MDL-53954 user: Prevent locked profile fields from being edited

fada0691 · Frederic Massart · Andrew Nicols · 7873e36f · fada0691 · fada0691
Commit fada0691 authored Apr 28, 2016 by Frederic Massart Committed by Andrew Nicols May 06, 2016
--- a/user/edit_form.php
+++ b/user/edit_form.php
@@ -133,6 +133,7 @@ class user_edit_form extends moodleform {
            $fields = get_user_fieldnames();
            $authplugin = get_auth_plugin($user->auth);
            $customfields = $authplugin->get_custom_user_profile_fields();
+            $customfieldsdata = profile_user_record($userid, false);
            $fields = array_merge($fields, $customfields);
            foreach ($fields as $field) {
                if ($field === 'description') {
@@ -144,7 +145,15 @@ class user_edit_form extends moodleform {
                if (!$mform->elementExists($formfield)) {
                    continue;
                }
-                $value = $mform->getElement($formfield)->exportValue($mform->getElementValue($formfield)) ?: '';
+
+                // Get the original value for the field.
+                if (in_array($field, $customfields)) {
+                    $key = str_replace('profile_field_', '', $field);
+                    $value = isset($customfieldsdata->{$key}) ? $customfieldsdata->{$key} : '';
+                } else {
+                    $value = $user->{$field};
+                }
+
                $configvariable = 'field_lock_' . $field;
                if (isset($authplugin->config->{$configvariable})) {
                    if ($authplugin->config->{$configvariable} === 'locked') {

--- a/user/profile/lib.php
+++ b/user/profile/lib.php
@@ -551,9 +551,10 @@ function profile_signup_fields($mform) {
 /**
 * Returns an object with the custom profile fields set for the given user
 * @param integer $userid
+ * @param bool $onlyinuserobject True if you only want the ones in $USER.
 * @return stdClass
 */
-function profile_user_record($userid) {
+function profile_user_record($userid, $onlyinuserobject = true) {
    global $CFG, $DB;

    $usercustomfields = new stdClass();
@@ -563,7 +564,7 @@ function profile_user_record($userid) {
            require_once($CFG->dirroot.'/user/profile/field/'.$field->datatype.'/field.class.php');
            $newfield = 'profile_field_'.$field->datatype;
            $formfield = new $newfield($field->id, $userid);
-            if ($formfield->is_user_object_data()) {
+            if (!$onlyinuserobject || $formfield->is_user_object_data()) {
                $usercustomfields->{$field->shortname} = $formfield->data;
            }
        }

--- a/user/tests/profilelib_test.php
+++ b/user/tests/profilelib_test.php
@@ -62,6 +62,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
        // Check that profile_user_record returns same (no) fields.
        $this->assertObjectNotHasAttribute('frogdesc', profile_user_record($user->id));

+        // Check that profile_user_record returns all the fields when requested.
+        $this->assertObjectHasAttribute('frogdesc', profile_user_record($user->id, false));
+
        // Add another custom field, this time of normal text type.
        $id2 = $DB->insert_record('user_info_field', array(
                'shortname' => 'frogname', 'name' => 'Name of frog', 'categoryid' => 1,
@@ -77,6 +80,9 @@ class core_user_profilelib_testcase extends advanced_testcase {

        // Check profile_user_record returns same field.
        $this->assertObjectHasAttribute('frogname', profile_user_record($user->id));
+
+        // Check that profile_user_record returns all the fields when requested.
+        $this->assertObjectHasAttribute('frogname', profile_user_record($user->id, false));
    }

    /**