core: make defaults for _change_email and _change_username configurable

closes #1789 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-13 22:33:03 +01:00 · 2021-11-13 22:33:03 +01:00 · 88516ba2ca
parent f069cfb643
commit 88516ba2ca
3 changed files with 26 additions and 2 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -55,6 +55,7 @@ from authentik.core.models import (
    User,
 )
 from authentik.events.models import EventAction
+from authentik.lib.config import CONFIG
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -125,7 +126,9 @@ class UserSelfSerializer(ModelSerializer):

    def validate_email(self, email: str):
        """Check if the user is allowed to change their email"""
-        if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_EMAIL, True):
+        if self.instance.group_attributes().get(
+            USER_ATTRIBUTE_CHANGE_EMAIL, CONFIG.y_bool("default_user_change_email", True)
+        ):
            return email
        if email != self.instance.email:
            raise ValidationError("Not allowed to change email.")
@ -133,7 +136,9 @@ class UserSelfSerializer(ModelSerializer):

    def validate_username(self, username: str):
        """Check if the user is allowed to change their username"""
-        if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_USERNAME, True):
+        if self.instance.group_attributes().get(
+            USER_ATTRIBUTE_CHANGE_USERNAME, CONFIG.y_bool("default_user_change_username", True)
+        ):
            return username
        if username != self.instance.username:
            raise ValidationError("Not allowed to change username.")
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -78,3 +78,6 @@ footer_links:
    href: https://goauthentik.io/docs/?utm_source=authentik
  - name: authentik Website
    href: https://goauthentik.io/?utm_source=authentik
+
+default_user_change_email: true
+default_user_change_username: true
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@ -149,6 +149,22 @@ Configure how authentik should show avatars for users. Following values can be s
   - `%(mail_hash)s`: The email address, md5 hashed
   - `%(upn)s`: The user's UPN, if set (otherwise an empty string)

+### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
+
+:::info
+Requires authentik 2021.10.5
+:::
+
+Enable the ability for users to change their Email address, defaults to `true`.
+
+### AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
+
+:::info
+Requires authentik 2021.10.5
+:::
+
+Enable the ability for users to change their Usernames, defaults to `true`.
+
 ## Debugging

 To check if your config has been applied correctly, you can run the following command to output the full config: