Implement #90 - allow self write to name, displayname, and legalname. (#105)

* Implement #90 - allow self write to name, displayname, and legalname. This is an important aspect to respecting peoples autonomy and identities so that they can change their name when appropriate to them. Limit self read/write to live accounts, and prevent anonymous self-write
2025-02-23 12:37:00 +01:00 · 2019-09-27 09:57:53 +10:00 · 2019-09-27 09:57:53 +10:00 · 879095c450
parent 4f85883c32
commit 879095c450
2 changed files with 25 additions and 1 deletions
--- a/kanidmd/src/lib/constants.rs
+++ b/kanidmd/src/lib/constants.rs
@ -332,7 +332,7 @@ pub static JSON_IDM_SELF_ACP_READ_V1: &'static str = r#"{
        "description": ["Builtin IDM Control for self read - required for whoami and many other functions."],
        "acp_enable": ["true"],
        "acp_receiver": [
-            "\"Self\""
+            "{\"And\": [\"Self\", {\"AndNot\": {\"Or\": [{\"Eq\": [\"class\", \"tombstone\"]}, {\"Eq\": [\"class\", \"recycled\"]}]}}]}"
        ],
        "acp_targetscope": [
            "\"Self\""
@ -349,6 +349,29 @@ pub static JSON_IDM_SELF_ACP_READ_V1: &'static str = r#"{
    }
 }"#;

+pub static _UUID_IDM_SELF_ACP_WRITE_V1: &'static str = "00000000-0000-0000-0000-ffffff000021";
+pub static JSON_IDM_SELF_ACP_WRITE_V1: &'static str = r#"{
+    "attrs": {
+        "class": ["object", "access_control_profile", "access_control_modify"],
+        "name": ["idm_self_acp_write"],
+        "uuid": ["00000000-0000-0000-0000-ffffff000021"],
+        "description": ["Builtin IDM Control for self write - required for people to update their own identities in line with best practices."],
+        "acp_enable": ["true"],
+        "acp_receiver": [
+            "{\"And\": [\"Self\", {\"AndNot\": {\"Or\": [{\"Eq\": [\"class\", \"tombstone\"]}, {\"Eq\": [\"class\", \"recycled\"]}, {\"Eq\": [\"uuid\", \"00000000-0000-0000-0000-ffffffffffff\"]}]}}]}"
+        ],
+        "acp_targetscope": [
+            "\"Self\""
+        ],
+        "acp_modify_removedattr": [
+            "name", "displayname", "legalname"
+        ],
+        "acp_modify_presentattr": [
+            "name", "displayname", "legalname"
+        ]
+    }
+}"#;
+
 /*
 pub static _UUID_IDM_ADMINS_ACP_MANAGE_V1: &'static str = "00000000-0000-0000-0000-ffffff000005";
 pub static JSON_IDM_ADMINS_ACP_MANAGE_V1: &'static str = r#"{
--- a/kanidmd/src/lib/server.rs
+++ b/kanidmd/src/lib/server.rs
@ -1601,6 +1601,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
            // JSON_IDM_ADMINS_ACP_MANAGE_V1,
            JSON_IDM_ALL_ACP_READ_V1,
            JSON_IDM_SELF_ACP_READ_V1,
+            JSON_IDM_SELF_ACP_WRITE_V1,
            JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
            JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,