From c63d53f0ed85d3cdb511e5d808509df62f5169a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?= <eloi.rivard@aquilenet.fr>
Date: Thu, 26 Nov 2020 15:29:14 +0100
Subject: [PATCH] Profile editable fields are configurable

---
 canaille/account.py                           |  54 +++++-----
 canaille/conf/config.sample.toml              |  13 +++
 canaille/forms.py                             |  60 ++++++-----
 canaille/templates/profile.html               |  31 ++++--
 .../translations/fr/LC_MESSAGES/messages.mo   | Bin 12272 -> 12357 bytes
 .../translations/fr/LC_MESSAGES/messages.po   |  94 ++++++++++--------
 canaille/translations/messages.pot            |  92 +++++++++--------
 demo/conf/canaille.toml                       |  13 +++
 demo/ldif/bootstrap.ldif                      |   3 +
 tests/conftest.py                             |   9 ++
 tests/test_profile.py                         |  29 +++---
 11 files changed, 245 insertions(+), 153 deletions(-)

diff --git a/canaille/account.py b/canaille/account.py
index 6d7ba4cd..388ef1da 100644
--- a/canaille/account.py
+++ b/canaille/account.py
@@ -15,9 +15,9 @@ from flask_babel import gettext as _
 
 from .forms import (
     LoginForm,
-    ProfileForm,
     PasswordResetForm,
     ForgottenPasswordForm,
+    profile_form,
 )
 from .apputils import base64logo, send_email
 from .flaskutils import current_user, user_needed, moderator_needed
@@ -151,10 +151,11 @@ def users(user):
 @bp.route("/profile", methods=("GET", "POST"))
 @moderator_needed()
 def profile_creation(user):
-    claims = current_app.config["JWT"]["MAPPING"]
-    form = ProfileForm(request.form or None)
+    form = profile_form(current_app.config["LDAP"]["FIELDS"])
+    form.process(request.form or None)
     try:
-        del form.sub.render_kw["readonly"]
+        if "uid" in form:
+            del form["uid"].render_kw["readonly"]
     except KeyError:
         pass
 
@@ -165,14 +166,14 @@ def profile_creation(user):
         else:
             user = User(objectClass=current_app.config["LDAP"]["USER_CLASS"])
             for attribute in form:
-                model_attribute_name = claims.get(attribute.name.upper())
-                if (
-                    not model_attribute_name
-                    or model_attribute_name not in user.must + user.may
-                ):
-                    continue
+                if attribute.name in user.may + user.must:
+                    if user.attr_type_by_name()[attribute.name].single_value:
+                        user[attribute.name] = attribute.data
+                    else:
+                        user[attribute.name] = [attribute.data]
 
-                user[model_attribute_name] = [attribute.data]
+            if not form["password1"].data or user.set_password(form["password1"].data):
+                flash(_("Profile updated successfuly."), "success")
 
             user.cn = [f"{user.givenName[0]} {user.sn[0]}"]
             user.save()
@@ -204,18 +205,20 @@ def profile_edition(user, username):
 
 def profile_edit(user, username):
     menuitem = "profile" if username == user.uid[0] else "users"
-    claims = current_app.config["JWT"]["MAPPING"]
+    fields = current_app.config["LDAP"]["FIELDS"]
     if username != user.uid[0]:
         user = User.get(username) or abort(404)
 
     data = {
-        k.lower(): getattr(user, v)[0]
-        if getattr(user, v) and isinstance(getattr(user, v), list)
-        else getattr(user, v) or ""
-        for k, v in claims.items()
+        k: getattr(user, k)[0]
+        if getattr(user, k) and isinstance(getattr(user, k), list)
+        else getattr(user, k) or ""
+        for k in fields
+        if hasattr(user, k)
     }
-    form = ProfileForm(request.form or None, data=data)
-    form.sub.render_kw["readonly"] = "true"
+    form = profile_form(fields)
+    form.process(request.form or None, data=data)
+    form["uid"].render_kw["readonly"] = "true"
 
     if request.form:
         if not form.validate():
@@ -223,16 +226,13 @@ def profile_edit(user, username):
 
         else:
             for attribute in form:
-                model_attribute_name = claims.get(attribute.name.upper())
-                if (
-                    not model_attribute_name
-                    or model_attribute_name not in user.must + user.may
-                ):
-                    continue
+                if attribute.name in user.may + user.must:
+                    if user.attr_type_by_name()[attribute.name].single_value:
+                        user[attribute.name] = attribute.data
+                    else:
+                        user[attribute.name] = [attribute.data]
 
-                user[model_attribute_name] = [attribute.data]
-
-            if not form.password1.data or user.set_password(form.password1.data):
+            if not form["password1"].data or user.set_password(form["password1"].data):
                 flash(_("Profile updated successfuly."), "success")
 
             user.save()
diff --git a/canaille/conf/config.sample.toml b/canaille/conf/config.sample.toml
index 1f855325..119f20c0 100644
--- a/canaille/conf/config.sample.toml
+++ b/canaille/conf/config.sample.toml
@@ -54,6 +54,19 @@ ADMIN_FILTER = "memberof=cn=admins,ou=groups,dc=mydomain,dc=tld"
 # USER_ADMIN_FILTER = "uid=moderator"
 USER_ADMIN_FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"
 
+# The list of ldap fields you want to be editable by the
+# users.
+FIELDS = [
+  "uid",
+  "mail",
+  "givenName",
+  "sn",
+  "userPassword",
+  "telephoneNumber",
+  "employeeNumber",
+# "photo",
+]
+
 # The jwt configuration. You can generate a RSA keypair with:
 # ssh-keygen -t rsa -b 4096 -m PEM -f private.pem
 # openssl rsa -in private.pem -pubout -outform PEM -out public.pem
diff --git a/canaille/forms.py b/canaille/forms.py
index dbd025c0..93aa80d3 100644
--- a/canaille/forms.py
+++ b/canaille/forms.py
@@ -1,4 +1,5 @@
 import wtforms
+import wtforms.form
 from flask_babel import lazy_gettext as _
 from flask_wtf import FlaskForm
 
@@ -46,35 +47,30 @@ class PasswordResetForm(FlaskForm):
     )
 
 
-class ProfileForm(FlaskForm):
-    sub = wtforms.StringField(
+PROFILE_FORM_FIELDS = dict(
+    uid=wtforms.StringField(
         _("Username"),
         render_kw={"placeholder": _("jdoe")},
         validators=[wtforms.validators.DataRequired()],
-    )
-    #    name = wtforms.StringField(_("Name"))
-    given_name = wtforms.StringField(
+    ),
+    cn=wtforms.StringField(_("Name")),
+    givenName=wtforms.StringField(
         _("Given name"),
         render_kw={
             "placeholder": _("John"),
             "spellcheck": "false",
             "autocorrect": "off",
         },
-    )
-    family_name = wtforms.StringField(
+    ),
+    sn=wtforms.StringField(
         _("Family Name"),
         render_kw={
             "placeholder": _("Doe"),
             "spellcheck": "false",
             "autocorrect": "off",
         },
-    )
-    #    preferred_username = wtforms.StringField(_("Preferred username"))
-    #    gender = wtforms.StringField(_("Gender"))
-    #    birthdate = wtforms.DateField(_("Birth date"))
-    #    zoneinfo = wtforms.StringField(_("Zoneinfo"))
-    #    locale = wtforms.StringField(_("Language"))
-    email = wtforms.EmailField(
+    ),
+    mail=wtforms.EmailField(
         _("Email address"),
         validators=[wtforms.validators.DataRequired(), wtforms.validators.Email()],
         render_kw={
@@ -82,22 +78,38 @@ class ProfileForm(FlaskForm):
             "spellcheck": "false",
             "autocorrect": "off",
         },
-    )
-    #    address = wtforms.StringField(_("Address"))
-    phone_number = wtforms.TelField(
+    ),
+    telephoneNumber=wtforms.TelField(
         _("Phone number"), render_kw={"placeholder": _("555-000-555")}
-    )
-    #    picture = wtforms.StringField(_("Photo"))
-    #    website = wtforms.URLField(_("Website"))
-    password1 = wtforms.PasswordField(
+    ),
+    photo=wtforms.StringField(_("Photo")),
+    password1=wtforms.PasswordField(
         _("Password"),
         validators=[wtforms.validators.Optional(), wtforms.validators.Length(min=8)],
-    )
-    password2 = wtforms.PasswordField(
+    ),
+    password2=wtforms.PasswordField(
         _("Password confirmation"),
         validators=[
             wtforms.validators.EqualTo(
                 "password1", message=_("Password and confirmation do not match.")
             )
         ],
-    )
+    ),
+    employeeNumber=wtforms.StringField(
+        _("Number"),
+        render_kw={
+            "placeholder": _("1234"),
+        },
+    ),
+)
+
+
+def profile_form(field_names):
+    if "userPassword" in field_names:
+        field_names += ["password1", "password2"]
+    fields = {
+        name: PROFILE_FORM_FIELDS.get(name)
+        for name in field_names
+        if PROFILE_FORM_FIELDS.get(name)
+    }
+    return wtforms.form.BaseForm(fields)
diff --git a/canaille/templates/profile.html b/canaille/templates/profile.html
index 025e1191..a8259f94 100644
--- a/canaille/templates/profile.html
+++ b/canaille/templates/profile.html
@@ -56,21 +56,36 @@
       class="ui form"
       >
 
-        {{ sui.render_field(form.csrf_token) }}
+        {#{ sui.render_field(form.csrf_token) }#}
 
         <h4 class="ui dividing header">{% trans %}Personal information{% endtrans %}</h4>
         <div class="two fields">
-            {{ sui.render_field(form.given_name) }}
-            {{ sui.render_field(form.family_name) }}
+            {% if "givenName" in form %}
+                {{ sui.render_field(form.givenName) }}
+            {% endif %}
+            {% if "sn" in form %}
+                {{ sui.render_field(form.sn) }}
+            {% endif %}
         </div>
-        {{ sui.render_field(form.email) }}
-        {{ sui.render_field(form.phone_number) }}
+        {% if "mail" in form %}
+            {{ sui.render_field(form.mail) }}
+        {% endif %}
+        {% if "telephoneNumber" in form %}
+            {{ sui.render_field(form.telephoneNumber) }}
+        {% endif %}
+        {% if "employeeNumber" in form %}
+            {{ sui.render_field(form.employeeNumber) }}
+        {% endif %}
 
         <h4 class="ui dividing header">{% trans %}Account information{% endtrans %}</h4>
-        {{ sui.render_field(form.sub) }}
+        {% if "uid" in form %}
+            {{ sui.render_field(form.uid) }}
+        {% endif %}
         <div class="two fields">
-            {{ sui.render_field(form.password1) }}
-            {{ sui.render_field(form.password2) }}
+            {% if "password1" in form %}
+                {{ sui.render_field(form.password1) }}
+                {{ sui.render_field(form.password2) }}
+            {% endif %}
         </div>
 
         <button type="submit" class="ui right floated primary button" name="action" value="edit" id="edit">
diff --git a/canaille/translations/fr/LC_MESSAGES/messages.mo b/canaille/translations/fr/LC_MESSAGES/messages.mo
index e598bda9e7dacfc0cfdebeba084edacacb2215f2..2f46552f1ac036307ef29f6cb6e13e50d8550272 100644
GIT binary patch
delta 2432
zcmYM#e@vBC9LMqR<;T5%fOX|}ffp4n3Mv<nh(>AyYs1J5v(`TrXtR}FVqu%EZcdiv
zN~?>;)*l*L!Caem7qr!2jk#utI`EHl3vJ~bScd&k{?V-W$LF+|@H*!_&pGG&{hsG}
zoZEcr>DY8I<)HC%fZu!h?MqSb|DVisv!Kr`3r{l~$}oF`{w(U&+Dx-~*nlr!Gj`%h
z%*Na-Ge0iD1z3q(ven2EF<b97><Qe(g${fLr%?-UVihgW;d~C~)9=CnzK*H*rt9y=
zF#SWAhNIYs-@5BbOje>9Sj_$wrcup6i*pBRflsjz&!IM&K?QOX@5WomKg+nwt3(kJ
zvn|AAT<*prZoD2BGT!Xmf~o9pz3zs6sEqra$1q6$1S+6$RHoOF(%DVa{eL6LSsGC#
zVLl$iB2>x8kkhj%R3bm30=$Ybo#BkTa0AQf|B2eDnB6OJF>1rdP$hi|wQ;8#kD}Ju
zi8|XDs#0&G0*j;O4WJS^j=4A$r2hFdW*AtCKEhSWD^U|$FoYX12Yc{g+=tp|5*6rW
zRDf4e>&>CgIE_g<k}_v4YTdQY4LQ_bk!@x`3vEM1{vs-)9xTS4sM7Ug9v(qeU<9eY
zjpGbnaO0z-r~AJ{-8YF8)uxeKY!2_i)EKKpXq2KNZg+N}Zg>Zqa0nm7YpAEWoHUo?
zGpN81U=bcfC2#_D#v{(JP!$_PRpbm3gT*e<U`?BI7Xk%dgt@57EJJNji&WL_ch?_9
zE!cr27)71!eyqn~)U)&(YF-ZKx(q9j)3$b`5;1$027B8s)PiwT>5t$id}uz#Zd^|}
zeqwx#GIi1ah;z|>LEb5yX+HL1IlhI*Q5miZd5N^5Dzp)G6j9XkXS>}%AHHX7ihbBn
z>fJbjI?Kzb(q2Oae8Y|V7kL%RM!jY^sLV@HrEbC1*p6B!j*Ia_T*>}6M&lv;-C4uc
z8u~q`w_*^r@g!=4i>Q+Rj0)s0)WY+ZcpK)U?k_`)SD`YlL#?+C%diV$I^#n$<Y81P
z2T>c0pq|$6u>!BS>*>ta!Ud?OJA}%#3X`xA&tntnq0Xip3cM2any$iRTvJZ{6=^dA
zI{Q|v#3xY;_oANucTpLfb>mlD|5wz4w^0kGhrL9yPyyzl=9Qq<uf_&!LIt)XO#Sur
z#u>N|KSz$$W}TU&T}OWf@*G+x>NR{7_11iisW^p9v5Oc&A9YqDi%^wpLp}8!sP%hL
zfqf98p^^`w7WxwXIEn#0g;d=pP#OGzyixWKYF+{Flr{)stIzBKROR-vyNsjWg2Sl$
zzQ7QkMtxsmvo!P}@mF~n)}cz%hI(C|#}<6Uc?Q?e4>C#f+WDivccbp#i%MVsbtFU1
z&rttco<vpR8zhIAU7$hL>^5rS@Cq-&W}HWVD`w(Ls0?01W%NE~;UF^AhOrfY!CI_d
z=^gDB)I+=nb(H<6Px=JrX~*j{h{Tery>EFHs`O3OiA!lqlT#u!wRMT4%*Xxyww~=B
zTe}mRf^EK(ZPAybiGc-Sf1o}Ti8R(l;^zxX|7$0175<QNXX4RwC20ZXjSqE46KBhZ
OeW@Gn%-mD4J@7Aill7|r

delta 2396
zcmZA2e@vBC9LMo5f)KythbTr0SCe1Cz1(}1#M_`UTO|?|RJJvdku^3FW|%Z_&)Qg}
zwK7W6ves6XRx;bQT20rIA@v7~bk1BQS>mV`NNpBdN$*ehY;E0feLd&g^PKbje$ROx
z2i9F|^3G-_>@+^l@SV@MJ3+1gKHpwpmK|sI9ezRg#bmQvX@8PpmP$K5&8!VGum!tu
z7JiS3IDxbA67pv$>3lIare}+|*g}UNH{$`+#0!~46ZoA=F@yGXn1r=B6B}InJ}jo)
zjKpf&FoM1A_aRh*r*HxOhC%bpGMP0<$Bn27HsY1|GHRj2s6dWj7WN~5c8Y&gtWhLp
z`x)c$PuKsK>yOJcE1*BaS%C_?9@AOh?&d-nw>aA|oAwq|K+mFX_z+dPBdGC%ND_7u
zXW$R`CXS*?zMW{<Eqe`>$bM9ShfskZMo&L{%taA?hFWM0%WxdEU>?z^q=l%31E~H8
zYNDG_d%Fr1(7mYf526xi$2s^C=Hfvt#er<<uToFYp&OG4+lTWo2bbe5cspu=U8sfM
zKuy$#+SB8xE%?zniJEWPIg7~@&;nF~MW`(;&!PUxU<n;M6ji8-+=Fv*Eh^(pNLB4|
z{0Vzqe>Z7q{8OlLJCLH;USx>%;Z@j=Asj&koW<la;Blb=wOEZ0VGZs>o!;~4#{$w-
z<aL;b4X6w@p!Rf=^D$JVwxTMs9a+<MBU4$Q>mNV`=$+(3r5QslFo{&n{%`|Q=fx)U
zVLttS)Sj-!Yq1k`cHTwZcLJ}$3&^fo7W=D(79&&Ia#VnKB9-@SEf;U`LTSN`m_j+u
zF<>k8>7d=jzGyFpS-l5Ga2r0rGo{SNQ3)jYVwFipZ9xetfQW0?;q$bc@I{=&EIt2E
zER5~pZd6HMM@9O!>;Dv0nL$j(AymevQ6;{N*JIkE*gUK8YTAuhfnB%)_d9>VFzo<?
zN?G5UxzNH-qZa5zm2xjCkVB|L_Bm?7Vbu7uu74Dj@vm5l(^!b5i({3kcdkKIvKcjh
z2YT9@9xh67j~j3dwcuB%Q+)=t@F>o}-*Ff(p-%B2t10mFsK;|0<8cZV=-;S4PoQjN
zn1!0Rx`_Jg)Za#jGI-Mcu*bFcp(gwYHQ_PTULSYAe~Fs-99H2tDxhLcs1EB&T!t;k
zF4-&2qqvmzNHO*2+*uCk*I)qkm^_S(u^#l{d#K2VP^Ftf9j<iht%-f81XiF*+=w%=
z1rxCqlduCRnsuQ9f7RoHC&k`D-Pn)+K1Ns@$76&lRhZRf4eHddLXBI8KI}xjM|Pqg
z-$x}jf~v?A>b)_yoYysmoZe<GZlL2R>c-2c$jfQyhA=9FI@A_4I@cio!P)(&O0*%d
znuip}4xko3fj*qTRLl&-GM|qm;8`gb%BULCu>l!t%~*@i;S&4?wWk?8Q#!N()E?f1
zdUbc9wr&?Hkb|gK_Gwh<$Iw!I|NBJqljp=otI`@1qc3FF#YHd7E=;Vb^o1%T;mWdL
zC>Tt+quzhl`bS$IX>H%&U)kKbKH>`p!$E&2<PXQjEsI9-zD|hd7EC8a^NT--i=HWI
GOZo@(WBPUg

diff --git a/canaille/translations/fr/LC_MESSAGES/messages.po b/canaille/translations/fr/LC_MESSAGES/messages.po
index 2c4482f5..b6c5f63a 100644
--- a/canaille/translations/fr/LC_MESSAGES/messages.po
+++ b/canaille/translations/fr/LC_MESSAGES/messages.po
@@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: contact@yaal.fr\n"
-"POT-Creation-Date: 2020-11-25 15:25+0100\n"
-"PO-Revision-Date: 2020-11-25 15:27+0100\n"
+"POT-Creation-Date: 2020-11-26 11:41+0100\n"
+"PO-Revision-Date: 2020-11-26 11:41+0100\n"
 "Last-Translator: Éloi Rivard <eloi@yaal.fr>\n"
 "Language: fr_FR\n"
 "Language-Team: French - France <equipe@yaal.fr>\n"
@@ -20,29 +20,29 @@ msgstr ""
 "Generated-By: Babel 2.8.1\n"
 "X-Generator: Gtranslator 3.38.0\n"
 
-#: canaille/account.py:61 canaille/oauth.py:58
+#: canaille/account.py:60 canaille/oauth.py:58
 msgid "Login failed, please check your information"
 msgstr "La connexion a échoué, veuillez vérifier vos informations."
 
-#: canaille/account.py:64
+#: canaille/account.py:63
 #, python-format
 msgid "Connection successful. Welcome %(user)s"
 msgstr "Connexion réussie. Bienvenue %(user)s"
 
-#: canaille/account.py:75
+#: canaille/account.py:74
 #, python-format
 msgid "You have been disconnected. See you next time %(user)s"
 msgstr "Vous avez été déconnectés. À bientôt %(user)s"
 
-#: canaille/account.py:92
+#: canaille/account.py:91
 msgid "Could not send the password initialization link."
 msgstr "Impossible d'envoyer le courriel d'initialisation de mot de passe."
 
-#: canaille/account.py:106
+#: canaille/account.py:105
 msgid "Password initialization on {website_name}"
 msgstr "Initialisation de votre mot de passe sur {website_name}"
 
-#: canaille/account.py:134
+#: canaille/account.py:133
 msgid ""
 "A password initialization link has been sent at your email address. You "
 "should receive it within 10 minutes."
@@ -50,7 +50,7 @@ msgstr ""
 "Un lien d'initialisation de votre mot de passe vous a été envoyé par mail. "
 "Vous devriez le recevoir d'ici une dizaine de minutes."
 
-#: canaille/account.py:140
+#: canaille/account.py:139
 msgid "Could not send the password initialization email"
 msgstr "Impossible d'envoyer le courriel d'initialisation de mot de passe."
 
@@ -62,24 +62,24 @@ msgstr "La création de l'utilisateur a échoué."
 msgid "User creation succeed."
 msgstr "La création de l'utilisateur a réussi."
 
-#: canaille/account.py:223
+#: canaille/account.py:224
 msgid "Profile edition failed."
 msgstr "L'édition du profil a échoué."
 
-#: canaille/account.py:237
+#: canaille/account.py:238
 msgid "Profile updated successfuly."
 msgstr "Le profil a été mis à jour avec succès."
 
-#: canaille/account.py:253
+#: canaille/account.py:254
 #, python-format
 msgid "The user %(user)s has been sucessfuly deleted"
 msgstr "L'utilisateur %(user)s a bien été supprimé"
 
-#: canaille/account.py:276
+#: canaille/account.py:277
 msgid "Could not send the password reset link."
 msgstr "Impossible d'envoyer le lien de réinitialisation."
 
-#: canaille/account.py:283 canaille/account.py:329
+#: canaille/account.py:284 canaille/account.py:330
 msgid ""
 "A password reset link has been sent at your email address. You should "
 "receive it within 10 minutes."
@@ -87,19 +87,19 @@ msgstr ""
 "Un lien de ré-initialisation de votre mot de passe vous a été envoyé par "
 "mail. Vous devriez le recevoir d'ici une dizaine de minutes."
 
-#: canaille/account.py:301
+#: canaille/account.py:302
 msgid "Password reset on {website_name}"
 msgstr "Réinitialisation du mot de passe sur {website_name}"
 
-#: canaille/account.py:335
+#: canaille/account.py:336
 msgid "Could not reset your password"
 msgstr "Impossible de réinitialiser votre mot de passe"
 
-#: canaille/account.py:349
+#: canaille/account.py:350
 msgid "The password reset link that brought you here was invalid."
 msgstr "Le lien de réinitialisation qui vous a amené ici est invalide."
 
-#: canaille/account.py:358
+#: canaille/account.py:359
 msgid "Your password has been updated successfuly"
 msgstr "Votre mot de passe a correctement été mis à jour."
 
@@ -111,63 +111,80 @@ msgstr "Impossible de supprimer cet accès."
 msgid "The access has been revoked"
 msgstr "L'accès a été révoqué."
 
-#: canaille/forms.py:8 canaille/forms.py:25
+#: canaille/forms.py:9 canaille/forms.py:26
 msgid "Login"
 msgstr "Identifiant"
 
-#: canaille/forms.py:11 canaille/forms.py:28 canaille/forms.py:81
+#: canaille/forms.py:12 canaille/forms.py:29 canaille/forms.py:77
 msgid "jane@doe.com"
 msgstr "martin@dupont.fr"
 
-#: canaille/forms.py:18 canaille/forms.py:37 canaille/forms.py:100
-#: canaille/forms.py:110
+#: canaille/forms.py:19 canaille/forms.py:38 canaille/forms.py:87
 msgid "Password"
 msgstr "Mot de passe"
 
-#: canaille/forms.py:40 canaille/forms.py:104 canaille/forms.py:117
+#: canaille/forms.py:41 canaille/forms.py:91
 msgid "Password confirmation"
 msgstr "Confirmation du mot de passe"
 
-#: canaille/forms.py:43 canaille/forms.py:95
+#: canaille/forms.py:44 canaille/forms.py:94
 msgid "Password and confirmation do not match."
 msgstr "Le mot de passe et sa confirmation ne correspondent pas."
 
-#: canaille/forms.py:51
+#: canaille/forms.py:52
 msgid "Username"
 msgstr "Identifiant"
 
-#: canaille/forms.py:52
+#: canaille/forms.py:53
 msgid "jdoe"
 msgstr "mdupont"
 
-#: canaille/forms.py:57
+#: canaille/admin/clients.py:23 canaille/forms.py:56
+#: canaille/templates/admin/client_list.html:25
+#: canaille/templates/users.html:22
+msgid "Name"
+msgstr "Nom"
+
+#: canaille/forms.py:58
 msgid "Given name"
 msgstr "Prénom"
 
-#: canaille/forms.py:59
+#: canaille/forms.py:60
 msgid "John"
 msgstr "Martin"
 
-#: canaille/forms.py:65
+#: canaille/forms.py:66
 msgid "Family Name"
 msgstr "Nom de famille"
 
-#: canaille/forms.py:67
+#: canaille/forms.py:68
 msgid "Doe"
 msgstr "Dupont"
 
-#: canaille/forms.py:78
+#: canaille/forms.py:74
 msgid "Email address"
 msgstr "Courriel"
 
-#: canaille/forms.py:88 canaille/templates/users.html:24
+#: canaille/forms.py:83 canaille/templates/users.html:24
 msgid "Phone number"
 msgstr "Numéro de téléphone"
 
-#: canaille/forms.py:88
+#: canaille/forms.py:83
 msgid "555-000-555"
 msgstr "06 01 02 03 04"
 
+#: canaille/forms.py:85
+msgid "Photo"
+msgstr "Photo"
+
+#: canaille/forms.py:99
+msgid "Number"
+msgstr "Numéro"
+
+#: canaille/forms.py:101
+msgid "1234"
+msgstr "1234"
+
 #: canaille/oauth.py:25
 msgid "Personnal information about yourself, such as your name or your gender."
 msgstr "Vos informations personnelles, comme votre nom ou votre genre."
@@ -188,11 +205,6 @@ msgstr "Votre numéro de téléphone."
 msgid "You have been successfully logged out."
 msgstr "Vous avez été déconnectés."
 
-#: canaille/admin/clients.py:23 canaille/templates/admin/client_list.html:25
-#: canaille/templates/users.html:22
-msgid "Name"
-msgstr "Nom"
-
 #: canaille/admin/clients.py:28
 msgid "Contact"
 msgstr "Contact"
@@ -451,7 +463,7 @@ msgstr ""
 "        "
 
 #: canaille/templates/forgotten-password.html:36
-#: canaille/templates/profile.html:77
+#: canaille/templates/profile.html:89
 msgid "Send"
 msgstr "Envoyer"
 
@@ -514,11 +526,11 @@ msgstr "Éditez les informations d'un utilisateur"
 msgid "Personal information"
 msgstr "Informations personnelles"
 
-#: canaille/templates/profile.html:69
+#: canaille/templates/profile.html:77
 msgid "Account information"
 msgstr "Informations sur le compte"
 
-#: canaille/templates/profile.html:81
+#: canaille/templates/profile.html:93
 msgid "Delete the user"
 msgstr "Supprimer l'utilisateur"
 
diff --git a/canaille/translations/messages.pot b/canaille/translations/messages.pot
index 580052d1..8050cf73 100644
--- a/canaille/translations/messages.pot
+++ b/canaille/translations/messages.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2020-11-25 15:25+0100\n"
+"POT-Creation-Date: 2020-11-26 11:41+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -17,35 +17,35 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Generated-By: Babel 2.8.1\n"
 
-#: canaille/account.py:61 canaille/oauth.py:58
+#: canaille/account.py:60 canaille/oauth.py:58
 msgid "Login failed, please check your information"
 msgstr ""
 
-#: canaille/account.py:64
+#: canaille/account.py:63
 #, python-format
 msgid "Connection successful. Welcome %(user)s"
 msgstr ""
 
-#: canaille/account.py:75
+#: canaille/account.py:74
 #, python-format
 msgid "You have been disconnected. See you next time %(user)s"
 msgstr ""
 
-#: canaille/account.py:92
+#: canaille/account.py:91
 msgid "Could not send the password initialization link."
 msgstr ""
 
-#: canaille/account.py:106
+#: canaille/account.py:105
 msgid "Password initialization on {website_name}"
 msgstr ""
 
-#: canaille/account.py:134
+#: canaille/account.py:133
 msgid ""
 "A password initialization link has been sent at your email address. You "
 "should receive it within 10 minutes."
 msgstr ""
 
-#: canaille/account.py:140
+#: canaille/account.py:139
 msgid "Could not send the password initialization email"
 msgstr ""
 
@@ -57,42 +57,42 @@ msgstr ""
 msgid "User creation succeed."
 msgstr ""
 
-#: canaille/account.py:223
+#: canaille/account.py:224
 msgid "Profile edition failed."
 msgstr ""
 
-#: canaille/account.py:237
+#: canaille/account.py:238
 msgid "Profile updated successfuly."
 msgstr ""
 
-#: canaille/account.py:253
+#: canaille/account.py:254
 #, python-format
 msgid "The user %(user)s has been sucessfuly deleted"
 msgstr ""
 
-#: canaille/account.py:276
+#: canaille/account.py:277
 msgid "Could not send the password reset link."
 msgstr ""
 
-#: canaille/account.py:283 canaille/account.py:329
+#: canaille/account.py:284 canaille/account.py:330
 msgid ""
 "A password reset link has been sent at your email address. You should "
 "receive it within 10 minutes."
 msgstr ""
 
-#: canaille/account.py:301
+#: canaille/account.py:302
 msgid "Password reset on {website_name}"
 msgstr ""
 
-#: canaille/account.py:335
+#: canaille/account.py:336
 msgid "Could not reset your password"
 msgstr ""
 
-#: canaille/account.py:349
+#: canaille/account.py:350
 msgid "The password reset link that brought you here was invalid."
 msgstr ""
 
