From 764b687904ca11e846c51263953f37e9122cf4cf Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Wed, 27 Nov 2024 11:20:26 +0100
Subject: [PATCH] Add custom defaults & locking to user preferences - Closes
 #413

---
 .env.testing                                  | 12 +++
 app/Api/v1/Controllers/UserController.php     | 14 ++-
 app/Helpers/Helpers.php                       | 18 ++++
 app/Http/Controllers/SinglePageController.php |  2 +
 app/Models/User.php                           |  2 +-
 bootstrap/app.php                             |  7 +-
 config/2fauth.php                             | 86 ++++++++++++-------
 .../components/formElements/FormCheckbox.vue  |  9 +-
 .../js/components/formElements/FormField.vue  |  9 +-
 .../components/formElements/FormLockField.vue |  9 +-
 .../formElements/FormPasswordField.vue        |  7 +-
 .../js/components/formElements/FormSelect.vue |  9 +-
 .../components/formElements/FormTextarea.vue  |  9 +-
 .../js/components/formElements/FormToggle.vue |  9 +-
 resources/js/stores/appSettings.js            |  5 +-
 resources/js/stores/user.js                   | 10 +++
 resources/js/views/settings/Options.vue       | 59 +++++++------
 resources/lang/en/settings.php                | 13 +--
 resources/lang/en/twofaccounts.php            |  2 +-
 resources/views/landing.blade.php             |  1 +
 .../Controllers/Auth/UserControllerTest.php   | 39 ++++++++-
 tests/Unit/HelpersTest.php                    | 38 ++++++++
 vite.version.js                               |  2 +-
 23 files changed, 271 insertions(+), 100 deletions(-)

diff --git a/.env.testing b/.env.testing
index 86b3b38f..cdc7dd91 100644
--- a/.env.testing
+++ b/.env.testing
@@ -23,6 +23,18 @@ LOG_CHANNEL=stack
 DB_CONNECTION=testing
 DB_DATABASE=:memory:
 
+# valid overriden default
+USERPREF_DEFAULT__THEME=light
+
+# valid locked user preference
+USERPREF_LOCKED__THEME=true
+
+# invalid locked user preference
+USERPREF_LOCKED__DISPLAY_MODE=
+
+# malformed locked user preference
+USERPREF_LOCKED___FORMAT_PASSWORD=false
+
 # DB_CONNECTION=mysql
 # DB_HOST=localhost
 # DB_PORT=3306
diff --git a/app/Api/v1/Controllers/UserController.php b/app/Api/v1/Controllers/UserController.php
index cc6841c6..2b335d67 100644
--- a/app/Api/v1/Controllers/UserController.php
+++ b/app/Api/v1/Controllers/UserController.php
@@ -33,8 +33,9 @@ class UserController extends Controller
 
         $preferences->each(function (mixed $item, string $key) use ($jsonPrefs) {
             $jsonPrefs->push([
-                'key'   => $key,
-                'value' => $item,
+                'key'    => $key,
+                'value'  => $item,
+                'locked' => in_array($key, config('2fauth.lockedPreferences')),
             ]);
         });
 
@@ -53,8 +54,9 @@ class UserController extends Controller
         }
 
         return response()->json([
-            'key'   => $preferenceName,
-            'value' => $request->user()->preferences[$preferenceName],
+            'key'    => $preferenceName,
+            'value'  => $request->user()->preferences[$preferenceName],
+            'locked' => in_array($preferenceName, config('2fauth.lockedPreferences')),
         ], 200);
     }
 
@@ -69,6 +71,10 @@ class UserController extends Controller
             abort(404);
         }
 
+        if (in_array($preferenceName, config('2fauth.lockedPreferences'))) {
+            abort(403);
+        }
+
         $validated = $request->validated();
 
         $request->user()['preferences->' . $preferenceName] = $validated['value'];
diff --git a/app/Helpers/Helpers.php b/app/Helpers/Helpers.php
index fc5c5d0a..77bd5325 100644
--- a/app/Helpers/Helpers.php
+++ b/app/Helpers/Helpers.php
@@ -49,4 +49,22 @@ class Helpers
     {
         return Str::random($length) . '.' . $extension;
     }
+
+    /**
+     * Defines preferences locked for change.
+     * This helper is only intended to be called from the 2FAuth config file.
+     */
+    public static function lockedPreferences(array $preferences) : array
+    {
+        foreach ($preferences as $key => $value) {
+            $_key = $key === 'revealDottedOTP' ? 'revealDottedOtp' : $key;
+            $isLocked = envUnlessEmpty(Str::of($_key)->snake('_')->upper()->prepend('USERPREF_LOCKED__')->toString(), false);
+            
+            if ($isLocked) {
+                $lockedPreferences[] = $key;
+            }
+        }
+    
+        return $lockedPreferences ?? [];
+    }
 }
diff --git a/app/Http/Controllers/SinglePageController.php b/app/Http/Controllers/SinglePageController.php
index b5e499f0..209cff97 100644
--- a/app/Http/Controllers/SinglePageController.php
+++ b/app/Http/Controllers/SinglePageController.php
@@ -38,6 +38,7 @@ class SinglePageController extends Controller
         $proxyLogoutUrl     = config('2fauth.config.proxyLogoutUrl') ? config('2fauth.config.proxyLogoutUrl') : false;
         $subdir             = config('2fauth.config.appSubdirectory') ? '/' . config('2fauth.config.appSubdirectory') : '';
         $defaultPreferences = collect(config('2fauth.preferences')); /** @phpstan-ignore-line */
+        $lockedPreferences  = collect(config('2fauth.lockedPreferences')); /** @phpstan-ignore-line */
         $isDemoApp          = config('2fauth.config.isDemoApp') ? 'true' : 'false';
         $isTestingApp       = config('2fauth.config.isTestingApp') ? 'true' : 'false';
         $lang               = App::getLocale();
@@ -69,6 +70,7 @@ class SinglePageController extends Controller
                 'exportSchemaUrl' => $exportSchemaUrl,
             ]),
             'defaultPreferences' => $defaultPreferences,
+            'lockedPreferences'  => $lockedPreferences,
             'subdirectory'       => $subdir,
             'isDemoApp'          => $isDemoApp,
             'isTestingApp'       => $isTestingApp,
diff --git a/app/Models/User.php b/app/Models/User.php
index 47a97dfa..9af631ca 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -212,7 +212,7 @@ class User extends Authenticatable implements HasLocalePreference, WebAuthnAuthe
     public function getPreferencesAttribute($value)
     {
         $preferences = collect(config('2fauth.preferences'))->merge(json_decode($value));  /** @phpstan-ignore-line */
-
+        
         return $preferences;
     }
 
diff --git a/bootstrap/app.php b/bootstrap/app.php
index 29eaef8c..8695be52 100644
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@@ -13,15 +13,12 @@
 
 if (! function_exists('envUnlessEmpty')) {
     /**
-     * @param  string  $key
-     * @param  null  $default
-     *
      * @return mixed|null
      */
-    function envUnlessEmpty(string $key, $default = null)
+    function envUnlessEmpty(string $key, string|int|bool|float|null $default = null)
     {
         $result = env($key, $default);
-        if (is_string($result) && '' === $result) {
+        if ('' === $result) {
             $result = $default;
         }
 
diff --git a/config/2fauth.php b/config/2fauth.php
index 2644cbd0..8c013070 100644
--- a/config/2fauth.php
+++ b/config/2fauth.php
@@ -1,5 +1,47 @@
 <?php
 
