Introduce config to restrict user capabilities

2025-08-09 04:22:45 +03:00 · 2024-03-29 12:52:11 +01:00
parent 4d1b6aeded
commit 90080235da
5 changed files with 45 additions and 1 deletions
--- a/crates/cli/src/util.rs
+++ b/crates/cli/src/util.rs
@@ -135,6 +135,10 @@ pub fn site_config_from_config(
        password_login_enabled: password_config.enabled(),
        password_registration_enabled: password_config.enabled()
            && experimental_config.password_registration_enabled,
+        email_change_allowed: experimental_config.email_change_allowed,
+        displayname_change_allowed: experimental_config.displayname_change_allowed,
+        password_change_allowed: password_config.enabled()
+            && experimental_config.password_change_allowed,
    }
 }

--- a/crates/config/src/sections/experimental.rs
+++ b/crates/config/src/sections/experimental.rs
@@ -1,4 +1,4 @@
-// Copyright 2023 The Matrix.org Foundation C.I.C.
+// Copyright 2023, 2024 The Matrix.org Foundation C.I.C.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@ const fn is_default_true(value: &bool) -> bool {
 ///
 /// Do not change these options unless you know what you are doing.
 #[serde_as]
+#[allow(clippy::struct_excessive_bools)]
 #[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]
 pub struct ExperimentalConfig {
    /// Time-to-live of access tokens in seconds. Defaults to 5 minutes.
@@ -65,6 +66,20 @@ pub struct ExperimentalConfig {
    /// if password authentication is enabled.
    #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
    pub password_registration_enabled: bool,
+
+    /// Whether users are allowed to change their email addresses. Defaults to
+    /// `true`.
+    #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
+    pub email_change_allowed: bool,
+
+    /// Whether users are allowed to change their display names. Defaults to
+    /// `true`.
+    #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
+    pub displayname_change_allowed: bool,
+
+    /// Whether users are allowed to change their passwords. Defaults to `true`.
+    #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
+    pub password_change_allowed: bool,
 }

 impl Default for ExperimentalConfig {
@@ -73,6 +88,9 @@ impl Default for ExperimentalConfig {
            access_token_ttl: default_token_ttl(),
            compat_token_ttl: default_token_ttl(),
            password_registration_enabled: default_true(),
+            email_change_allowed: default_true(),
+            displayname_change_allowed: default_true(),
+            password_change_allowed: default_true(),
        }
    }
 }
@@ -82,6 +100,9 @@ impl ExperimentalConfig {
        is_default_token_ttl(&self.access_token_ttl)
            && is_default_token_ttl(&self.compat_token_ttl)
            && is_default_true(&self.password_registration_enabled)
+            && is_default_true(&self.email_change_allowed)
+            && is_default_true(&self.displayname_change_allowed)
+            && is_default_true(&self.password_change_allowed)
    }
 }

--- a/crates/handlers/src/site_config.rs
+++ b/crates/handlers/src/site_config.rs
@@ -17,6 +17,7 @@ use mas_templates::{SiteBranding, SiteFeatures};
 use url::Url;

 /// Random site configuration we don't now where to put yet.
+#[allow(clippy::struct_excessive_bools)]
 #[derive(Debug, Clone)]
 pub struct SiteConfig {
    pub access_token_ttl: Duration,
@@ -27,6 +28,9 @@ pub struct SiteConfig {
    pub imprint: Option<String>,
    pub password_login_enabled: bool,
    pub password_registration_enabled: bool,
+    pub email_change_allowed: bool,
+    pub displayname_change_allowed: bool,
+    pub password_change_allowed: bool,
 }

 impl SiteConfig {
--- a/crates/handlers/src/test_utils.rs
+++ b/crates/handlers/src/test_utils.rs
@@ -129,6 +129,9 @@ pub fn test_site_config() -> SiteConfig {
        imprint: None,
        password_login_enabled: true,
        password_registration_enabled: true,
+        email_change_allowed: true,
+        displayname_change_allowed: true,
+        password_change_allowed: true,
    }
 }

--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -1970,6 +1970,18 @@
        "password_registration_enabled": {
          "description": "Whether to enable self-service password registration. Defaults to `true` if password authentication is enabled.",
          "type": "boolean"
+        },
+        "email_change_allowed": {
+          "description": "Whether users are allowed to change their email addresses. Defaults to `true`.",
+          "type": "boolean"
+        },
+        "displayname_change_allowed": {
+          "description": "Whether users are allowed to change their display names. Defaults to `true`.",
+          "type": "boolean"
+        },
+        "password_change_allowed": {
+          "description": "Whether users are allowed to change their passwords. Defaults to `true`.",
+          "type": "boolean"
        }
      }
    }