Make User and Group read-only in Admin interface

User and Group shall not be created locally.
They all come from the LDAP/AD server.

app/admin/views.py

@@ -11,7 +11,7 @@ This module customizes the admin views.
 """
 from flask_admin.contrib import sqla
 from flask_login import current_user
-from ..models import Item
+from ..models import Item, User, Group
 from .. import utils
 
 
@@ -21,6 +21,24 @@ class AdminModelView(sqla.ModelView):
         return current_user.is_authenticated and current_user.is_admin
 
 
+class GroupAdmin(AdminModelView):
+    can_create = False
+    can_edit = False
+    can_delete = False
+
+    def __init__(self, session):
+        super().__init__(Group, session)
+
+
+class UserAdmin(AdminModelView):
+    can_create = False
+    can_edit = False
+    can_delete = False
+
+    def __init__(self, session):
+        super().__init__(User, session)
+
+
 class ItemAdmin(AdminModelView):
 
     def __init__(self, session):

app/factory.py

@@ -13,8 +13,8 @@ import sqlalchemy as sa
 from flask import Flask
 from . import settings
 from .extensions import db, migrate, login_manager, ldap_manager, bootstrap, admin, mail, jwt
-from .models import User, Group, Action, Manufacturer, Model, Location, Status
-from .admin.views import AdminModelView, ItemAdmin
+from .models import Action, Manufacturer, Model, Location, Status
+from .admin.views import AdminModelView, ItemAdmin, UserAdmin, GroupAdmin
 from .main.views import bp as main
 from .users.views import bp as users
 from .api.main import bp as api
@@ -90,8 +90,8 @@ def create_app(config=None):
     jwt.init_app(app)
 
     admin.init_app(app)
-    admin.add_view(AdminModelView(Group, db.session))
-    admin.add_view(AdminModelView(User, db.session))
+    admin.add_view(GroupAdmin(db.session))
+    admin.add_view(UserAdmin(db.session))
     admin.add_view(AdminModelView(Action, db.session))
     admin.add_view(AdminModelView(Manufacturer, db.session))
     admin.add_view(AdminModelView(Model, db.session))