+use App\Helpers\Helpers;
+use Illuminate\Support\Arr;
+
+$preferences = [
+    'showOtpAsDot'           => envUnlessEmpty('USERPREF_DEFAULT__SHOW_OTP_AS_DOT', false),
+    'showNextOtp'            => envUnlessEmpty('USERPREF_DEFAULT__SHOW_NEXT_OTP', false),
+    'revealDottedOTP'        => envUnlessEmpty('USERPREF_DEFAULT__REVEAL_DOTTED_OTP', false),
+    'closeOtpOnCopy'         => envUnlessEmpty('USERPREF_DEFAULT__CLOSE_OTP_ON_COPY', false),
+    'copyOtpOnDisplay'       => envUnlessEmpty('USERPREF_DEFAULT__COPY_OTP_ON_DISPLAY', false),
+    'clearSearchOnCopy'      => envUnlessEmpty('USERPREF_DEFAULT__CLEAR_SEARCH_ON_COPY', false),
+    'useBasicQrcodeReader'   => envUnlessEmpty('USERPREF_DEFAULT__USE_BASIC_QRCODE_READER', false),
+    'displayMode'            => envUnlessEmpty('USERPREF_DEFAULT__DISPLAY_MODE', 'list'),
+    'showAccountsIcons'      => envUnlessEmpty('USERPREF_DEFAULT__SHOW_ACCOUNTS_ICONS', true),
+    'kickUserAfter'          => envUnlessEmpty('USERPREF_DEFAULT__KICK_USER_AFTER', 15),
+    'activeGroup'            => 0,
+    'rememberActiveGroup'    => envUnlessEmpty('USERPREF_DEFAULT__REMEMBER_ACTIVE_GROUP', true),
+    'viewDefaultGroupOnCopy' => envUnlessEmpty('USERPREF_DEFAULT__VIEW_DEFAULT_GROUP_ON_COPY', false),
+    'defaultGroup'           => 0,
+    'defaultCaptureMode'     => envUnlessEmpty('USERPREF_DEFAULT__DEFAULT_CAPTURE_MODE', 'livescan'),
+    'useDirectCapture'       => envUnlessEmpty('USERPREF_DEFAULT__USE_DIRECT_CAPTURE', false),
+    'useWebauthnOnly'        => envUnlessEmpty('USERPREF_DEFAULT__USE_WEBAUTHN_ONLY', false),
+    'getOfficialIcons'       => envUnlessEmpty('USERPREF_DEFAULT__GET_OFFICIAL_ICONS', true),
+    'theme'                  => envUnlessEmpty('USERPREF_DEFAULT__THEME', 'system'),
+    'formatPassword'         => envUnlessEmpty('USERPREF_DEFAULT__FORMAT_PASSWORD', true),
+    'formatPasswordBy'       => envUnlessEmpty('USERPREF_DEFAULT__FORMAT_PASSWORD_BY', 0.5),
+    'lang'                   => envUnlessEmpty('USERPREF_DEFAULT__LANG', 'browser'),
+    'getOtpOnRequest'        => envUnlessEmpty('USERPREF_DEFAULT__GET_OTP_ON_REQUEST', true),
+    'notifyOnNewAuthDevice'  => envUnlessEmpty('USERPREF_DEFAULT__NOTIFY_ON_NEW_AUTH_DEVICE', false),
+    'notifyOnFailedLogin'    => envUnlessEmpty('USERPREF_DEFAULT__NOTIFY_ON_FAILED_LOGIN', false),
+    'timezone'               => envUnlessEmpty('USERPREF_DEFAULT__TIMEZONE', 'UTC'),
+    'sortCaseSensitive'      => envUnlessEmpty('USERPREF_DEFAULT__SORT_CASE_SENSITIVE', false),
+    'autoCloseTimeout'       => envUnlessEmpty('USERPREF_DEFAULT__AUTO_CLOSE_TIMEOUT', 2),
+    'AutoSaveQrcodedAccount' => envUnlessEmpty('USERPREF_DEFAULT__AUTO_SAVE_QRCODED_ACCOUNT', false),
+    'showEmailInFooter'      => envUnlessEmpty('USERPREF_DEFAULT__SHOW_EMAIL_IN_FOOTER', true),
+];
+
+$nonLockablePreferences = [
+    'activeGroup',
+    'defaultGroup',
+    'useWebauthnOnly',
+];
+
 return [
 
     /*
@@ -107,37 +149,17 @@ return [
     |
     */
 
-    'preferences' => [
-        'showOtpAsDot' => false,
-        'showNextOtp' => false,
-        'revealDottedOTP' => false,
-        'closeOtpOnCopy' => false,
-        'copyOtpOnDisplay' => false,
-        'clearSearchOnCopy' => false,
-        'useBasicQrcodeReader' => false,
-        'displayMode' => 'list',
-        'showAccountsIcons' => true,
-        'kickUserAfter' => 15,
-        'activeGroup' => 0,
-        'rememberActiveGroup' => true,
-        'viewDefaultGroupOnCopy' => false,
-        'defaultGroup' => 0,
-        'defaultCaptureMode' => 'livescan',
-        'useDirectCapture' => false,
-        'useWebauthnOnly' => false,
-        'getOfficialIcons' => true,
-        'theme' => 'system',
-        'formatPassword' => true,
-        'formatPasswordBy' => 0.5,
-        'lang' => 'browser',
-        'getOtpOnRequest' => true,
-        'notifyOnNewAuthDevice' => false,
-        'notifyOnFailedLogin' => false,
-        'timezone' => env('APP_TIMEZONE', 'UTC'),
-        'sortCaseSensitive' => false,
-        'autoCloseTimeout' => 2,
-        'AutoSaveQrcodedAccount' => false,
-        'showEmailInFooter' => true,
-    ],
+    'preferences' => $preferences,
+    
+
+    /*
+    |--------------------------------------------------------------------------
+    | List of user preferences locked against user customization
+    | These settings cannot be overloaded and persisted by each user
+    |--------------------------------------------------------------------------
+    |
+    */
+
+    'lockedPreferences' => Helpers::lockedPreferences(Arr::except($preferences, $nonLockablePreferences)),
 
 ];
diff --git a/resources/js/components/formElements/FormCheckbox.vue b/resources/js/components/formElements/FormCheckbox.vue
index 14d9d7b0..f33f80b0 100644
--- a/resources/js/components/formElements/FormCheckbox.vue
+++ b/resources/js/components/formElements/FormCheckbox.vue
@@ -26,6 +26,7 @@
         },
         isIndented: Boolean,
         isDisabled: Boolean,
+        isLocked: Boolean,
     })
 
     const emit = defineEmits(['update:modelValue'])
@@ -49,12 +50,14 @@
 
 <template>
     <div class="field is-flex">
-        <div v-if="isIndented" class="mx-2 pr-1" :style="{ 'opacity': isDisabled ? '0.5' : '1' }">
+        <div v-if="isIndented" class="mx-2 pr-1" :class="{ 'is-opacity-5' : isDisabled || isLocked }">
             <FontAwesomeIcon class="has-text-grey" :icon="['fas', 'chevron-right']" transform="rotate-135"/>
         </div>
         <div>
-            <input :id="fieldName" type="checkbox" :name="fieldName" class="is-checkradio is-info" v-model="model" :disabled="isDisabled" :aria-describedby="help ? legendId : undefined" />
-            <label tabindex="0" :for="fieldName" class="label" :class="labelClass" v-html="$t(label)" v-on:keypress.space.prevent="toggleModel" />
+            <input :id="fieldName" type="checkbox" :name="fieldName" class="is-checkradio is-info" v-model="model" :disabled="isDisabled || isLocked" :aria-describedby="help ? legendId : undefined" />
+            <label tabindex="0" :for="fieldName" class="label" :class="labelClass" v-on:keypress.space.prevent="toggleModel">
+                {{ $t(label) }}<FontAwesomeIcon v-if="isLocked" :icon="['fas', 'lock']" class="ml-2" size="xs" />
+            </label>
             <p :id="legendId" class="help" v-html="$t(help)" v-if="help" />
         </div>
     </div>
diff --git a/resources/js/components/formElements/FormField.vue b/resources/js/components/formElements/FormField.vue
index a2c29368..931947da 100644
--- a/resources/js/components/formElements/FormField.vue
+++ b/resources/js/components/formElements/FormField.vue
@@ -42,6 +42,7 @@
             default: null
         },
         isIndented: Boolean,
+        isLocked: Boolean,
         leftIcon: '',
         rightIcon: '',
         idSuffix: {
@@ -57,14 +58,16 @@
 
 <template>
     <div class="mb-3" :class="{ 'pt-3' : hasOffset, 'is-flex' : isIndented }">
-        <div v-if="isIndented" class="mx-2 pr-1" :style="{ 'opacity': isDisabled ? '0.5' : '1' }">
+        <div v-if="isIndented" class="mx-2 pr-1" :class="{ 'is-opacity-5' : isDisabled || isLocked }">
             <FontAwesomeIcon class="has-text-grey" :icon="['fas', 'chevron-right']" transform="rotate-135"/>
         </div>
         <div class="field" :class="{ 'is-flex-grow-5' : isIndented }">
-            <label :for="inputId" class="label" :style="{ 'opacity': isDisabled ? '0.5' : '1' }" v-html="$t(label)"></label>
+            <label :for="inputId" class="label" :class="{ 'is-opacity-5' : isDisabled || isLocked }">
+                {{ $t(label) }}<FontAwesomeIcon v-if="isLocked" :icon="['fas', 'lock']" class="ml-2" size="xs" />
+            </label>
             <div class="control" :class="{ 'has-icons-left' : leftIcon, 'has-icons-right': rightIcon }">
                 <input 
-                    :disabled="isDisabled" 
+                    :disabled="isDisabled || isLocked" 
                     :id="inputId" 
                     :type="inputType" 
                     class="input" 
diff --git a/resources/js/components/formElements/FormLockField.vue b/resources/js/components/formElements/FormLockField.vue
index dad1a430..d6dbc5e3 100644
--- a/resources/js/components/formElements/FormLockField.vue
+++ b/resources/js/components/formElements/FormLockField.vue
@@ -54,14 +54,15 @@
         idSuffix: {
             type: String,
             default: ''
-        }
+        },
+        isLocked: Boolean,
     })
 
     const { inputId } = useIdGenerator(props.inputType, props.fieldName + props.idSuffix)
     const { valErrorId } = useValidationErrorIdGenerator(props.fieldName)
     const legendId = useIdGenerator('legend', props.fieldName).inputId
 
-    const fieldIsLocked = ref(props.isDisabled || props.isEditMode)
+    const fieldIsLocked = ref(props.isDisabled || props.isEditMode || props.isLocked)
     const hasBeenTrimmed = ref(false)
     const componentKey = ref(0);
 
@@ -96,7 +97,9 @@
 </script>
 
 <template>
-    <label :for="inputId" class="label" v-html="$t(label)" />
+    <label :for="inputId" class="label">
+        {{ $t(label) }}<FontAwesomeIcon v-if="isLocked" :icon="['fas', 'lock']" class="ml-2" size="xs" />
+    </label>
     <div class="field has-addons mb-0" :class="{ 'pt-3' : hasOffset }">
         <div class="control" :class="{ 'is-expanded': isExpanded }">
             <input 
diff --git a/resources/js/components/formElements/FormPasswordField.vue b/resources/js/components/formElements/FormPasswordField.vue
index fbe6e732..8b62b8d2 100644
--- a/resources/js/components/formElements/FormPasswordField.vue
+++ b/resources/js/components/formElements/FormPasswordField.vue
@@ -45,6 +45,7 @@
             type: String,
             default: ''
         },
+        isLocked: Boolean,
     })
 
     const { inputId } = useIdGenerator(props.inputType, props.fieldName + props.idSuffix)
@@ -84,10 +85,12 @@
 
 <template>
     <div class="field" :class="{ 'pt-3' : hasOffset }">
-        <label :for="inputId" class="label" v-html="$t(label)" />
+        <label :for="inputId" class="label">
+            {{ $t(label) }}<FontAwesomeIcon v-if="isLocked" :icon="['fas', 'lock']" class="ml-2" size="xs" />
+        </label>
         <div class="control has-icons-right">
             <input
-                :disabled="isDisabled"
+                :disabled="isDisabled || isLocked"
                 :id="inputId"
                 :type="currentType" 
                 class="input" 
diff --git a/resources/js/components/formElements/FormSelect.vue b/resources/js/components/formElements/FormSelect.vue
index 84296152..8ac2e5b1 100644
--- a/resources/js/components/formElements/FormSelect.vue
+++ b/resources/js/components/formElements/FormSelect.vue
@@ -23,6 +23,7 @@
         },
         isIndented: Boolean,
         isDisabled: Boolean,
+        isLocked: Boolean,
         idSuffix: {
             type: String,
             default: ''
@@ -37,18 +38,20 @@
 
 <template>
     <div class="field is-flex">
-        <div v-if="isIndented" class="mx-2 pr-1" :style="{ 'opacity': isDisabled ? '0.5' : '1' }">
+        <div v-if="isIndented" class="mx-2 pr-1" :class="{ 'is-opacity-5' : isDisabled || isLocked }">
             <FontAwesomeIcon class="has-text-grey" :icon="['fas', 'chevron-right']" transform="rotate-135"/>
         </div>
         <div>
-            <label :for="inputId" class="label" v-html="$t(label)" :style="{ 'opacity': isDisabled ? '0.5' : '1' }"></label>
+            <label :for="inputId" class="label" :class="{ 'is-opacity-5' : isDisabled || isLocked }">
+                {{ $t(label) }}<FontAwesomeIcon v-if="isLocked" :icon="['fas', 'lock']" class="ml-2" size="xs" />
+            </label>
             <div class="control">
                 <div class="select">
                     <select
                         :id="inputId"
                         v-model="selected"
                         v-on:change="$emit('update:modelValue', $event.target.value)"
-                        :disabled="isDisabled"
+                        :disabled="isDisabled || isLocked"
                         :aria-describedby="help ? legendId : undefined"
                         :aria-invalid="fieldError != undefined"
                         :aria-errormessage="fieldError != undefined ? valErrorId : undefined" 
diff --git a/resources/js/components/formElements/FormTextarea.vue b/resources/js/components/formElements/FormTextarea.vue
index 168bb626..c8e5897f 100644
--- a/resources/js/components/formElements/FormTextarea.vue
+++ b/resources/js/components/formElements/FormTextarea.vue
@@ -42,6 +42,7 @@
             default: null
         },
         isIndented: Boolean,
+        isLocked: Boolean,
         leftIcon: '',
         rightIcon: '',
         idSuffix: {
@@ -57,14 +58,16 @@
 
 <template>
     <div class="mb-3" :class="{ 'pt-3' : hasOffset, 'is-flex' : isIndented }">
-        <div v-if="isIndented" class="mx-2 pr-1" :style="{ 'opacity': isDisabled ? '0.5' : '1' }">
+        <div v-if="isIndented" class="mx-2 pr-1" :class="{ 'is-opacity-5' : isDisabled || isLocked }">
             <FontAwesomeIcon class="has-text-grey" :icon="['fas', 'chevron-right']" transform="rotate-135"/>
         </div>
         <div class="field" :class="{ 'is-flex-grow-5' : isIndented }">
-            <label v-if="label" :for="inputId" class="label" v-html="$t(label)"></label>
+            <label v-if="label" :for="inputId" class="label">
+                {{ $t(label) }}<FontAwesomeIcon v-if="isLocked" :icon="['fas', 'lock']" class="ml-2" size="xs" />
+            </label>
             <div class="control" :class="{ 'has-icons-left' : leftIcon, 'has-icons-right': rightIcon }">
                 <textarea 
-                    :disabled="isDisabled" 
+                    :disabled="isDisabled || isLocked" 
                     :id="inputId"
                     class="textarea" 
                     :class="size"
diff --git a/resources/js/components/formElements/FormToggle.vue b/resources/js/components/formElements/FormToggle.vue
index e49b9e7e..04fe2709 100644
--- a/resources/js/components/formElements/FormToggle.vue
+++ b/resources/js/components/formElements/FormToggle.vue
@@ -15,6 +15,7 @@
         fieldError: [String],
         hasOffset: Boolean,
         isDisabled: Boolean,
+        isLocked: Boolean,
         label: {
             type: String,
             default: ''
@@ -38,7 +39,9 @@
 
 <template>
     <div class="field" :class="{ 'pt-3': hasOffset }">
-        <span v-if="label" class="label" v-html="$t(label)" />
+        <span v-if="label" class="label" :class="{ 'is-opacity-5' : isDisabled || isLocked }">
+            {{ $t(label) }}<FontAwesomeIcon v-if="isLocked" :icon="['fas', 'lock']" class="ml-2" size="xs" />
+        </span>
         <div
             id="rdoGroup"
             role="radiogroup"
@@ -56,7 +59,7 @@
                     type="button"
                     class="button"
                     :aria-checked="modelValue===choice.value"
-                    :disabled="isDisabled"
+                    :disabled="isDisabled || isLocked"
                     :class="{
                         'is-link': modelValue===choice.value,
                         'is-dark': mode==='dark',
@@ -69,7 +72,7 @@
                         class="is-hidden"
                         :checked="modelValue===choice.value"
                         :value="choice.value"
-                        :disabled="isDisabled"
+                        :disabled="isDisabled || isLocked"
                     />
                     <span v-if="choice.legend" v-html="$t(choice.legend)" class="is-block is-size-7" />
                     <FontAwesomeIcon :icon="['fas',choice.icon]" v-if="choice.icon" class="mr-2" />
diff --git a/resources/js/stores/appSettings.js b/resources/js/stores/appSettings.js
index 3508d27d..472c4799 100644
--- a/resources/js/stores/appSettings.js
+++ b/resources/js/stores/appSettings.js
@@ -6,7 +6,10 @@ export const useAppSettingsStore = defineStore({
     id: 'appSettings',
 
     state: () => {
-        return { ...window.appSettings }
+        return {
+            lockedPreferences: window.lockedPreferences,
+            ...window.appSettings
+        }
     },
 
     getters: {
diff --git a/resources/js/stores/user.js b/resources/js/stores/user.js
index 50ed0a93..9f65c591 100644
--- a/resources/js/stores/user.js
+++ b/resources/js/stores/user.js
@@ -137,10 +137,20 @@ export const useUserStore = defineStore({
          * Refresh user preferences with backend state
          */
         refreshPreferences() {
+            const appSettings = useAppSettingsStore()
+
             userService.getPreferences({returnError: true})
             .then(response => {
                 response.data.forEach(preference => {
                     this.preferences[preference.key] = preference.value
+                    let index = appSettings.lockedPreferences.indexOf(preference.key)
+
+                    if (preference.locked == true && index === -1) {
+                        appSettings.lockedPreferences.push(preference.key)
+                    }
+                    else if (preference.locked == false && index > 0) {
+                        appSettings.lockedPreferences.splice(index, 1)
+                    }
                 })
             })
             .catch(error => {
diff --git a/resources/js/views/settings/Options.vue b/resources/js/views/settings/Options.vue
index a2d47b80..e9ea99d7 100644
--- a/resources/js/views/settings/Options.vue
+++ b/resources/js/views/settings/Options.vue
@@ -4,12 +4,14 @@
     import { useUserStore } from '@/stores/user'
     import { useGroups } from '@/stores/groups'
     import { useNotifyStore } from '@/stores/notify'
+    import { useAppSettingsStore } from '@/stores/appSettings'
     import { timezones } from './timezones'
 
     const $2fauth = inject('2fauth')
     const user = useUserStore()
     const groups = useGroups()
     const notify = useNotifyStore()
+    const appSettings = useAppSettingsStore()
     const returnTo = useStorage($2fauth.prefix + 'returnTo', 'accounts')
 
     const layouts = [
@@ -121,8 +123,11 @@
                     <!-- user preferences -->
                     <div class="block">
                         <h4 class="title is-4 has-text-grey-light">{{ $t('settings.general') }}</h4>
+                        <div v-if="appSettings.lockedPreferences.length > 0" class="notification is-warning">
+                            {{ $t('settings.settings_managed_by_administrator') }}
+                        </div>
                         <!-- Language -->
-                        <FormSelect v-model="user.preferences.lang" @update:model-value="val => savePreference('lang', val)" :options="langs" fieldName="lang" label="settings.forms.language.label" help="settings.forms.language.help" />
+                        <FormSelect v-model="user.preferences.lang" @update:model-value="val => savePreference('lang', val)" :options="langs" fieldName="lang" :isLocked="appSettings.lockedPreferences.includes('lang')" label="settings.forms.language.label" help="settings.forms.language.help" />
                         <div class="field help">
                             {{ $t('settings.forms.some_translation_are_missing') }}
                             <a class="ml-2" href="https://crowdin.com/project/2fauth">
@@ -131,66 +136,66 @@
                             </a>
                         </div>
                         <!-- timezone -->
-                        <FormSelect v-model="user.preferences.timezone" @update:model-value="val => savePreference('timezone', val)" :options="timezones" fieldName="timezone" label="settings.forms.timezone.label" help="settings.forms.timezone.help" />
+                        <FormSelect v-model="user.preferences.timezone" @update:model-value="val => savePreference('timezone', val)" :options="timezones" fieldName="timezone" :isLocked="appSettings.lockedPreferences.includes('timezone')" label="settings.forms.timezone.label" help="settings.forms.timezone.help" />
                         <!-- display mode -->
-                        <FormToggle v-model="user.preferences.displayMode" @update:model-value="val => savePreference('displayMode', val)" :choices="layouts" fieldName="displayMode" label="settings.forms.display_mode.label" help="settings.forms.display_mode.help"/>
+                        <FormToggle v-model="user.preferences.displayMode" @update:model-value="val => savePreference('displayMode', val)" :choices="layouts" fieldName="displayMode" :isLocked="appSettings.lockedPreferences.includes('displayMode')" label="settings.forms.display_mode.label" help="settings.forms.display_mode.help" />
                         <!-- theme -->
-                        <FormToggle v-model="user.preferences.theme" @update:model-value="val => savePreference('theme', val)" :choices="themes" fieldName="theme" label="settings.forms.theme.label" help="settings.forms.theme.help"/>
+                        <FormToggle v-model="user.preferences.theme" @update:model-value="val => savePreference('theme', val)" :choices="themes" fieldName="theme" :isLocked="appSettings.lockedPreferences.includes('theme')" label="settings.forms.theme.label" help="settings.forms.theme.help" />
                         <!-- show icon -->
-                        <FormCheckbox v-model="user.preferences.showAccountsIcons" @update:model-value="val => savePreference('showAccountsIcons', val)" fieldName="showAccountsIcons" label="settings.forms.show_accounts_icons.label" help="settings.forms.show_accounts_icons.help" />
+                        <FormCheckbox v-model="user.preferences.showAccountsIcons" @update:model-value="val => savePreference('showAccountsIcons', val)" fieldName="showAccountsIcons" :isLocked="appSettings.lockedPreferences.includes('showAccountsIcons')" label="settings.forms.show_accounts_icons.label" help="settings.forms.show_accounts_icons.help" />
                         <!-- Official icons -->
-                        <FormCheckbox v-model="user.preferences.getOfficialIcons" @update:model-value="val => savePreference('getOfficialIcons', val)" fieldName="getOfficialIcons" label="settings.forms.get_official_icons.label" help="settings.forms.get_official_icons.help" />
+                        <FormCheckbox v-model="user.preferences.getOfficialIcons" @update:model-value="val => savePreference('getOfficialIcons', val)" fieldName="getOfficialIcons" :isLocked="appSettings.lockedPreferences.includes('getOfficialIcons')" label="settings.forms.get_official_icons.label" help="settings.forms.get_official_icons.help" />
                         <!-- password format -->
-                        <FormCheckbox v-model="user.preferences.formatPassword" @update:model-value="val => savePreference('formatPassword', val)" fieldName="formatPassword" label="settings.forms.password_format.label" help="settings.forms.password_format.help" />
-                        <FormToggle v-model="user.preferences.formatPasswordBy" @update:model-value="val => savePreference('formatPasswordBy', val)" :choices="passwordFormats" fieldName="formatPasswordBy" :isDisabled="!user.preferences.formatPassword" />
+                        <FormCheckbox v-model="user.preferences.formatPassword" @update:model-value="val => savePreference('formatPassword', val)" fieldName="formatPassword" :isLocked="appSettings.lockedPreferences.includes('formatPassword')" label="settings.forms.password_format.label" help="settings.forms.password_format.help" />
+                        <FormToggle v-model="user.preferences.formatPasswordBy" @update:model-value="val => savePreference('formatPasswordBy', val)" :choices="passwordFormats" fieldName="formatPasswordBy" :isLocked="appSettings.lockedPreferences.includes('formatPasswordBy')" :isDisabled="!user.preferences.formatPassword" />
                         <!-- clear search on copy -->
-                        <FormCheckbox v-model="user.preferences.clearSearchOnCopy" @update:model-value="val => savePreference('clearSearchOnCopy', val)" fieldName="clearSearchOnCopy" label="settings.forms.clear_search_on_copy.label" help="settings.forms.clear_search_on_copy.help" />
+                        <FormCheckbox v-model="user.preferences.clearSearchOnCopy" @update:model-value="val => savePreference('clearSearchOnCopy', val)" fieldName="clearSearchOnCopy" :isLocked="appSettings.lockedPreferences.includes('clearSearchOnCopy')" label="settings.forms.clear_search_on_copy.label" help="settings.forms.clear_search_on_copy.help" />
                         <!-- sort case sensitive -->
-                        <FormCheckbox v-model="user.preferences.sortCaseSensitive" @update:model-value="val => savePreference('sortCaseSensitive', val)" fieldName="sortCaseSensitive" label="settings.forms.sort_case_sensitive.label" help="settings.forms.sort_case_sensitive.help" />
+                        <FormCheckbox v-model="user.preferences.sortCaseSensitive" @update:model-value="val => savePreference('sortCaseSensitive', val)" fieldName="sortCaseSensitive" :isLocked="appSettings.lockedPreferences.includes('sortCaseSensitive')" label="settings.forms.sort_case_sensitive.label" help="settings.forms.sort_case_sensitive.help" />
                         <!-- show email in footer -->
-                        <FormCheckbox v-model="user.preferences.showEmailInFooter" @update:model-value="val => savePreference('showEmailInFooter', val)" fieldName="showEmailInFooter" label="settings.forms.show_email_in_footer.label" help="settings.forms.show_email_in_footer.help" />
+                        <FormCheckbox v-model="user.preferences.showEmailInFooter" @update:model-value="val => savePreference('showEmailInFooter', val)" fieldName="showEmailInFooter" :isLocked="appSettings.lockedPreferences.includes('showEmailInFooter')" label="settings.forms.show_email_in_footer.label" help="settings.forms.show_email_in_footer.help" />
                         
