[Feature] Block user edit values given by OpenID #26
Comments
|
Hi! You can disable allowing changing the user's name by adding this to the config Nextcloud doesn't provide any way to disable changing other attributes in my knowledge, and that would pretty much be out of scope for this plugin. Keeping this open nonetheless in case anyone has any suggestions. |
pulsejet
added
PR or won't happen
|
As a temporary kludge, couldn't one just hide UI controls in question with |
|
@yrammos I can't recommend that unless the administrator is doing it at their own risk. If a plugin hides an input, it is easy to assume that the changes will be server side validated - anything otherwise would classify as a security risk. |
|
@pulsejet I agree with you, hence "temporary kludge"… As far as I know, the LDAP plugin does what @Zocker1999NET is asking about — maybe worth taking a look in that direction? Using OpenID without a centralized repository of account info seems to me inherently problematic. |
|
Hi, I'm wondering how to disable the password change from under the security settings for users. I've followed various issues and it seems as if this is the correct way: |
|
Yep, we use either the default user backend or the LDAP backend depending on configuration. I have no idea how we could tell the backend to disallow password change. Also note a user may want to be able to login with the password as well as OIDC, maybe unless the user was created with OIDC. Don't think we can handle that case anyway. |
|
Okay, thanks for confirming. In my case users are handled entirely by OIDC and the users should not deal with credentials inside Nextcloud. I think I'm going to hide the password login and the password change forms via CSS until a cleaner solution comes up. They don't work anyway and just create confusion. |
|
Please do comment what exact solution you use for others' benefit. |
|
Well, one rudimentary but workable solution would be to inject the following via the "Custom CSS" textbox, under "Administration > Theming." #security-password {
display: none;
}
#two-factor-auth {
display: none;
}
#security-webauthn {
display: none;
}I don't see any substantial security implications but would welcome any thoughts on how this hack could pose an actual threat, even if a malicious user discovered it. |
|
Hmm, maybe I didn't check properly which attributes the OP was referring to, but if you're hiding only the user's private security parameters here then it indeed should not be an issue. In that case I'd accept a PR to add this functionality to the plugin (with a clear warning that we don't do server side validation, just so that administrators don't rely in any way on the user passwords). |
Awesome!
I don't have a test environment, so that'll take time. I'll get to it though.
Documentation. Basically this needs to be configurable (and default to being turned off), and the config option in the README must have this warning. |
Implement #26: 'Block user edit values given by OpenID.'
|
Fixed by #60 |
After I got a running Keycloak and Nextcloud connection, I saw that the login attributes where also mapped correctly, which is really great, but nextcloud still allows the user to edit these values. Also this app does not allow disabling changing password or two-factor authentication for the user. Changes to attributes like name or mail (if given by Keycloak) will be discard on the next login, which could potentially confuse users.
I want to remove these abilities from Nextcloud because the user should manage their credentials and information only on Keycloak.
The text was updated successfully, but these errors were encountered: