feat: add AccountSettingsReadOnlyFieldsStep pipeline step

Author: kiram15

CHANGELOG.rst

@@ -17,6 +17,10 @@ Unreleased
 ----------
 * nothing unreleased
 
+[6.8.4] - 2026-03-30
+---------------------
+* feat: add AccountSettingsEnterpriseReadOnlyFieldsStep pipeline step (ENT-11510)
+
 [6.8.3] - 2026-03-27
 ---------------------
 * fix: Move settings reads out of AppConfig, into consumers

enterprise/__init__.py

@@ -2,4 +2,4 @@
 Your project description goes here.
 """
 
-__version__ = "6.8.3"
+__version__ = "6.8.4"

enterprise/filters/__init__.py

@@ -0,0 +1,78 @@
+"""
+Pipeline step for determining read-only account settings fields.
+"""
+from openedx_filters.filters import PipelineStep
+from social_django.models import UserSocialAuth
+
+from django.conf import settings
+
+try:
+    from common.djangoapps import third_party_auth
+except ImportError:
+    third_party_auth = None
+
+from enterprise.models import EnterpriseCustomerIdentityProvider, EnterpriseCustomerUser
+
+
+class AccountSettingsEnterpriseReadOnlyFieldsStep(PipelineStep):
+    """
+    Adds SSO-managed fields to the read-only account settings fields set.
+
+    This step is intended to be registered as a pipeline step for the
+    ``org.openedx.learning.account.settings.read_only_fields.requested.v1`` filter.
+
+    When a user is linked to an enterprise customer whose SSO identity provider has
+    ``sync_learner_profile_data`` enabled, the fields listed in
+    ``settings.ENTERPRISE_READONLY_ACCOUNT_FIELDS`` are added to ``readonly_fields``.
+    The ``"name"`` field is only added when the user has an existing ``UserSocialAuth``
+    record for the enterprise IdP backend.
+    """
+
+    def run_filter(self, readonly_fields, user):  # pylint: disable=arguments-differ
+        """
+        Add enterprise SSO-managed fields to the read-only fields set.
+
+        Arguments:
+            readonly_fields (set): current set of read-only account field names.
+            user (User): the Django User whose account settings are being updated.
+
+        Returns:
+            dict: updated pipeline data with ``readonly_fields`` key.
+        """
+        enterprise_customer_user = (
+            EnterpriseCustomerUser.objects.filter(user_id=user.id)
+            .order_by('-active', '-modified')
+            .select_related('enterprise_customer')
+            .first()
+        )
+        if not enterprise_customer_user:
+            return {"readonly_fields": readonly_fields, "user": user}
+
+        enterprise_customer = enterprise_customer_user.enterprise_customer
+
+        try:
+            idp_record = EnterpriseCustomerIdentityProvider.objects.get(
+                enterprise_customer=enterprise_customer
+            )
+        except EnterpriseCustomerIdentityProvider.DoesNotExist:
+            return {"readonly_fields": readonly_fields, "user": user}
+
+        identity_provider = third_party_auth.provider.Registry.get(
+            provider_id=idp_record.provider_id
+        )
+
+        if not identity_provider or not getattr(identity_provider, 'sync_learner_profile_data', False):
+            return {"readonly_fields": readonly_fields, "user": user}
+
+        enterprise_readonly = set(getattr(settings, 'ENTERPRISE_READONLY_ACCOUNT_FIELDS', []))
+
+        if 'name' in enterprise_readonly:
+            backend_name = getattr(identity_provider, 'backend_name', None)
+            has_social_auth = (
+                backend_name
+                and UserSocialAuth.objects.filter(provider=backend_name, user=user).exists()
+            )
+            if not has_social_auth:
+                enterprise_readonly = enterprise_readonly - {'name'}
+
+        return {"readonly_fields": readonly_fields | enterprise_readonly, "user": user}

enterprise/filters/accounts.py

@@ -5,15 +5,12 @@
 import csv
 import logging
 
+from social_django.models import UserSocialAuth
+
 from django.core.exceptions import ValidationError
 from django.core.management.base import BaseCommand
 from django.db import transaction
 
-try:
-    from social_django.models import UserSocialAuth
-except ImportError:
-    UserSocialAuth = None
-
 logger = logging.getLogger(__name__)
 
 

enterprise/management/commands/update_enterprise_social_auth_uids.py

@@ -6,21 +6,14 @@
 from datetime import datetime
 from logging import getLogger
 
+from social_core.pipeline.partial import partial
+from social_django.models import UserSocialAuth
+
 from django.urls import reverse
 
 from enterprise.models import EnterpriseCustomer, EnterpriseCustomerUser
 from enterprise.utils import get_identity_provider, get_social_auth_from_idp
 
