core: add USER_ATTRIBUTE_CHANGE_EMAIL

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #1590 and #1677
2021-10-27 11:54:19 +02:00
parent 9c0bc78ca0
commit 971de4fcb9
4 changed files with 32 additions and 9 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -45,6 +45,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
 from authentik.core.models import (
+    USER_ATTRIBUTE_CHANGE_EMAIL,
    USER_ATTRIBUTE_CHANGE_USERNAME,
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
@ -122,6 +123,14 @@ class UserSelfSerializer(ModelSerializer):
                "pk": group.pk,
            }

+    def validate_email(self, email: str):
+        """Check if the user is allowed to change their email"""
+        if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_EMAIL, True):
+            return email
+        if email != self.instance.email:
+            raise ValidationError("Not allowed to change email.")
+        return email
+
    def validate_username(self, username: str):
        """Check if the user is allowed to change their username"""
        if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_USERNAME, True):
@ -320,13 +329,14 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    # pylint: disable=invalid-name
    def me(self, request: Request) -> Response:
        """Get information about current user"""
-        serializer = SessionUserSerializer(data={"user": UserSelfSerializer(request.user).data})
+        serializer = SessionUserSerializer(
+            data={"user": UserSelfSerializer(instance=request.user).data}
+        )
        if SESSION_IMPERSONATE_USER in request._request.session:
            serializer.initial_data["original"] = UserSelfSerializer(
-                request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+                instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
            ).data
-        serializer.is_valid()
-        return Response(serializer.data)
+        return Response(serializer.initial_data)

    @extend_schema(request=UserSelfSerializer, responses={200: SessionUserSerializer(many=False)})
    @action(
@ -346,9 +356,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        # since it caches the full object
        if SESSION_IMPERSONATE_USER in request.session:
            request.session[SESSION_IMPERSONATE_USER] = new_user
-        serializer = SessionUserSerializer(data={"user": data.data})
-        serializer.is_valid()
-        return Response(serializer.data)
+        return Response({"user": data.data})

    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})