-#: canaille/account.py:358
+#: canaille/account.py:359
 msgid "Your password has been updated successfuly"
 msgstr ""
 
@@ -104,63 +104,80 @@ msgstr ""
 msgid "The access has been revoked"
 msgstr ""
 
-#: canaille/forms.py:8 canaille/forms.py:25
+#: canaille/forms.py:9 canaille/forms.py:26
 msgid "Login"
 msgstr ""
 
-#: canaille/forms.py:11 canaille/forms.py:28 canaille/forms.py:81
+#: canaille/forms.py:12 canaille/forms.py:29 canaille/forms.py:77
 msgid "jane@doe.com"
 msgstr ""
 
-#: canaille/forms.py:18 canaille/forms.py:37 canaille/forms.py:100
-#: canaille/forms.py:110
+#: canaille/forms.py:19 canaille/forms.py:38 canaille/forms.py:87
 msgid "Password"
 msgstr ""
 
-#: canaille/forms.py:40 canaille/forms.py:104 canaille/forms.py:117
+#: canaille/forms.py:41 canaille/forms.py:91
 msgid "Password confirmation"
 msgstr ""
 
-#: canaille/forms.py:43 canaille/forms.py:95
+#: canaille/forms.py:44 canaille/forms.py:94
 msgid "Password and confirmation do not match."
 msgstr ""
 
-#: canaille/forms.py:51
+#: canaille/forms.py:52
 msgid "Username"
 msgstr ""
 
-#: canaille/forms.py:52
+#: canaille/forms.py:53
 msgid "jdoe"
 msgstr ""
 
-#: canaille/forms.py:57
+#: canaille/admin/clients.py:23 canaille/forms.py:56
+#: canaille/templates/admin/client_list.html:25
+#: canaille/templates/users.html:22
+msgid "Name"
+msgstr ""
+
+#: canaille/forms.py:58
 msgid "Given name"
 msgstr ""
 
-#: canaille/forms.py:59
+#: canaille/forms.py:60
 msgid "John"
 msgstr ""
 
-#: canaille/forms.py:65
+#: canaille/forms.py:66
 msgid "Family Name"
 msgstr ""
 
-#: canaille/forms.py:67
+#: canaille/forms.py:68
 msgid "Doe"
 msgstr ""
 
-#: canaille/forms.py:78
+#: canaille/forms.py:74
 msgid "Email address"
 msgstr ""
 
-#: canaille/forms.py:88 canaille/templates/users.html:24
+#: canaille/forms.py:83 canaille/templates/users.html:24
 msgid "Phone number"
 msgstr ""
 
-#: canaille/forms.py:88
+#: canaille/forms.py:83
 msgid "555-000-555"
 msgstr ""
 
+#: canaille/forms.py:85
+msgid "Photo"
+msgstr ""
+
+#: canaille/forms.py:99
+msgid "Number"
+msgstr ""
+
+#: canaille/forms.py:101
+msgid "1234"
+msgstr ""
+
 #: canaille/oauth.py:25
 msgid "Personnal information about yourself, such as your name or your gender."
 msgstr ""
@@ -181,11 +198,6 @@ msgstr ""
 msgid "You have been successfully logged out."
 msgstr ""
 
-#: canaille/admin/clients.py:23 canaille/templates/admin/client_list.html:25
-#: canaille/templates/users.html:22
-msgid "Name"
-msgstr ""
-
 #: canaille/admin/clients.py:28
 msgid "Contact"
 msgstr ""
@@ -428,7 +440,7 @@ msgid ""
 msgstr ""
 
 #: canaille/templates/forgotten-password.html:36
-#: canaille/templates/profile.html:77
+#: canaille/templates/profile.html:89
 msgid "Send"
 msgstr ""
 
@@ -489,11 +501,11 @@ msgstr ""
 msgid "Personal information"
 msgstr ""
 
-#: canaille/templates/profile.html:69
+#: canaille/templates/profile.html:77
 msgid "Account information"
 msgstr ""
 
-#: canaille/templates/profile.html:81
+#: canaille/templates/profile.html:93
 msgid "Delete the user"
 msgstr ""
 
diff --git a/demo/conf/canaille.toml b/demo/conf/canaille.toml
index 1eef9984..5dee5988 100644
--- a/demo/conf/canaille.toml
+++ b/demo/conf/canaille.toml
@@ -54,6 +54,19 @@ ADMIN_FILTER = "memberof=cn=admins,ou=groups,dc=mydomain,dc=tld"
 # USER_ADMIN_FILTER = "uid=moderator"
 USER_ADMIN_FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"
 
+# The list of ldap fields you want to be editable by the
+# users.
+FIELDS = [
+  "uid",
+  "mail",
+  "givenName",
+  "sn",
+  "userPassword",
+  "telephoneNumber",
+  "employeeNumber",
+# "photo",
+]
+
 # The jwt configuration. You can generate a RSA keypair with:
 # ssh-keygen -t rsa -b 4096 -m PEM -f private.pem
 # openssl rsa -in private.pem -pubout -outform PEM -out public.pem
diff --git a/demo/ldif/bootstrap.ldif b/demo/ldif/bootstrap.ldif
index 73830d15..ca26a75a 100644
--- a/demo/ldif/bootstrap.ldif
+++ b/demo/ldif/bootstrap.ldif
@@ -31,6 +31,7 @@ sn: Doe
 uid: admin
 mail: admin@mydomain.tld
 telephoneNumber: 555-000-000
+employeeNumber: 1000
 userPassword: {SSHA}7zQVLckaEc6cJEsS0ylVipvb2PAR/4tS
 memberof: cn=admins,ou=groups,dc=mydomain,dc=tld
 memberof: cn=users,ou=groups,dc=mydomain,dc=tld
@@ -44,6 +45,7 @@ sn: Doe
 uid: moderator
 mail: moderator@mydomain.tld
 telephoneNumber: 555-000-002
+employeeNumber: 1002
 userPassword: {SSHA}+eHyxWqajMHsOWnhONC2vbtfNZzKTkag
 memberof: cn=moderators,ou=groups,dc=mydomain,dc=tld
 
@@ -56,6 +58,7 @@ sn: Doe
 uid: user
 mail: user@mydomain.tld
 telephoneNumber: 555-000-001
+employeeNumber: 1001
 userPassword: {SSHA}Yr1ZxSljRsKyaTB30suY2iZ1KRTStF1X
 memberof: cn=users,ou=groups,dc=mydomain,dc=tld
 
diff --git a/tests/conftest.py b/tests/conftest.py
index c34add54..a1b70c46 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -132,6 +132,15 @@ def app(slapd_server, keypair_path):
                 "USER_CLASS": "inetOrgPerson",
                 "ADMIN_FILTER": "(|(uid=admin)(sn=admin))",
                 "USER_ADMIN_FILTER": "(|(uid=moderator)(sn=moderator))",
+                "FIELDS": [
+                    "uid",
+                    "mail",
+                    "givenName",
+                    "sn",
+                    "userPassword",
+                    "telephoneNumber",
+                    "employeeNumber",
+                ],
             },
             "JWT": {
                 "PUBLIC_KEY": public_key_path,
diff --git a/tests/test_profile.py b/tests/test_profile.py
index 283bf56e..7d83b99b 100644
--- a/tests/test_profile.py
+++ b/tests/test_profile.py
@@ -4,13 +4,15 @@ from canaille.models import User
 def test_profile(testclient, slapd_connection, logged_user):
     res = testclient.get("/profile/user", status=200)
 
-    res.form["sub"] = "user"
-    res.form["given_name"] = "given_name"
-    res.form["family_name"] = "family_name"
-    res.form["email"] = "email@mydomain.tld"
-    res.form["phone_number"] = "555-666-777"
+    res.form["uid"] = "user"
+    res.form["givenName"] = "given_name"
+    res.form["sn"] = "family_name"
+    res.form["mail"] = "email@mydomain.tld"
+    res.form["telephoneNumber"] = "555-666-777"
+    res.form["employeeNumber"] = 666
 
     res = res.form.submit(name="action", value="edit", status=200)
+    assert "Profile updated successfuly." in res, str(res)
 
     logged_user.reload(slapd_connection)
 
@@ -19,6 +21,7 @@ def test_profile(testclient, slapd_connection, logged_user):
     assert ["family_name"] == logged_user.sn
     assert ["email@mydomain.tld"] == logged_user.mail
     assert ["555-666-777"] == logged_user.telephoneNumber
+    assert "666" == logged_user.employeeNumber
 
     with testclient.app.app_context():
         assert logged_user.check_password("correct horse battery staple")
@@ -27,7 +30,7 @@ def test_profile(testclient, slapd_connection, logged_user):
 def test_bad_email(testclient, slapd_connection, logged_user):
     res = testclient.get("/profile/user", status=200)
 
-    res.form["email"] = "john@doe.com"
+    res.form["mail"] = "john@doe.com"
 
     res = res.form.submit(name="action", value="edit", status=200)
 
@@ -35,7 +38,7 @@ def test_bad_email(testclient, slapd_connection, logged_user):
 
     res = testclient.get("/profile/user", status=200)
 
-    res.form["email"] = "yolo"
+    res.form["mail"] = "yolo"
 
     res = res.form.submit(name="action", value="edit", status=200)
 
@@ -113,11 +116,11 @@ def test_user_creation_edition_and_deletion(
 
     # Fill the profile for a new user.
     res = testclient.get("/profile", status=200)
-    res.form["sub"] = "george"
-    res.form["given_name"] = "George"
-    res.form["family_name"] = "Abitbol"
-    res.form["email"] = "george@abitbol.com"
-    res.form["phone_number"] = "555-666-888"
+    res.form["uid"] = "george"
+    res.form["givenName"] = "George"
+    res.form["sn"] = "Abitbol"
+    res.form["mail"] = "george@abitbol.com"
+    res.form["telephoneNumber"] = "555-666-888"
     res.form["password1"] = "totoyolo"
     res.form["password2"] = "totoyolo"
 
@@ -126,7 +129,7 @@ def test_user_creation_edition_and_deletion(
     with testclient.app.app_context():
         assert "George" == User.get("george", conn=slapd_connection).givenName[0]
     assert "george" in testclient.get("/users", status=200).text
-    res.form["given_name"] = "Georgio"
+    res.form["givenName"] = "Georgio"
 
     # User have been edited
     res = res.form.submit(name="action", value="edit", status=200)