[identities ldap] add a read-only mode, which still allow to modify roles and disabled flag

authentic/admin/identities.ptl

@@ -31,8 +31,10 @@ class IdentityObjectUI:
         form = Form(enctype='multipart/form-data')
         form.keep_referer()
 
-        for field in identities.get_store_class().fields:
-            field.add_to_form(form, identity = self.identity, admin = True)
+        store = identities.get_store()
+        if not getattr(store, 'ldap_read_only', False):
+            for field in identities.get_store_class().fields:
+                field.add_to_form(form, identity = self.identity, admin = True)
 
         form.add(WidgetList, 'roles', title = _('Roles'), element_type = SingleSelectWidget,
                 value = self.identity.roles, add_element_label = _('Add Role'),
@@ -40,13 +42,14 @@ class IdentityObjectUI:
                 str('options'): [ (identities.ROLE_NONE, '---'),
                 (identities.ROLE_ADMIN, _('Administrator'))]})
 
-        for account in self.identity.accounts or []:
-            if len(self.identity.accounts) > 1:
-                form.widgets.append(HtmlWidget(
-                            htmltext('<fieldset><legend>%s</legend>') % account.type()))
-            PasswordAccountObjectUI(account).edit_form_ui(form)
-            if len(self.identity.accounts) > 1:
-                form.widgets.append(HtmlWidget(htmltext('</fieldset>')))
+        if not getattr(store, 'ldap_read_only', False):
+            for account in self.identity.accounts or []:
+                if len(self.identity.accounts) > 1:
+                    form.widgets.append(HtmlWidget(
+                                htmltext('<fieldset><legend>%s</legend>') % account.type()))
+                PasswordAccountObjectUI(account).edit_form_ui(form)
+                if len(self.identity.accounts) > 1:
+                    form.widgets.append(HtmlWidget(htmltext('</fieldset>')))
 
         form.add(CheckboxWidget, 'disabled', title = _('Disabled'),
                 value = self.identity.disabled)
@@ -245,6 +248,7 @@ class IdentitiesDirectory(Directory):
         proxied_identity_origin_keys = {}
 
         def identity_li [html] (identity):
+            store = identities.get_store()
             if identity.disabled:
                 '<li class="disabled">'
             else:
@@ -267,8 +271,9 @@ class IdentitiesDirectory(Directory):
             '<p class="commands">'
             command_icon('%s/' % urllib.quote(identity.id), 'view')
             command_icon('%s/edit' % identity.id, 'edit')
-            if hasattr(identities.get_store(), str('remove')):
-                command_icon('%s/delete' % identity.id, 'remove')
+            if not getattr(store, str('ldap_read_only'), False):
+                if hasattr(identities.get_store(), str('remove')):
+                    command_icon('%s/delete' % identity.id, 'remove')
             if debug_cfg.get('logger', True):
                 command_icon('../logger/by_identity/%s/' % identity.id, 'logs',
                         label = _('Logs'), icon = 'stock_harddisk_16.png')

authentic/identities.py

@@ -582,7 +582,7 @@ class IdentitiesStoreLdap(BaseIdentitiesStore):
             'ldap_bind_dn', 'ldap_bind_password', 'ldap_object_class',
             'ldap_object_uid', 'ldap_object_name', 'ldap_object_email',
             'ldap_big_directory', 'ldap_published_attributes',
-            'ldap_field_mapping')
+            'ldap_field_mapping','ldap_read_only')
     default_field_mapping = { 'email': 'mail', 'name': 'cn' }
 
     ldap_object_name = None
@@ -960,6 +960,9 @@ class IdentitiesStoreLdap(BaseIdentitiesStore):
         mini.resource_id = identity.resource_id
         mini.store()
 
+        if self.ldap_read_only:
+            return False
+
         # Save LDAP stored data, administrative bind, because we do not have the
         # session password. How to access session variables ? Is get_session()
         # acceptable ?
@@ -1067,6 +1070,8 @@ class IdentitiesStoreLdap(BaseIdentitiesStore):
         form.add(StringWidget, 'ldap_url', title = _('LDAP URL'), required = True,
                 hint = htmltext(_('Example: <tt>ldap://directory.example.com</tt>')),
                 value = data_source.get('ldap_url', ''))
+        form.add(CheckboxWidget, 'ldap_read_only', title=_('LDAP is Read only'), required=False,
+                value = data_source.get('ldap_read_only',False))
         form.add(StringWidget, 'ldap_base', title = _('LDAP Base'), required = True,
                 hint = htmltext(_('Example: <tt>dc=example, dc=com</tt>')),
                 value = data_source.get('ldap_base', ''))