version: 1
metadata:
  name: Default - User settings flow
entries:
- attrs:
    designation: stage_configuration
    name: User settings
    title: Update your info
    authentication: require_authenticated
  identifiers:
    slug: default-user-settings-flow
  model: authentik_flows.flow
  id: flow
- attrs:
    order: 200
    placeholder: |
      try:
          return user.username
      except:
          return ''
    placeholder_expression: true
    required: true
    type: text
  identifiers:
    field_key: username
    label: Username
  id: prompt-field-username
  model: authentik_stages_prompt.prompt
- attrs:
    order: 201
    placeholder: |
      try:
          return user.name
      except:
          return ''
    placeholder_expression: true
    required: true
    type: text
  identifiers:
    field_key: name
    label: Name
  id: prompt-field-name
  model: authentik_stages_prompt.prompt
- attrs:
    order: 202
    placeholder: |
      try:
          return user.email
      except:
          return ''
    placeholder_expression: true
    required: true
    type: email
  identifiers:
    field_key: email
    label: Email
  id: prompt-field-email
  model: authentik_stages_prompt.prompt
- attrs:
    order: 203
    placeholder: |
      try:
          return user.attributes.get("settings", {}).get("locale", "")
      except:
          return ''
    placeholder_expression: true
    required: true
    type: ak-locale
  identifiers:
    field_key: attributes.settings.locale
    label: Locale
  id: prompt-field-locale
  model: authentik_stages_prompt.prompt
- attrs:
    expression:  |
      from authentik.lib.config import CONFIG
      from authentik.core.models import (
          USER_ATTRIBUTE_CHANGE_EMAIL,
          USER_ATTRIBUTE_CHANGE_NAME,
          USER_ATTRIBUTE_CHANGE_USERNAME
      )
      prompt_data = request.context.get("prompt_data")

      if not request.user.group_attributes(request.http_request).get(
          USER_ATTRIBUTE_CHANGE_EMAIL, CONFIG.y_bool("default_user_change_email", True)
      ):
          if prompt_data.get("email") != request.user.email:
              ak_message("Not allowed to change email address.")
              return False

      if not request.user.group_attributes(request.http_request).get(
          USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
      ):
          if prompt_data.get("name") != request.user.name:
              ak_message("Not allowed to change name.")
              return False

      if not request.user.group_attributes(request.http_request).get(
          USER_ATTRIBUTE_CHANGE_USERNAME, CONFIG.y_bool("default_user_change_username", True)
      ):
          if prompt_data.get("username") != request.user.username:
              ak_message("Not allowed to change username.")
              return False

      return True
  identifiers:
    name: default-user-settings-authorization
  id: default-user-settings-authorization
  model: authentik_policies_expression.expressionpolicy
- identifiers:
    name: default-user-settings-write
  attrs:
    user_creation_mode: never_create
  id: default-user-settings-write
  model: authentik_stages_user_write.userwritestage
- attrs:
    fields:
    - !KeyOf prompt-field-username
    - !KeyOf prompt-field-name
    - !KeyOf prompt-field-email
    - !KeyOf prompt-field-locale
    validation_policies:
    - !KeyOf default-user-settings-authorization
  identifiers:
    name: default-user-settings
  id: default-user-settings
  model: authentik_stages_prompt.promptstage
- identifiers:
    order: 20
    stage: !KeyOf default-user-settings
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 100
    stage: !KeyOf default-user-settings-write
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding