diff --git a/Dockerfile b/Dockerfile
index 526252f6e1e3759f2c3585ac05c8c437ea22d451..d38dcf488b6bd18ee682cb50a9bb6a17d873d0a2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ ARG EA_JOB_ID="644363"
 ARG LAUNCHER_JOB_ID="651032"
 ARG GOOGLE_INTEGRATION_VERSION="1.0.9"
 ARG DASHBOARD_JOB_ID="651040"
-ARG SNAPPY_VERSION="2.28.1"
+ARG SNAPPY_VERSION="2.29.1"
 ARG SNAPPY_THEME_VERSION="2.0.8"
 ARG USER_MIGRATION_JOB_ID="608716"
 ARG MEMORIES_VERSION="5.4.1"
@@ -207,6 +207,7 @@ RUN cd ${BASE_DIR} && patch -u ${BASE_DIR}/apps/user_ldap/lib/User_LDAP.php -i $
 RUN patch -u ${BASE_DIR}/lib/private/User/Manager.php -i ${TMP_PATCH_DIR}/025-optimize-get-by-email.patch
 RUN patch -u ${BASE_DIR}/apps/dav/lib/Connector/Sabre/Principal.php -i ${TMP_PATCH_DIR}/027-displayname-user-leak-dav.patch
 RUN patch -u ${BASE_DIR}/apps/dav/lib/HookManager.php -i ${TMP_PATCH_DIR}/028-default-task-calendar.patch
+RUN patch -u ${BASE_DIR}/apps/provisioning_api/lib/Controller/UsersController.php -i ${TMP_PATCH_DIR}/029-restrict-user-to-change-primary-email.patch
 RUN rm -rf ${TMP_PATCH_DIR}
 
 RUN curl -fsSL -o ldap_write_support.tar.gz \
diff --git a/patches/029-restrict-user-to-change-primary-email.patch b/patches/029-restrict-user-to-change-primary-email.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f2e215da49b69e9662f736b1ed638cfd1ba8ca51
--- /dev/null
+++ b/patches/029-restrict-user-to-change-primary-email.patch
@@ -0,0 +1,28 @@
+--- ./apps/provisioning_api/lib/Controller/UsersController.php	2023-10-03 07:14:02
++++ ./apps/provisioning_api/lib/Controller/UsersController-new.php	2023-10-11 05:34:04
+@@ -613,10 +613,7 @@
+ 			) {
+ 				$permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME;
+ 			}
+-			$permittedFields[] = IAccountManager::PROPERTY_EMAIL;
+ 		}
+-
+-		$permittedFields[] = IAccountManager::COLLECTION_EMAIL;
+ 		$permittedFields[] = IAccountManager::PROPERTY_PHONE;
+ 		$permittedFields[] = IAccountManager::PROPERTY_ADDRESS;
+ 		$permittedFields[] = IAccountManager::PROPERTY_WEBSITE;
+@@ -756,14 +753,9 @@
+ 					$permittedFields[] = self::USER_FIELD_DISPLAYNAME;
+ 					$permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME;
+ 				}
+-				$permittedFields[] = IAccountManager::PROPERTY_EMAIL;
+ 			}
+ 
+ 			$permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME . self::SCOPE_SUFFIX;
+-			$permittedFields[] = IAccountManager::PROPERTY_EMAIL . self::SCOPE_SUFFIX;
+-
+-			$permittedFields[] = IAccountManager::COLLECTION_EMAIL;
+-
+ 			$permittedFields[] = self::USER_FIELD_PASSWORD;
+ 			$permittedFields[] = self::USER_FIELD_NOTIFICATION_EMAIL;
+ 			if (