🐛 Bug Report: LDAP Users Unable to Update Language Settings Due to Update Restriction #247

Closed
opened 2025-10-07 23:59:07 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @Star-caorui on GitHub.

Originally assigned to: @kmendell on GitHub.

Reproduction steps

  1. Enable LDAP functionality in the system configuration (LdapEnabled = true).
  2. Log in as an LDAP user (a user with LdapID set to a non-nil value).
  3. Attempt to update the language setting (or any other personal information) via the /api/users/me endpoint (e.g., PUT /api/users/me with a payload updating the Locale field).
  4. Observe the response.

Description

When an LDAP user attempts to update their language settings (or any personal information) through the /api/users/me endpoint, the operation fails with a 403 Forbidden error. The error message indicates that "LDAP users can't be updated," which prevents LDAP users from making even non-critical updates like changing their language preference.

This issue arises because the current implementation in user_service.go restricts all updates for LDAP users when LDAP is enabled, unless the update is performed via an LDAP sync operation. While this restriction might be intended to protect critical user data, it also blocks benign updates such as language preferences, which should ideally be allowed for LDAP users.

Relevant Code Location

The error is triggered at:

  • Repository: pocket-id/pocket-id
  • File: backend/internal/service/user_service.go#L296
  • Context: The check in updateUserInternal disallows updates for LDAP users if the operation is not an LDAP sync and LDAP is enabled:
    if !isLdapSync && user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
        return model.User{}, &common.LdapUserUpdateError{}
    }
    

Expected behavior

  • LDAP users should be allowed to update non-critical personal settings, such as language (Locale), even when LDAP is enabled.
  • Alternatively, the system could differentiate between critical fields (e.g., Email, Username) and non-critical fields (e.g., Locale), allowing updates to the latter.

Actual Behavior

  • The request fails with a 403 Forbidden status code.
  • The error message in the logs is:
    [GIN] 2025/04/24 - 07:40:45 | 403 |   75.458866ms |      172.17.0.1 | PUT      "/api/users/me"
    Error #01: LDAP users can't be updated
    

Version and Environment

  • Version: 0.49.0
  • Setup: LDAP enabled. Change LDAP User's language
  • LDAP Server: lldap 0.6.1

Log Output

[GIN] 2025/04/24 - 07:40:45 | 403 |   75.458866ms |      172.17.0.1 | PUT      "/api/users/me"
Error #01: LDAP users can't be updated
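
The field-level split proposed under "Expected behavior", sketched as an added Go example; it is not part of the original report and not Pocket ID's actual fix. `User`, `ApplyUpdate` and `ErrLdapManagedField` are hypothetical names, and the sample values are constructed. For an LDAP-managed account it copies only the allowlisted `Locale` onto the stored record, so directory-owned fields stay read-only by default.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a reduced, hypothetical stand-in for the application's user model.
type User struct {
	Username, Email string
	Locale          *string
	LdapID          *string // non-nil when the directory owns this account
}

// ErrLdapManagedField is a hypothetical error, returned when a directory-owned
// attribute would change outside an LDAP sync.
var ErrLdapManagedField = errors.New("field is managed by LDAP")

// ApplyUpdate returns the record to persist. For LDAP-managed users it starts
// from the stored record and copies only the allowlisted preference (Locale),
// so any field added to User later stays read-only by default.
func ApplyUpdate(stored, req User, ldapEnabled, isLdapSync bool) (User, error) {
	if isLdapSync {
		return req, nil // the sync job is the authority for directory-owned fields
	}
	if !ldapEnabled || stored.LdapID == nil {
		req.LdapID = stored.LdapID // the directory link is never client-controlled
		return req, nil
	}
	if req.Username != stored.Username || req.Email != stored.Email {
		return User{}, ErrLdapManagedField
	}
	out := stored
	out.Locale = req.Locale
	return out, nil
}

func main() {
	// Constructed sample data.
	id, de := "constructed-ldap-id", "de"
	stored := User{Username: "alice", Email: "alice@example.com", LdapID: &id}

	ok, err := ApplyUpdate(stored, User{Username: "alice", Email: "alice@example.com", Locale: &de}, true, false)
	fmt.Println(*ok.Locale, err) // locale change accepted

	_, err = ApplyUpdate(stored, User{Username: "alice", Email: "other@example.com", Locale: &de}, true, false)
	fmt.Println(err) // email change rejected
}
```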
OVERLORD added the bug label 2025-10-07 23:59:07 +03:00
Author
Owner

@stonith404 commented on GitHub:

Thanks for reporting this. This should be fixed in v0.51.1.

Reference: starred/pocket-id-pocket-id-1#247