
Prevent editing of account-details #5502

Open
2 tasks done
demlak opened this issue Feb 24, 2025 · 3 comments


demlak commented Feb 24, 2025

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Disable editing of account details

Hi. I use BookStack in a school, and since we use OpenID as auth_method, I want to disable editing of some settings in the personal profile: changing the name, activating 2FA, deleting the account and changing the avatar.
Similar to #3156

The only setting that would be left is the language change, but it is absolutely OK to do without that, so maybe we could do without the my-account page at all.

I don't know what the best solution for this is.

I see:

  • editing the server config so /my-account can't be accessed anymore. I don't know if this will break other things
  • custom CSS to hide the navigation entry that leads there. This would be kind of security by obscurity
  • changing the page via the logical theme system by replacing code or by hooking into the save dialog, as in [Support Request]: Disable profile page for users with social login #3156, if I understand it correctly
  • changing the PHP in the BookStack source code to not give access at all. This is obviously a bad idea for updating BookStack

What would be a good / the best solution?

Thanks,
demlak

Exact BookStack Version

v24.12.1

Log Content

No response

Hosting Environment

BookStack in an LXC installed via helper-scripts.com on a Proxmox host.

@ssddanbrown
Member

Hi @demlak,

Personally I'd probably go with the webserver approach, since that should be the most simple.
Note though that URLs for things could change in the future, but no option here is safe from future changes, since this isn't something officially supported.

I don't know if this will break other things

The only other things I can think of are that shortcut and notification preferences are also on the my-account path.
If you want to allow those, you'd need to be a bit more selective/targeted.
A full list of the routes/methods using my-account can be seen here:

BookStack/routes/web.php

Lines 252 to 263 in dca14fe

// User Account
Route::get('/my-account', [UserControllers\UserAccountController::class, 'redirect']);
Route::get('/my-account/profile', [UserControllers\UserAccountController::class, 'showProfile']);
Route::put('/my-account/profile', [UserControllers\UserAccountController::class, 'updateProfile']);
Route::get('/my-account/shortcuts', [UserControllers\UserAccountController::class, 'showShortcuts']);
Route::put('/my-account/shortcuts', [UserControllers\UserAccountController::class, 'updateShortcuts']);
Route::get('/my-account/notifications', [UserControllers\UserAccountController::class, 'showNotifications']);
Route::put('/my-account/notifications', [UserControllers\UserAccountController::class, 'updateNotifications']);
Route::get('/my-account/auth', [UserControllers\UserAccountController::class, 'showAuth']);
Route::put('/my-account/auth/password', [UserControllers\UserAccountController::class, 'updatePassword']);
Route::get('/my-account/delete', [UserControllers\UserAccountController::class, 'delete']);
Route::delete('/my-account', [UserControllers\UserAccountController::class, 'destroy']);


demlak commented Feb 25, 2025

Hmm, I tried several things inside the /.htaccess file to redirect /my-account to /, but I was not successful. Maybe you can help?

@ssddanbrown
Member

@demlak .htaccess files are rarely used and best avoided.

Your Apache webserver config for BookStack should be found at /etc/apache2/sites-available/bookstack.conf. Add config/options in there.
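The webserver approach from the first reply, written out against the route list quoted there and placed where the second reply points. This is an added example, not configuration from BookStack or from either participant. It assumes the paths of v24.12.1 as listed above, that BookStack is served from the domain root (no sub-path in APP_URL), that mod_rewrite is not needed (only core access control is used), and a hostname wiki.example in the curl checks. The security-relevant detail is that Apache must match on the path for every HTTP method: BookStack's forms are submitted as POST with a hidden _method field (Laravel method spoofing), so the webserver never sees a real PUT or DELETE and a <Limit PUT> or <Limit DELETE> rule would leave the save and delete handlers reachable.

```apache
# Added example (not BookStack's own config). Goes inside the <VirtualHost>
# block of /etc/apache2/sites-available/bookstack.conf.

# Profile (name, avatar), auth (password) and the delete confirmation page.
# Deny by PATH, for all methods: the PUT /my-account/profile and
# PUT /my-account/auth/password handlers arrive as POST + _method=PUT,
# so a method-based <Limit> would not stop them.
<LocationMatch "^/my-account/(profile|auth|delete)(/|$)">
    Require all denied
</LocationMatch>

# The bare /my-account URL is both the redirect to the (now blocked) profile
# page and the DELETE /my-account deletion endpoint (POST + _method=DELETE).
# Deny it outright; a 403 is clearer than a redirect into a 403.
<LocationMatch "^/my-account/?$">
    Require all denied
</LocationMatch>

# /my-account/shortcuts and /my-account/notifications are deliberately left
# reachable so users keep those preferences. To drop the whole area instead,
# replace both blocks above with this prefix match (<Location> matches every
# sub-path below it):
#
#   <Location "/my-account">
#       Require all denied
#   </Location>

# Verification after "apachectl configtest && systemctl reload apache2"
# (hostname is an assumption; run as a logged-in user or expect a login
# redirect on the allowed paths):
#
#   curl -s -o /dev/null -w '%{http_code}\n' \
#       -X POST -d '_method=PUT' -d 'name=x' https://wiki.example/my-account/profile
#   -> 403
#   curl -s -o /dev/null -w '%{http_code}\n' \
#       -X POST -d '_method=DELETE' https://wiki.example/my-account
#   -> 403
#   curl -s -o /dev/null -w '%{http_code}\n' https://wiki.example/my-account/shortcuts
#   -> 200 or 302 (login redirect), never 403
```

Two caveats a practitioner will want. First, this only covers the routes in the list above; anything served from other paths (for example a separate 2FA setup flow) is not on that list and needs its own rule, which is why the route file is the thing to check after each BookStack upgrade. Second, if BookStack is installed under a sub-path, every pattern above must be prefixed with it, and the hidden profile links in the UI will still be rendered; the 403 is the control, the missing menu entry is only cosmetics.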
