fix(frontend): disable self password change if passwordProfile is rea…

…d-only Fixes: owncloud/enterprise#6849
owncloud · Aug 20, 2024 · 346ae88 · 346ae88
1 parent 47ea3e8
commit 346ae88
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/changelog/unreleased/fix_capability_disable_self_password_change.md b/changelog/unreleased/fix_capability_disable_self_password_change.md
@@ -0,0 +1,7 @@
+Bugfix: Set capability response `disable_self_password_change` correctly
+
+The capability value `disable_self_password_change` was not being set correctly
+when `user.passwordProfile` is configured as a read-only attribute.
+
+https://github.com/owncloud/ocis/pull/9853
+https://github.com/owncloud/enterprise/issues/6849
diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strconv"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/capabilities"
@@ -81,6 +82,11 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 		readOnlyUserAttributes = cfg.ReadOnlyUserAttributes
 	}
 
+	changePasswordDisabled := !cfg.LDAPServerWriteEnabled
+	if slices.Contains(readOnlyUserAttributes, "user.passwordProfile") {
+		changePasswordDisabled = true
+	}
+
 	return map[string]interface{}{
 		"shared": map[string]interface{}{
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
@@ -218,7 +224,7 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 									"read_only_attributes":          readOnlyUserAttributes,
 									"create_disabled":               !cfg.LDAPServerWriteEnabled,
 									"delete_disabled":               !cfg.LDAPServerWriteEnabled,
-									"change_password_self_disabled": !cfg.LDAPServerWriteEnabled,
+									"change_password_self_disabled": changePasswordDisabled,
 								},
 							},
 							"checksums": map[string]interface{}{