Commit fada0691 authored by Frederic Massart's avatar Frederic Massart Committed by Andrew Nicols

MDL-53954 user: Prevent locked profile fields from being edited

parent 7873e36f
......@@ -133,6 +133,7 @@ class user_edit_form extends moodleform {
$fields = get_user_fieldnames();
$authplugin = get_auth_plugin($user->auth);
$customfields = $authplugin->get_custom_user_profile_fields();
$customfieldsdata = profile_user_record($userid, false);
$fields = array_merge($fields, $customfields);
foreach ($fields as $field) {
if ($field === 'description') {
......@@ -144,7 +145,15 @@ class user_edit_form extends moodleform {
if (!$mform->elementExists($formfield)) {
continue;
}
$value = $mform->getElement($formfield)->exportValue($mform->getElementValue($formfield)) ?: '';
// Get the original value for the field.
if (in_array($field, $customfields)) {
$key = str_replace('profile_field_', '', $field);
$value = isset($customfieldsdata->{$key}) ? $customfieldsdata->{$key} : '';
} else {
$value = $user->{$field};
}
$configvariable = 'field_lock_' . $field;
if (isset($authplugin->config->{$configvariable})) {
if ($authplugin->config->{$configvariable} === 'locked') {
......
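Review bot: `str_replace('profile_field_', '', $field)` strips every occurrence of the marker rather than only the leading prefix, so a custom field whose shortname itself contains `profile_field_` would resolve to the wrong key and fall back to `''` as its original value. That value now appears to stand in for the submitted one when the lock setting is evaluated, so a wrong lookup would weaken the lock for that field. `$key = substr($field, strlen('profile_field_'));` removes only the prefix, assuming every entry of `$customfields` carries it. `in_array($field, $customfields, true)` would also keep the membership test strict. The rest of the loop body, where `$value` is consumed, lies outside the hunk.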
......@@ -551,9 +551,10 @@ function profile_signup_fields($mform) {
/**
* Returns an object with the custom profile fields set for the given user
* @param integer $userid
* @param bool $onlyinuserobject True if you only want the ones in $USER.
* @return stdClass
*/
function profile_user_record($userid) {
function profile_user_record($userid, $onlyinuserobject = true) {
global $CFG, $DB;
$usercustomfields = new stdClass();
......@@ -563,7 +564,7 @@ function profile_user_record($userid) {
require_once($CFG->dirroot.'/user/profile/field/'.$field->datatype.'/field.class.php');
$newfield = 'profile_field_'.$field->datatype;
$formfield = new $newfield($field->id, $userid);
if ($formfield->is_user_object_data()) {
if (!$onlyinuserobject || $formfield->is_user_object_data()) {
$usercustomfields->{$field->shortname} = $formfield->data;
}
}
......
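Review bot: The docblock line for `$onlyinuserobject` describes only the `true` case; it should also say what `false` returns. Something like `@param bool $onlyinuserobject True to return only the fields that belong in $USER, false to return every custom field.` would do. Judging by the `is_user_object_data()` guard, the `false` result can include data that field types deliberately keep out of the user object, so the docblock should add that this result is not meant to be merged into the session user. The function body continues outside the hunks.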
......@@ -62,6 +62,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
// Check that profile_user_record returns same (no) fields.
$this->assertObjectNotHasAttribute('frogdesc', profile_user_record($user->id));
// Check that profile_user_record returns all the fields when requested.
$this->assertObjectHasAttribute('frogdesc', profile_user_record($user->id, false));
// Add another custom field, this time of normal text type.
$id2 = $DB->insert_record('user_info_field', array(
'shortname' => 'frogname', 'name' => 'Name of frog', 'categoryid' => 1,
......@@ -77,6 +80,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
// Check profile_user_record returns same field.
$this->assertObjectHasAttribute('frogname', profile_user_record($user->id));
// Check that profile_user_record returns all the fields when requested.
$this->assertObjectHasAttribute('frogname', profile_user_record($user->id, false));
}
/**
......
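Review bot: Nothing in these test hunks exercises the behaviour the commit is named for, namely that a field locked by the auth plugin keeps its stored value when the edit form is given a different one. The added assertions only cover the new `$onlyinuserobject` argument of `profile_user_record()`. A regression test for `user_edit_form` with a `field_lock_*` setting of `locked`, covering both a standard and a custom profile field, would guard the fix against being undone later. The test method starts outside the hunks.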