diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index e6f05a62f..cb09f0f05 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -55,6 +55,7 @@ from authentik.core.models import (
 User,
 )
 from authentik.events.models import EventAction
+from authentik.lib.config import CONFIG
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -125,7 +126,9 @@ class UserSelfSerializer(ModelSerializer):
 def validate_email(self, email: str):
 """Check if the user is allowed to change their email"""
- if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_EMAIL, True):
+ if self.instance.group_attributes().get(
+ USER_ATTRIBUTE_CHANGE_EMAIL, CONFIG.y_bool("default_user_change_email", True)
+ ):
 return email
 if email != self.instance.email:
 raise ValidationError("Not allowed to change email.")
@@ -133,7 +136,9 @@ class UserSelfSerializer(ModelSerializer):
 def validate_username(self, username: str):
 """Check if the user is allowed to change their username"""
- if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_USERNAME, True):
+ if self.instance.group_attributes().get(
+ USER_ATTRIBUTE_CHANGE_USERNAME, CONFIG.y_bool("default_user_change_username", True)
+ ):
 return username
 if username != self.instance.username:
 raise ValidationError("Not allowed to change username.")
diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index d1488b6aa..e3310b989 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -78,3 +78,6 @@ footer_links:
 href: https://goauthentik.io/docs/?utm_source=authentik
 - name: authentik Website
 href: https://goauthentik.io/?utm_source=authentik
+
+default_user_change_email: true
+default_user_change_username: true
diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md
index 30a3c3e8c..bef22847e 100644
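Review bot: In `validate_email` the value returned by `group_attributes().get(...)` is tested by truthiness, so the new fallback is strictly parsed through `CONFIG.y_bool` while an attribute stored as a non-empty string such as `"false"` would still permit the change (assuming attributes can hold non-boolean values); the `validate_username` hunk that follows has the same shape. Email and username are the identifiers downstream applications commonly match accounts on, so I would bind the lookup to a local and compare strictly, e.g. `if allowed is True:`, or at least state the precedence in the docstring: `"""Check if the user is allowed to change their email; a user/group attribute overrides the default_user_change_email setting."""`. A test that sets `default_user_change_email` to false with no attribute present and expects `ValidationError` on a changed email would pin the new path. The end of `validate_email` appears to lie outside this hunk.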
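Review bot: The two new keys ship without a comment, and their names alone do not say that they are only a fallback: in `users.py` a value found under `USER_ATTRIBUTE_CHANGE_EMAIL` or `USER_ATTRIBUTE_CHANGE_USERNAME` in the user's group attributes takes precedence over them. I would add `# Fallback when no user/group attribute decides; set to false to stop self-service changes` above the pair. Both defaults are permissive, which keeps the previous behaviour, so the comment is also the place to tell operators whose applications key accounts on email or username that they may want `false` here.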
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@@ -149,6 +149,22 @@ Configure how authentik should show avatars for users. Following values can be s
 - `%(mail_hash)s`: The email address, md5 hashed
 - `%(upn)s`: The user's UPN, if set (otherwise an empty string)
+### AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
+
+:::info
+Requires authentik 2021.10.5
+:::
+
+Enable the ability for users to change their Email address, defaults to `true`.
+
+### AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
+
+:::info
+Requires authentik 2021.10.5
+:::
+
+Enable the ability for users to change their Usernames, defaults to `true`.
+
 ## Debugging
 To check if your config has been applied correctly, you can run the following command to output the full config: