From 926b4f47f189cd90bcb8784a2cd1102331e9c327 Mon Sep 17 00:00:00 2001
From: HB9HIL <fabian.berg@hb9hil.org>
Date: Wed, 18 Mar 2026 22:52:02 +0100
Subject: [PATCH] allow customizing the locked data batch in user edit

---
 application/config/sso.sample.php | 11 +++++++++++
 application/controllers/User.php  |  1 +
 application/views/user/edit.php   |  2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/application/config/sso.sample.php b/application/config/sso.sample.php
index e73102ed3..c16df4bdb 100644
--- a/application/config/sso.sample.php
+++ b/application/config/sso.sample.php
@@ -70,6 +70,17 @@ $config['auth_header_allow_direct_login'] = false;
 $config['auth_header_hide_password_field'] = true;
 
 
+/**
+ * --------------------------------------------------------------------------
+ * Locked Data Badge
+ * --------------------------------------------------------------------------
+ * 
+ * HTML snippet for a badge indicating that a field is locked and managed through the Identity Provider. This is shown next to fields in the user profile that are mapped to JWT claims and not allowed to be changed manually.
+ * You can customize the appearance and tooltip text as needed. Leave empty to use the default.
+ */
+$config['auth_header_locked_data_batch'] = "";
+
+
 /**
  *--------------------------------------------------------------------------
  * Access Token Header
diff --git a/application/controllers/User.php b/application/controllers/User.php
index a951bd26a..74d8977a5 100644
--- a/application/controllers/User.php
+++ b/application/controllers/User.php
@@ -450,6 +450,7 @@ class User extends CI_Controller {
 		}
 		$data['auth_header_allow_direct_login']  = $this->config->item('auth_header_allow_direct_login', 'sso') ?? true;
 		$data['auth_header_hide_password_field'] = $this->config->item('auth_header_hide_password_field', 'sso') ?? false;
+		$data['auth_header_locked_data_batch'] = $this->config->item('auth_header_locked_data_batch', 'sso') ?: '<span class="badge bg-secondary ms-1" data-bs-toggle="tooltip" title="' . __("Can't be changed. Manage this through your Identity Provider.") . '"><i class="fa fa-lock"></i> IdP</span>';
 		$data['sso_claim_config'] = $this->config->item('auth_headers_claim_config', 'sso') ?: [];
 
 		$data['page_title'] = __("Edit User");
diff --git a/application/views/user/edit.php b/application/views/user/edit.php
index 400c91085..7544fc746 100644
--- a/application/views/user/edit.php
+++ b/application/views/user/edit.php
@@ -58,7 +58,7 @@
 										$idp_locked = function($field) use ($external_account, $sso_claim_config) {
 											return $external_account && isset($sso_claim_config[$field]) && empty($sso_claim_config[$field]['allow_manual_change']);
 										};
-										$idp_badge = '<span class="badge bg-secondary ms-1" data-bs-toggle="tooltip" title="' . __("Can't be changed. Manage this through your Identity Provider.") . '"><i class="fa fa-lock"></i> IdP</span>';
+										$idp_badge = $auth_header_locked_data_batch;
 									?>
 
 									<div class="mb-3">