🐛 Bug Report: LDAP Users Unable to Update Language Settings Due to Update Restriction #222

Closed
opened 2025-07-08 08:42:48 -04:00 by AtHeartEngineer · 0 comments

Originally created by @Star-caorui on 4/24/2025

Reproduction steps

  1. Enable LDAP functionality in the system configuration (LdapEnabled = true).
  2. Login as an LDAP user (a user with LdapID set to a non-nil value).
  3. Attempt to update the language setting (or any other personal information) via the /api/users/me endpoint (e.g., PUT /api/users/me with a payload updating the Locale field).
  4. Observe the response.

Description

When an LDAP user attempts to update their language settings (or any personal information) through the /api/users/me endpoint, the operation fails with a 403 Forbidden error. The error message indicates that "LDAP users can't be updated," which prevents LDAP users from making even non-critical updates like changing their language preference.

This issue arises because the current implementation in user_service.go restricts all updates for LDAP users when LDAP is enabled, unless the update is performed via an LDAP sync operation. While this restriction might be intended to protect critical user data, it also blocks benign updates such as language preferences, which should ideally be allowed for LDAP users.

Relevant Code Location

The error is triggered at:

  • Repository: pocket-id/pocket-id (https://github.com/pocket-id/pocket-id)
  • File: backend/internal/service/user_service.go#L296 (https://github.com/pocket-id/pocket-id/blob/8e66af627a1aa4241e5c36b0301bbb45597f0830/backend/internal/service/user_service.go#L296)
  • Context: The check in updateUserInternal disallows updates for LDAP users if the operation is not an LDAP sync and LDAP is enabled:
    if !isLdapSync && user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
        return model.User{}, &common.LdapUserUpdateError{}
    }
    

Expected behavior

  • LDAP users should be allowed to update non-critical personal settings, such as language (Locale), even when LDAP is enabled.
  • Alternatively, the system could differentiate between critical fields (e.g., Email, Username) and non-critical fields (e.g., Locale), allowing updates to the latter.

Actual Behavior

  • The request fails with a 403 Forbidden status code.
  • The error message in the logs is:
    [GIN] 2025/04/24 - 07:40:45 | 403 |   75.458866ms |      172.17.0.1 | PUT      "/api/users/me"
    Error #01: LDAP users can't be updated
    

Version and Environment

  • Version: 0.49.0
  • Setup: LDAP enabled; changing an LDAP user's language
  • LDAP Server: lldap 0.6.1 (https://github.com/lldap/lldap/)

Log Output

[GIN] 2025/04/24 - 07:40:45 | 403 |   75.458866ms |      172.17.0.1 | PUT      "/api/users/me"
Error #01: LDAP users can't be updated
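The "differentiate between critical and non-critical fields" alternative from the expected-behavior section, written out as an added example. This is not pocket-id's code and does not reproduce `updateUserInternal`; the `User`, `UpdateUserDto` and `validateLdapUserUpdate` names, the sample LDAP DN and the e-mail addresses are constructed for illustration. Two design choices matter for the security property the original blanket check provides: the permitted fields are an allow-list (`Locale` only), so a new directory-owned attribute added later is blocked by default rather than silently writable, and "changed" is decided by comparing the request against the stored record rather than against which keys the client happened to send, so an `Email` that merely echoes the current value is not treated as an attempt to overwrite a directory-managed field.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User mirrors only the fields the issue mentions; hypothetical type, not pocket-id's model.User.
type User struct {
	Username  string
	Email     string
	FirstName string
	LastName  string
	Locale    string
	LdapID    *string // non-nil marks a user provisioned from LDAP
}

// UpdateUserDto carries the fields a PUT /api/users/me may change.
// Pointer fields let "not sent" (nil) be told apart from "set to empty".
type UpdateUserDto struct {
	Username  *string
	Email     *string
	FirstName *string
	LastName  *string
	Locale    *string
}

// ErrLdapUserUpdate stands in for common.LdapUserUpdateError in the issue.
var ErrLdapUserUpdate = errors.New("LDAP users can't be updated")

// selfServiceFields is the allow-list of fields an LDAP-managed user may change locally.
// Anything not listed is owned by the directory and only an LDAP sync may write it.
var selfServiceFields = map[string]bool{"Locale": true}

// changedFields returns the names of fields present in dto whose value differs from existing.
func changedFields(existing User, dto UpdateUserDto) []string {
	var changed []string
	check := func(name, have string, want *string) {
		if want != nil && *want != have {
			changed = append(changed, name)
		}
	}
	check("Username", existing.Username, dto.Username)
	check("Email", existing.Email, dto.Email)
	check("FirstName", existing.FirstName, dto.FirstName)
	check("LastName", existing.LastName, dto.LastName)
	check("Locale", existing.Locale, dto.Locale)
	return changed
}

// validateLdapUserUpdate is the per-field variant of the check quoted in the issue:
// same gate conditions (not a sync, LDAP-provisioned user, LDAP enabled), but instead of
// rejecting every update it rejects only changes to fields outside selfServiceFields.
func validateLdapUserUpdate(existing User, dto UpdateUserDto, isLdapSync, ldapEnabled bool) error {
	if isLdapSync || existing.LdapID == nil || !ldapEnabled {
		return nil // the original check also lets these cases through
	}
	var blocked []string
	for _, f := range changedFields(existing, dto) {
		if !selfServiceFields[f] {
			blocked = append(blocked, f)
		}
	}
	if len(blocked) > 0 {
		return fmt.Errorf("%w: directory-managed field(s) %s", ErrLdapUserUpdate, strings.Join(blocked, ", "))
	}
	return nil
}

func main() {
	id := "uid=alice,ou=people,dc=example,dc=com" // constructed sample DN
	alice := User{Username: "alice", Email: "alice@example.com", Locale: "en", LdapID: &id}
	zh := "zh-CN"
	other := "alice@attacker.example"

	// Locale-only change: allowed for an LDAP user.
	fmt.Println("locale only:", validateLdapUserUpdate(alice, UpdateUserDto{Locale: &zh}, false, true))
	// Locale plus Email: rejected, Email is directory-managed.
	fmt.Println("locale+email:", validateLdapUserUpdate(alice, UpdateUserDto{Locale: &zh, Email: &other}, false, true))
}
```

The error still wraps the same "LDAP users can't be updated" sentinel, so a handler that maps `LdapUserUpdateError` to 403 keeps working; only the set of requests that reach it shrinks to those that actually touch a directory-owned attribute.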

Reference: github/pocket-id#222