ui(users): oidc chip on list + readonly fields on edit for OIDC users

internal/server/http/ui_users.go

@@ -51,6 +51,7 @@ type userRow struct {
 	LastLoginAt        string // pre-formatted "2006-01-02 15:04:05" or "never"
 	Disabled           bool
 	MustChangePassword bool
+	AuthSource         string
 }
 
 func (s *Server) handleUIUsersList(w stdhttp.ResponseWriter, r *stdhttp.Request) {
@@ -104,6 +105,7 @@ func (s *Server) handleUIUsersList(w stdhttp.ResponseWriter, r *stdhttp.Request)
 			Role: string(ux.Role), LastLoginAt: ll,
 			Disabled:           ux.DisabledAt != nil,
 			MustChangePassword: ux.MustChangePassword,
+			AuthSource:         ux.AuthSource,
 		})
 	}
 
@@ -157,7 +159,8 @@ type userFormPage struct {
 	// to add a username that already exists (disabled). Triggers a
 	// banner on the edit page explaining why and steering them at
 	// the Re-enable button. See handleUIUserNewPost's collision branch.
-	Reenable bool
+	Reenable   bool
+	AuthSource string
 }
 
 func (s *Server) handleUIUserNewGet(w stdhttp.ResponseWriter, r *stdhttp.Request) {
@@ -294,8 +297,9 @@ func (s *Server) handleUIUserEditGet(w stdhttp.ResponseWriter, r *stdhttp.Reques
 	view.Page = userFormPage{
 		Mode: "edit", ID: target.ID, Username: target.Username,
 		Email: em, Role: string(target.Role),
-		Disabled: target.DisabledAt != nil,
-		Reenable: r.URL.Query().Get("reenable") == "1",
+		Disabled:   target.DisabledAt != nil,
+		Reenable:   r.URL.Query().Get("reenable") == "1",
+		AuthSource: target.AuthSource,
 	}
 	_ = s.deps.UI.Render(w, "user_edit", view)
 }
@@ -315,6 +319,10 @@ func (s *Server) handleUIUserEditPost(w stdhttp.ResponseWriter, r *stdhttp.Reque
 		stdhttp.NotFound(w, r)
 		return
 	}
+	if target.AuthSource == "oidc" {
+		stdhttp.Error(w, "OIDC users cannot have role/email edited locally", stdhttp.StatusForbidden)
+		return
+	}
 	role, ok := validRole(r.PostForm.Get("role"))
 	if !ok {
 		stdhttp.Error(w, "bad role", stdhttp.StatusBadRequest)