From 7ae3f187bdc6d9cef30b590d2649f793f9b5f6f9 Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Thu, 5 Dec 2019 09:12:59 +0100
Subject: [PATCH 1/2] RoleForm: Add new app permission `no-user/password-change`

---
 application/forms/Security/RoleForm.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/application/forms/Security/RoleForm.php b/application/forms/Security/RoleForm.php
index 0f7c7a1d2..86cb8c815 100644
--- a/application/forms/Security/RoleForm.php
+++ b/application/forms/Security/RoleForm.php
@@ -43,6 +43,10 @@ class RoleForm extends RepositoryForm
         $view = $this->getView();
 
         $this->providedPermissions['application'] = [
+            $helper->filterName('no-user/password-change') => [
+                'name' => 'no-user/password-change',
+                'description' => $this->translate('Prohibit password changes in the account preferences')
+            ],
             $helper->filterName('application/share/navigation') => [
                 'name' => 'application/share/navigation',
                 'description' => $this->translate('Allow to share navigation items')

From 67cc81e49f710e6e3386ff25d3a10578681e2cee Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Thu, 5 Dec 2019 09:13:34 +0100
Subject: [PATCH 2/2] AccountController: Prohibit password changes for users with `no-user/password-change`

---
 application/controllers/AccountController.php | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/application/controllers/AccountController.php b/application/controllers/AccountController.php
index 154270bea..de1faf153 100644
--- a/application/controllers/AccountController.php
+++ b/application/controllers/AccountController.php
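Review bot: The new entry reads as a prohibition while every other item in `providedPermissions['application']` grants a capability, and nothing at the definition marks that inversion for the next maintainer; add a comment above the entry such as `// Inverse permission: granting it withholds the password-change form (see AccountController)`. The companion AccountController change exempts roles holding `*`, so the description could also state that roles granted every permission are unaffected; otherwise an administrator who adds it to such a role will expect it to take effect. The enclosing method starts and ends outside this hunk.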
@@ -43,17 +43,19 @@ class AccountController extends Controller
         $config = Config::app()->getSection('global');
         $user = $this->Auth()->getUser();
         if ($user->getAdditional('backend_type') === 'db') {
-            try {
-                $userBackend = UserBackend::create($user->getAdditional('backend_name'));
-            } catch (ConfigurationError $e) {
-                $userBackend = null;
-            }
-            if ($userBackend !== null) {
-                $changePasswordForm = new ChangePasswordForm();
-                $changePasswordForm
-                    ->setBackend($userBackend)
-                    ->handleRequest();
-                $this->view->changePasswordForm = $changePasswordForm;
+            if ($user->can('*') || ! $user->can('no-user/password-change')) {
+                try {
+                    $userBackend = UserBackend::create($user->getAdditional('backend_name'));
+                } catch (ConfigurationError $e) {
+                    $userBackend = null;
+                }
+                if ($userBackend !== null) {
+                    $changePasswordForm = new ChangePasswordForm();
+                    $changePasswordForm
+                        ->setBackend($userBackend)
+                        ->handleRequest();
+                    $this->view->changePasswordForm = $changePasswordForm;
+                }
             }
         }
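Review bot: The `$user->can('*')` exemption in the new guard is unexplained and reads like a bug at first glance; presumably it exists because a wildcard grant also satisfies `can('no-user/password-change')`, and if so that deserves a comment above the condition, e.g. `// '*' also matches no-user/password-change; unrestricted roles keep the form`. The guard also deepens the method to four nested blocks; folding it into the existing check, `if ($user->getAdditional('backend_type') === 'db' && ($user->can('*') || ! $user->can('no-user/password-change'))) {`, keeps the body at its former depth and avoids re-indenting eleven unchanged lines. Placing `handleRequest()` inside the guard means submissions from prohibited users are not processed server-side, which is the right place for the check; the view must then tolerate a missing `changePasswordForm`, which this hunk does not show. The enclosing action method starts outside the hunk.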