disable password change for LDAP backend without user_can_change_password (fixes #20731)

src/authentic2/backends/ldap_backend.py

@@ -182,7 +182,7 @@ class LDAPUser(get_user_model()):
             self.set_unusable_password()
 
     def has_usable_password(self):
-        return self.block['user_can_change_password']
+        return True
 
     def get_connection(self):
         ldap_password = self.get_password_in_session()
@@ -210,6 +210,9 @@ class LDAPUser(get_user_model()):
     def can_reset_password(self):
         return self.block['can_reset_password']
 
+    def can_change_password(self):
+        return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD and self.block['user_can_change_password']
+
 
 class LDAPBackend(object):
     _DEFAULTS = {

src/authentic2/custom_user/models.py

@@ -252,3 +252,6 @@ class User(AbstractBaseUser, PermissionMixin):
 
     def can_reset_password(self):
         return self.has_usable_password()
+
+    def can_change_password(self):
+        return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD

src/authentic2/profile_urls.py

@@ -27,6 +27,9 @@ def password_change_view(request, *args, **kwargs):
         post_change_redirect = request.GET[REDIRECT_FIELD_NAME]
     elif post_change_redirect is None:
         post_change_redirect = reverse('account_management')
+    if not request.user.can_change_password():
+        messages.warning(request, _('Password change is forbidden'))
+        return redirect(request, post_change_redirect)
     if 'cancel' in request.POST:
         return redirect(request, post_change_redirect)
     kwargs['post_change_redirect'] = post_change_redirect

src/authentic2/templates/authentic2/login_password_profile.html

@@ -1,12 +1,12 @@
 {% load i18n %}
 
-{% if can_change_password %}
+{% if user.can_change_password %}
 <h4>{% trans "Password" %}</h4>
 
 <div>
   <p>
     <a href="{% url 'password_change' %}">
-      {% if has_usable_password %}
+      {% if user.has_usable_password %}
         {% trans "Change your password" %}
       {% else %}
         {% trans "Set your password" %}

src/authentic2/views.py

@@ -507,7 +507,8 @@ class ProfileView(cbv.TemplateNamesMixin, TemplateView):
             'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT,
             'allow_profile_edit': EditProfile.can_edit_profile(),
             'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL,
-            'allow_password_change': app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD,
+            # TODO: deprecated should be removed when publik-base-theme is updated
+            'allow_password_change': request.user.can_change_password(),
             'federation_management': federation_management,
         })
         hooks.call_hooks('modify_context_data', self, context_instance)

tests/test_ldap.py

@@ -528,3 +528,25 @@ def test_reset_password_ldap_user(slapd, settings, app, db):
     with pytest.raises(ldap.INVALID_CREDENTIALS):
         slapd.get_connection().bind_s(DN, PASS)
     assert not User.objects.get().has_usable_password()
+
+
+def test_user_cannot_change_password(slapd, settings, app, db):
+    settings.LDAP_AUTH_SETTINGS = [{
+        'url': [slapd.ldap_url],
+        'binddn': slapd.root_bind_dn,
+        'bindpw': slapd.root_bind_password,
+        'basedn': 'o=orga',
+        'use_tls': False,
+        'user_can_change_password': False,
+    }]
+    User = get_user_model()
+    assert User.objects.count() == 0
+    # first login
+    response = app.get('/login/')
+    response.form['username'] = USERNAME
+    response.form['password'] = PASS
+    response = response.form.submit('login-password-submit').follow()
+    response = response.click('Your account')
+    assert 'Password' not in response
+    response = app.get('/accounts/password/change/')
+    assert response['Location'].endswith('/accounts/')