core: add user flag to prevent users from changing their usernames

closes #1590

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/expressions/_functions.md

@@ -32,7 +32,7 @@ return ak_is_group_member(request.user, name="test_group")
 
 Fetch a user matching `**filters`.
 
-Returns "None" if no user was found, otherwise [User](/docs/expressions/reference/user-object)
+Returns "None" if no user was found, otherwise [User](/docs/user-group/user)
 
 Example:
 

website/docs/policies/expression.mdx

@@ -53,7 +53,7 @@ import Objects from '../expressions/_objects.md'
 <Objects />
 
 - `request`: A PolicyRequest object, which has the following properties:
-    - `request.user`: The current user, against which the policy is applied. See [User](../expressions/reference/user-object.md)
+    - `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)
     - `request.http_request`: The Django HTTP Request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
     - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
     - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
@@ -75,7 +75,7 @@ This includes the following:
 
 - `context['prompt_data']`: Data which has been saved from a prompt stage or an external source.
 - `context['application']`: The application the user is in the process of authorizing.
-- `context['pending_user']`: The currently pending user, see [User](/docs/expressions/reference/user-object)
+- `context['pending_user']`: The currently pending user, see [User](../user-group/user.md#object-attributes)
 - `context['auth_method']`: Authentication method set (this value is set by password stages)
 
     Depending on method, `context['auth_method_args']` is also set.

website/docs/property-mappings/expression.mdx

@@ -17,6 +17,6 @@ import Objects from '../expressions/_objects.md'
 
 <Objects />
 
-- `user`: The current user. This may be `None` if there is no contextual user. See ([User](../expressions/reference/user-object.md))
+- `user`: The current user. This may be `None` if there is no contextual user. See ([User](../user-group/user.md#object-attributes))
 - `request`: The current request. This may be `None` if there is no contextual request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
 - Other arbitrary arguments given by the provider, this is documented on the Provider/Source.

website/docs/user-group/user.md

@@ -1,7 +1,23 @@
 ---
-title: User Object
+title: User
 ---
 
+## Attributes
+
+### `goauthentik.io/user/can-change-username`
+
+Optional flag, when set to false prevents the user from changing their own username.
+
+### `goauthentik.io/user/token-expires`:
+
+Optional flag, when set to false, Tokens created by the user will not expire.
+
+### `goauthentik.io/user/debug`:
+
+See [Troubleshooting access problems](../troubleshooting/access.md), when set, the user gets a more detailed explanation of access decisions.
+
+## Object attributes
+
 The User object has the following attributes:
 
 - `username`: User's username.
@@ -11,8 +27,8 @@ The User object has the following attributes:
 - `is_active` Boolean field if user is active.
 - `date_joined` Date user joined/was created.
 - `password_change_date` Date password was last changed.
-- `attributes` Dynamic attributes.
-- `group_attributes` Merged attributes of all groups the user is member of and the user's own attributes.
+- `attributes` Dynamic attributes, see above
+- `group_attributes()` Merged attributes of all groups the user is member of and the user's own attributes.
 - `ak_groups` This is a queryset of all the user's groups.
 
     You can do additional filtering like