UI: Allow org admin to hide change email and change password

[gagantrivedi]

Organizations using LDAP don't need the "Change Email" and "Change Password" UI elements.

[matthewelwell]

We need to determine if the fact that LDAP auth is used is surfaced anywhere for the FE.

Edit: yes - the UI can use the auth_type attribute returned on the /users/me endpoint.

[matthewelwell]

Also, this would likely be helpful in scenarios where a user authentication is OAuth.

[matthewelwell]

This might need some further thought. I'm not entirely certain that preventing OAuth users from changing their email address is correct.

Let's take a scenario here:

1. A user ([email protected]) authenticates with OAuth - a user account is created, and the ID from the OAuth provider is stored against the user
2. The user changes their email address (to [email protected])

In this case:

1. The next time they try to authenticate with the original OAuth method, a new account will be created
2. If they re-authenticate with the same OAuth method, but with the new email address, the ID from the OAuth provider will be updated

So maybe, what we should do is to re-add the ability to change your email as an OAuth user, but we should clear the ID from the OAuth provider when an email changes?

[khvn26]

we should clear the ID from the OAuth provider when an email changes

As long as we're not doing it silently, I'm in favour of this option.

[matthewelwell]

The change here did not fully resolve this issue since changing one's email requires the user's password. OAuth users will likely not have a password set so we need to find another workflow for this.