-try:
-    from social_core.pipeline.partial import partial
-except ImportError:
-    from enterprise.decorators import null_decorator as partial
-
-try:
-    from social_django.models import UserSocialAuth
-except ImportError:
-    UserSocialAuth = None
-
 try:
     from common.djangoapps.third_party_auth.provider import Registry
 except ImportError:

enterprise/tpa_pipeline.py

@@ -17,6 +17,7 @@
 from edx_django_utils.cache import TieredCache
 from edx_django_utils.cache import get_cache_key as get_django_cache_key
 from slumber.exceptions import HttpClientError
+from social_django.models import UserSocialAuth
 
 from django.apps import apps
 from django.conf import settings
@@ -88,11 +89,6 @@
 except ImportError:
     get_url = None
 
-try:
-    from social_django.models import UserSocialAuth
-except ImportError:
-    UserSocialAuth = None
-
 # Only create manual enrollments if running in edx-platform
 try:
     from common.djangoapps.student.api import (

enterprise/utils.py

@@ -32,6 +32,7 @@ jsondiff
 jsonfield
 openedx-atlas
 openedx-events
+openedx-filters
 paramiko
 path.py
 pillow

requirements/base.in

@@ -11,6 +11,7 @@ isort                     # to standardize order of imports
 pip-tools                 # Requirements file management
 pycodestyle               # PEP 8 compliance validation
 pydocstyle                # PEP 257 compliance validation
+social-auth-app-django    # adding explicit requirement to prevent defensive imports
 testfixtures              # Mock objects for unit tests and doc tests
 tox                       # virtualenv management for tests
 twine==1.11.0             # Utility for PyPI package uploads

requirements/dev.in

@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    make upgrade
+#    pip-compile --output-file=requirements/dev.txt requirements/dev.in
 #
 accessible-pygments==0.0.5
     # via
@@ -204,6 +204,8 @@ defusedxml==0.7.1
     #   -r requirements/test-master.txt
     #   -r requirements/test.txt
     #   djangorestframework-xml
+    #   python3-openid
+    #   social-auth-core
 diff-cover==10.2.0
     # via -r requirements/test.txt
 dill==0.4.1
@@ -239,6 +241,8 @@ django==5.2.12
     #   edx-toggles
     #   jsonfield
     #   openedx-events
+    #   openedx-filters
+    #   social-auth-app-django
 django-cache-memoize==0.2.1
     # via
     #   -r requirements/doc.txt
@@ -413,6 +417,7 @@ edx-opaque-keys[django]==3.1.0
     #   edx-ccx-keys
     #   edx-drf-extensions
     #   openedx-events
+    #   openedx-filters
 edx-rbac==3.0.0
     # via
     #   -r requirements/doc.txt
@@ -671,6 +676,8 @@ oauthlib==3.3.1
     #   -r requirements/test-master.txt
     #   -r requirements/test.txt
     #   django-oauth-toolkit
+    #   requests-oauthlib
+    #   social-auth-core
 openedx-atlas==0.7.0
     # via
     #   -r requirements/doc.txt
@@ -681,6 +688,11 @@ openedx-events==11.1.0
     #   -r requirements/doc.txt
     #   -r requirements/test-master.txt
     #   -r requirements/test.txt
+openedx-filters==2.1.0
+    # via
+    #   -r requirements/doc.txt
+    #   -r requirements/test-master.txt
+    #   -r requirements/test.txt
 packaging==26.0
     # via
     #   -r requirements/doc.txt
@@ -823,6 +835,7 @@ pyjwt[crypto]==2.12.1
     #   edx-rest-api-client
     #   firebase-admin
     #   snowflake-connector-python
+    #   social-auth-core
 pylint==3.3.9
     # via
     #   -c requirements/constraints.txt
@@ -898,6 +911,10 @@ python-slugify==8.0.4
     #   -r requirements/test-master.txt
     #   -r requirements/test.txt
     #   code-annotations
+python3-openid==3.2.0
+    # via
+    #   -r requirements/test.txt
+    #   social-auth-core
 pytz==2026.1.post1
     # via
     #   -r requirements/doc.txt
@@ -930,13 +947,19 @@ requests==2.32.5
     #   edx-rest-api-client
     #   google-api-core
     #   google-cloud-storage
+    #   requests-oauthlib
     #   requests-toolbelt
     #   responses
     #   sailthru-client
     #   slumber
     #   snowflake-connector-python
+    #   social-auth-core
     #   sphinx
     #   twine
+requests-oauthlib==2.0.0
+    # via
+    #   -r requirements/test.txt
+    #   social-auth-core
 requests-toolbelt==1.0.0
     # via twine
 responses==0.26.0
@@ -1007,6 +1030,12 @@ snowflake-connector-python==4.3.0
     #   -r requirements/doc.txt
     #   -r requirements/test-master.txt
     #   -r requirements/test.txt
+social-auth-app-django==5.7.0
+    # via -r requirements/test.txt
+social-auth-core==4.8.5
+    # via
+    #   -r requirements/test.txt
+    #   social-auth-app-django
 sortedcontainers==2.4.0
     # via
     #   -r requirements/doc.txt