                         <h4 class="title is-4 pt-4 has-text-grey-light">{{ $t('groups.groups') }}</h4>
                         <!-- default group -->
                         <FormSelect v-model="user.preferences.defaultGroup" @update:model-value="val => savePreference('defaultGroup', val)" :options="groupsList" fieldName="defaultGroup" label="settings.forms.default_group.label" help="settings.forms.default_group.help" />
                         <!-- retain active group -->
-                        <FormCheckbox v-model="user.preferences.rememberActiveGroup" @update:model-value="val => savePreference('rememberActiveGroup', val)" fieldName="rememberActiveGroup" label="settings.forms.remember_active_group.label" help="settings.forms.remember_active_group.help" />
+                        <FormCheckbox v-model="user.preferences.rememberActiveGroup" @update:model-value="val => savePreference('rememberActiveGroup', val)" fieldName="rememberActiveGroup" :isLocked="appSettings.lockedPreferences.includes('rememberActiveGroup')" label="settings.forms.remember_active_group.label" help="settings.forms.remember_active_group.help" />
                         <!-- always return to default group after copying -->
-                        <FormCheckbox v-model="user.preferences.viewDefaultGroupOnCopy" @update:model-value="val => savePreference('viewDefaultGroupOnCopy', val)" fieldName="viewDefaultGroupOnCopy" label="settings.forms.view_default_group_on_copy.label" help="settings.forms.view_default_group_on_copy.help" />
+                        <FormCheckbox v-model="user.preferences.viewDefaultGroupOnCopy" @update:model-value="val => savePreference('viewDefaultGroupOnCopy', val)" fieldName="viewDefaultGroupOnCopy" :isLocked="appSettings.lockedPreferences.includes('viewDefaultGroupOnCopy')" label="settings.forms.view_default_group_on_copy.label" help="settings.forms.view_default_group_on_copy.help" />
                         
                         <h4 class="title is-4 pt-4 has-text-grey-light">{{ $t('settings.security') }}</h4>
                         <!-- auto lock -->
-                        <FormSelect v-model="user.preferences.kickUserAfter" @update:model-value="val => savePreference('kickUserAfter', val)" :options="kickUserAfters" fieldName="kickUserAfter" label="settings.forms.auto_lock.label" help="settings.forms.auto_lock.help" />
+                        <FormSelect v-model="user.preferences.kickUserAfter" @update:model-value="val => savePreference('kickUserAfter', val)" :options="kickUserAfters" fieldName="kickUserAfter" :isLocked="appSettings.lockedPreferences.includes('kickUserAfter')" label="settings.forms.auto_lock.label" help="settings.forms.auto_lock.help" />
                         <!-- get OTP on request -->
-                        <FormToggle v-model="user.preferences.getOtpOnRequest" @update:model-value="val => savePreference('getOtpOnRequest', val)" :choices="getOtpTriggers" fieldName="getOtpOnRequest" label="settings.forms.otp_generation.label" help="settings.forms.otp_generation.help"/>
+                        <FormToggle v-model="user.preferences.getOtpOnRequest" @update:model-value="val => savePreference('getOtpOnRequest', val)" :choices="getOtpTriggers" fieldName="getOtpOnRequest" :isLocked="appSettings.lockedPreferences.includes('getOtpOnRequest')" label="settings.forms.otp_generation.label" help="settings.forms.otp_generation.help"/>
                             <!-- close otp on copy -->
-                            <FormCheckbox v-model="user.preferences.closeOtpOnCopy" @update:model-value="val => savePreference('closeOtpOnCopy', val)" fieldName="closeOtpOnCopy" label="settings.forms.close_otp_on_copy.label" help="settings.forms.close_otp_on_copy.help" :isDisabled="!user.preferences.getOtpOnRequest" :isIndented="true" />
+                            <FormCheckbox v-model="user.preferences.closeOtpOnCopy" @update:model-value="val => savePreference('closeOtpOnCopy', val)" fieldName="closeOtpOnCopy" :isLocked="appSettings.lockedPreferences.includes('closeOtpOnCopy')" :isDisabled="!user.preferences.getOtpOnRequest" label="settings.forms.close_otp_on_copy.label" help="settings.forms.close_otp_on_copy.help" :isIndented="true" />
                             <!-- auto-close timeout -->
-                            <FormSelect v-model="user.preferences.autoCloseTimeout" @update:model-value="val => savePreference('autoCloseTimeout', val)" :options="autoCloseTimeout" fieldName="autoCloseTimeout" label="settings.forms.auto_close_timeout.label" help="settings.forms.auto_close_timeout.help"  :isDisabled="!user.preferences.getOtpOnRequest" :isIndented="true" />
+                            <FormSelect v-model="user.preferences.autoCloseTimeout" @update:model-value="val => savePreference('autoCloseTimeout', val)" :options="autoCloseTimeout" fieldName="autoCloseTimeout" :isLocked="appSettings.lockedPreferences.includes('autoCloseTimeout')" :isDisabled="!user.preferences.getOtpOnRequest" label="settings.forms.auto_close_timeout.label" help="settings.forms.auto_close_timeout.help" :isIndented="true" />
                             <!-- clear search on copy -->
-                            <FormCheckbox v-model="user.preferences.copyOtpOnDisplay" @update:model-value="val => savePreference('copyOtpOnDisplay', val)" fieldName="copyOtpOnDisplay" label="settings.forms.copy_otp_on_display.label" help="settings.forms.copy_otp_on_display.help" :isDisabled="!user.preferences.getOtpOnRequest" :isIndented="true" />
+                            <FormCheckbox v-model="user.preferences.copyOtpOnDisplay" @update:model-value="val => savePreference('copyOtpOnDisplay', val)" fieldName="copyOtpOnDisplay" :isLocked="appSettings.lockedPreferences.includes('copyOtpOnDisplay')" :isDisabled="!user.preferences.getOtpOnRequest" label="settings.forms.copy_otp_on_display.label" help="settings.forms.copy_otp_on_display.help" :isIndented="true" />
                         <!-- otp as dot -->
-                        <FormCheckbox v-model="user.preferences.showOtpAsDot" @update:model-value="val => savePreference('showOtpAsDot', val)" fieldName="showOtpAsDot" label="settings.forms.show_otp_as_dot.label" help="settings.forms.show_otp_as_dot.help" />
+                        <FormCheckbox v-model="user.preferences.showOtpAsDot" @update:model-value="val => savePreference('showOtpAsDot', val)" fieldName="showOtpAsDot" :isLocked="appSettings.lockedPreferences.includes('showOtpAsDot')" label="settings.forms.show_otp_as_dot.label" help="settings.forms.show_otp_as_dot.help" />
                             <!-- reveal dotted OTPs -->
-                            <FormCheckbox v-model="user.preferences.revealDottedOTP" @update:model-value="val => savePreference('revealDottedOTP', val)" fieldName="revealDottedOTP" label="settings.forms.reveal_dotted_otp.label" help="settings.forms.reveal_dotted_otp.help" :isDisabled="!user.preferences.showOtpAsDot" :isIndented="true" />
+                            <FormCheckbox v-model="user.preferences.revealDottedOTP" @update:model-value="val => savePreference('revealDottedOTP', val)" fieldName="revealDottedOTP" :isLocked="appSettings.lockedPreferences.includes('revealDottedOTP')" :isDisabled="!user.preferences.showOtpAsDot" label="settings.forms.reveal_dotted_otp.label" help="settings.forms.reveal_dotted_otp.help" :isIndented="true" />
                         <!-- show next OTP -->
-                        <FormCheckbox v-model="user.preferences.showNextOtp" @update:model-value="val => savePreference('showNextOtp', val)" fieldName="showNextOtp" label="settings.forms.show_next_otp.label" help="settings.forms.show_next_otp.help" />
+                        <FormCheckbox v-model="user.preferences.showNextOtp" @update:model-value="val => savePreference('showNextOtp', val)" fieldName="showNextOtp" :isLocked="appSettings.lockedPreferences.includes('showNextOtp')" label="settings.forms.show_next_otp.label" help="settings.forms.show_next_otp.help" />
                         
