Open Spenhouet opened 6 years ago
Like all settings (including keys etc)?
Yes. Do you see a problem with that?
In our scenario, the users without this permission would get all necessary information automatically via API or via an administrator.
That will render 2FA, U2F, OpenID, GPG, SSH keys, app tokens pretty much useless. Also with no way for the user to change their password.
A user in our use case is not a user of the platform. A user in our use case is only provided with an account and a single repository. The user doesn't interact more with the platform than opening the repository directly per link, reading the README and working on the repository via Git. After that user has made some changes and finished the work, this user will get deleted or deactivated. Everything is automated via API. We don't want a user to change anything at all. The user should only use the password provided to him.
But not to get sidetracked. The main issue for us is that information like profile picture, full name or email address is highly sensitive, and any of these three leaking out between different users could have legal consequences for us. Therefore, if we create a user with no profile picture, no full name and hidden email address, the user should not be able to change that. To realize that, the main idea was to completely deactivate all profile settings.
Description
We would like to create users that don't have permission to change their profile or settings.
We create the profile via API and it should not be changed!
The users should not be able to add a full name or profile picture, or to show the email on their profile. All of that is considered highly sensitive data and no other user under any circumstances should be able to see this information; therefore users should not have permission to enter, share or change these things in the first place.