io/user/can-change-name`
|
||||||
|
|
||||||
|
Optional flag, when set to false prevents the user from changing their own name.
|
||||||
|
|
||||||
### `goauthentik.io/user/can-change-email`
|
### `goauthentik.io/user/can-change-email`
|
||||||
|
|
||||||
Optional flag, when set to false prevents the user from changing their own email.
|
Optional flag, when set to false prevents the user from changing their own email.
|
||||||
|
|