                         <h4 class="title is-4 pt-4 has-text-grey-light">{{ $t('settings.notifications') }}</h4>
                         <!-- on new device -->
-                        <FormCheckbox v-model="user.preferences.notifyOnNewAuthDevice" @update:model-value="val => savePreference('notifyOnNewAuthDevice', val)" fieldName="notifyOnNewAuthDevice" label="settings.forms.notify_on_new_auth_device.label" help="settings.forms.notify_on_new_auth_device.help" />
+                        <FormCheckbox v-model="user.preferences.notifyOnNewAuthDevice" @update:model-value="val => savePreference('notifyOnNewAuthDevice', val)" fieldName="notifyOnNewAuthDevice" :isLocked="appSettings.lockedPreferences.includes('notifyOnNewAuthDevice')" label="settings.forms.notify_on_new_auth_device.label" help="settings.forms.notify_on_new_auth_device.help" />
                         <!-- on failed login -->
-                        <FormCheckbox v-model="user.preferences.notifyOnFailedLogin" @update:model-value="val => savePreference('notifyOnFailedLogin', val)" fieldName="notifyOnFailedLogin" label="settings.forms.notify_on_failed_login.label" help="settings.forms.notify_on_failed_login.help" />
+                        <FormCheckbox v-model="user.preferences.notifyOnFailedLogin" @update:model-value="val => savePreference('notifyOnFailedLogin', val)" fieldName="notifyOnFailedLogin" :isLocked="appSettings.lockedPreferences.includes('notifyOnFailedLogin')" label="settings.forms.notify_on_failed_login.label" help="settings.forms.notify_on_failed_login.help" />
                             
                         <h4 class="title is-4 pt-4 has-text-grey-light">{{ $t('settings.data_input') }}</h4>
                         <!-- auto-save QrCoded account -->
-                        <FormCheckbox v-model="user.preferences.AutoSaveQrcodedAccount" @update:model-value="val => savePreference('AutoSaveQrcodedAccount', val)" fieldName="AutoSaveQrcodedAccount" label="settings.forms.auto_save_qrcoded_account.label" help="settings.forms.auto_save_qrcoded_account.help" />
+                        <FormCheckbox v-model="user.preferences.AutoSaveQrcodedAccount" @update:model-value="val => savePreference('AutoSaveQrcodedAccount', val)" fieldName="AutoSaveQrcodedAccount" :isLocked="appSettings.lockedPreferences.includes('AutoSaveQrcodedAccount')" label="settings.forms.auto_save_qrcoded_account.label" help="settings.forms.auto_save_qrcoded_account.help" />
                         <!-- basic qrcode -->
-                        <FormCheckbox v-model="user.preferences.useBasicQrcodeReader" @update:model-value="val => savePreference('useBasicQrcodeReader', val)" fieldName="useBasicQrcodeReader" label="settings.forms.use_basic_qrcode_reader.label" help="settings.forms.use_basic_qrcode_reader.help" />
+                        <FormCheckbox v-model="user.preferences.useBasicQrcodeReader" @update:model-value="val => savePreference('useBasicQrcodeReader', val)" fieldName="useBasicQrcodeReader" :isLocked="appSettings.lockedPreferences.includes('useBasicQrcodeReader')" label="settings.forms.use_basic_qrcode_reader.label" help="settings.forms.use_basic_qrcode_reader.help" />
                         <!-- direct capture -->
-                        <FormCheckbox v-model="user.preferences.useDirectCapture" @update:model-value="val => savePreference('useDirectCapture', val)" fieldName="useDirectCapture" label="settings.forms.useDirectCapture.label" help="settings.forms.useDirectCapture.help" />
+                        <FormCheckbox v-model="user.preferences.useDirectCapture" @update:model-value="val => savePreference('useDirectCapture', val)" fieldName="useDirectCapture" :isLocked="appSettings.lockedPreferences.includes('useDirectCapture')" label="settings.forms.useDirectCapture.label" help="settings.forms.useDirectCapture.help" />
                         <!-- default capture mode -->
-                        <FormSelect v-model="user.preferences.defaultCaptureMode" @update:model-value="val => savePreference('defaultCaptureMode', val)" :options="captureModes" fieldName="defaultCaptureMode" label="settings.forms.defaultCaptureMode.label" help="settings.forms.defaultCaptureMode.help" :isDisabled="!user.preferences.useDirectCapture" :isIndented="true" />
+                        <FormSelect v-model="user.preferences.defaultCaptureMode" @update:model-value="val => savePreference('defaultCaptureMode', val)" :options="captureModes" fieldName="defaultCaptureMode" :isLocked="appSettings.lockedPreferences.includes('defaultCaptureMode')" :isDisabled="!user.preferences.useDirectCapture" label="settings.forms.defaultCaptureMode.label" help="settings.forms.defaultCaptureMode.help" :isIndented="true" />
                     </div>
                 </form>
             </FormWrapper>
diff --git a/resources/lang/en/settings.php b/resources/lang/en/settings.php
index 1f0398cd..cfd80cb8 100644
--- a/resources/lang/en/settings.php
+++ b/resources/lang/en/settings.php
@@ -43,6 +43,7 @@ return [
     ],
     'make_sure_copy_token' => 'Make sure to copy your personal access token now. You won’t be able to see it again!',
     'data_input' => 'Data input',
+    'settings_managed_by_administrator' => 'Some settings are being managed by your administrator',
     'forms' => [
         'edit_settings' => 'Edit settings',
         'setting_saved' => 'Settings saved',
@@ -58,23 +59,23 @@ return [
             'help' => 'The time zone applied to all dates and times displayed in the application'
         ],
         'show_otp_as_dot' => [
-            'label' => 'Show generated <abbr title="One-Time Password">OTP</abbr> as dot',
+            'label' => 'Show generated OTP as dot',
             'help' => 'Replace generated password characters with *** to ensure confidentiality. Does not affect the copy/paste feature'
         ],
         'reveal_dotted_otp' => [
-            'label' => 'Reveal obscured <abbr title="One-Time Password">OTP</abbr>',
+            'label' => 'Reveal obscured OTP',
             'help' => 'Let the ability to temporarily reveal Dot-Obscured passwords'
         ],
         'close_otp_on_copy' => [
-            'label' => 'Close <abbr title="One-Time Password">OTP</abbr> after copy',
+            'label' => 'Close OTP after copy',
             'help' => 'Click on a generated password to copy it automatically hides it from the screen'
         ],
         'show_next_otp' => [
-            'label' => 'Show next <abbr title="One-Time Password">OTP</abbr>',
+            'label' => 'Show next OTP',
             'help' => 'Preview the next password, i.e. the password that will replace the current password when it expires. Preferences set for the current OTP also apply to the next one (formatting, show as dot)'
         ],
         'auto_close_timeout' => [
-            'label' => 'Auto close <abbr title="One-Time Password">OTP</abbr>',
+            'label' => 'Auto close OTP',
             'help' => 'Automatically hide on-screen password after a timeout. This avoids unnecessary requests for fresh passwords if you forget to close the password view.'
         ],
         'clear_search_on_copy' => [
@@ -86,7 +87,7 @@ return [
             'help' => 'When invoked, force the Sort function to sort accounts on a case-sensitive basis'
         ],
         'copy_otp_on_display' => [
-            'label' => 'Copy <abbr title="One-Time Password">OTP</abbr> on display',
+            'label' => 'Copy OTP on display',
             'help' => 'Automatically copy a generated password right after it appears on screen. Due to browsers limitations, only the first <abbr title="Time-based One-Time Password">TOTP</abbr> password will be copied, not the rotating ones'
         ],
         'use_basic_qrcode_reader' => [
diff --git a/resources/lang/en/twofaccounts.php b/resources/lang/en/twofaccounts.php
index 2ab204dc..37ca1029 100644
--- a/resources/lang/en/twofaccounts.php
+++ b/resources/lang/en/twofaccounts.php
@@ -78,7 +78,7 @@ return [
         ],
         'plain_text' => 'Plain text',
         'otp_type' => [
-            'label' => 'Choose the type of <abbr title="One-Time Password">OTP</abbr> to create',
+            'label' => 'Choose the type of OTP to create',
             'help' => 'Time-based OTP or HMAC-based OTP or Steam OTP'
         ],
         'digits' => [
diff --git a/resources/views/landing.blade.php b/resources/views/landing.blade.php
index 996045dd..f22b1bfe 100644
--- a/resources/views/landing.blade.php
+++ b/resources/views/landing.blade.php
@@ -27,6 +27,7 @@
         var appConfig = {!! $appConfig !!};
         var urls = {!! $urls !!};
         var defaultPreferences = {!! $defaultPreferences->toJson() !!};
+        var lockedPreferences = {!! $lockedPreferences->toJson() !!};
         var appVersion = '{{ config("2fauth.version") }}';
         var isDemoApp = {!! $isDemoApp !!};
         var isTestingApp = {!! $isTestingApp !!};
diff --git a/tests/Api/v1/Controllers/Auth/UserControllerTest.php b/tests/Api/v1/Controllers/Auth/UserControllerTest.php
index e7190d77..9242b48b 100644
--- a/tests/Api/v1/Controllers/Auth/UserControllerTest.php
+++ b/tests/Api/v1/Controllers/Auth/UserControllerTest.php
@@ -24,6 +24,7 @@ class UserControllerTest extends FeatureTestCase
     private const PREFERENCE_JSON_STRUCTURE = [
         'key',
         'value',
+        'locked',
     ];
 
     public function setUp() : void
@@ -62,7 +63,7 @@ class UserControllerTest extends FeatureTestCase
     }
 
     #[Test]
-    public function test_allPreferences_returns_preferences_with_default_values()
+    public function test_allPreferences_returns_preferences_with_default_config_values()
     {
         $response = $this->actingAs($this->user, 'api-guard')
             ->json('GET', '/api/v1/user/preferences')
@@ -108,7 +109,7 @@ class UserControllerTest extends FeatureTestCase
     }
 
     #[Test]
-    public function test_showPreference_returns_preference_with_default_value()
+    public function test_showPreference_returns_preference_with_default_config_value()
     {
         /**
          * @var \App\Models\User|\Illuminate\Contracts\Auth\Authenticatable
@@ -121,6 +122,28 @@ class UserControllerTest extends FeatureTestCase
             ->assertExactJson([
                 'key'   => 'showOtpAsDot',
                 'value' => config('2fauth.preferences.showOtpAsDot'),
+                'locked' => false,
+            ]);
+    }
+
+    #[Test]
+    public function test_showPreference_returns_preference_with_locked_default_env_value()
+    {
+        // See .env.testing which sets USERPREF_DEFAULT__THEME=light
+        // while config/2fauth.php sets the default value to 'system' 
+
+        /**
+         * @var \App\Models\User|\Illuminate\Contracts\Auth\Authenticatable
+         */
+        $this->user = User::factory()->create();
+
+        $response = $this->actingAs($this->user, 'api-guard')
+            ->json('GET', '/api/v1/user/preferences/theme')
+            ->assertOk()
+            ->assertExactJson([
+                'key'   => 'theme',
+                'value' => 'light',
+                'locked' => true,
             ]);
     }
 
@@ -190,4 +213,16 @@ class UserControllerTest extends FeatureTestCase
             ])
             ->assertStatus(422);
     }
+
+    #[Test]
+    public function test_setPreference_on_locked_preference_returns_forbidden()
+    {
+        // See .env.testing which sets USERPREF_LOCKED__THEME=true
+        $response = $this->actingAs($this->user, 'api-guard')
+            ->json('PUT', '/api/v1/user/preferences/theme', [
+                'key'   => 'theme',
+                'value' => 'system',
+            ])
+            ->assertStatus(403);
+    }
 }
diff --git a/tests/Unit/HelpersTest.php b/tests/Unit/HelpersTest.php
index f713d821..242d19f1 100644
--- a/tests/Unit/HelpersTest.php
+++ b/tests/Unit/HelpersTest.php
@@ -218,4 +218,42 @@ class HelpersTest extends TestCase
             ],
         ];
     }
+
+    #[Test]
+    public function test_lockedPreferences_returns_locked_preferences()
+    {
+        // See .env.testing which sets USERPREF_DEFAULT__THEME=light
+        // while config/2fauth.php sets the default value to 'system' 
+        $lockedPreferences = Helpers::lockedPreferences(config('2fauth.preferences'));
+
+        $this->assertContains('theme', $lockedPreferences);
+    }
+
+    #[Test]
+    public function test_lockedPreferences_returns_empty_array_when_empty_array_is_provided()
+    {
+        $param = [];
+
+        $lockedPreferences = Helpers::lockedPreferences($param);
+
+        $this->assertEquals([], $lockedPreferences);
+    }
+
+    #[Test]
+    public function test_lockedPreferences_excludes_preference_when_env_var_is_empty()
+    {
+        // See .env.testing which sets USERPREF_LOCKED__DISPLAY_MODE=
+        $lockedPreferences = Helpers::lockedPreferences(config('2fauth.preferences'));
+
+        $this->assertNotContains('displayMode', $lockedPreferences);
+    }
+
+    #[Test]
+    public function test_lockedPreferences_excludes_preference_when_env_var_is_malformed()
+    {
+        // See .env.testing which sets USERPREF_LOCKED___FORMAT_PASSWORD=false
+        $lockedPreferences = Helpers::lockedPreferences(config('2fauth.preferences'));
+
+        $this->assertNotContains('formatPassword', $lockedPreferences);
+    }
 }
diff --git a/vite.version.js b/vite.version.js
index 31ccc362..71ab80fd 100644
--- a/vite.version.js
+++ b/vite.version.js
@@ -12,6 +12,6 @@ const parser = new Engine({
 
 const phpFile = fs.readFileSync("./config/2fauth.php")
 const phpContent = parser.parseCode(phpFile)
-const version = phpContent.children[0].expr.items[0].value.value
+const version = phpContent.children[4].expr.items[0].value.value
 
 export default version
\ No newline at end of file