Commit fada0691 authored by Frederic Massart's avatar Frederic Massart Committed by Andrew Nicols

MDL-53954 user: Prevent locked profile fields from being edited

parent 7873e36f
...@@ -133,6 +133,7 @@ class user_edit_form extends moodleform { ...@@ -133,6 +133,7 @@ class user_edit_form extends moodleform {
$fields = get_user_fieldnames(); $fields = get_user_fieldnames();
$authplugin = get_auth_plugin($user->auth); $authplugin = get_auth_plugin($user->auth);
$customfields = $authplugin->get_custom_user_profile_fields(); $customfields = $authplugin->get_custom_user_profile_fields();
$customfieldsdata = profile_user_record($userid, false);
$fields = array_merge($fields, $customfields); $fields = array_merge($fields, $customfields);
foreach ($fields as $field) { foreach ($fields as $field) {
if ($field === 'description') { if ($field === 'description') {
...@@ -144,7 +145,15 @@ class user_edit_form extends moodleform { ...@@ -144,7 +145,15 @@ class user_edit_form extends moodleform {
if (!$mform->elementExists($formfield)) { if (!$mform->elementExists($formfield)) {
continue; continue;
} }
$value = $mform->getElement($formfield)->exportValue($mform->getElementValue($formfield)) ?: '';
// Get the original value for the field.
if (in_array($field, $customfields)) {
$key = str_replace('profile_field_', '', $field);
$value = isset($customfieldsdata->{$key}) ? $customfieldsdata->{$key} : '';
} else {
$value = $user->{$field};
}
$configvariable = 'field_lock_' . $field; $configvariable = 'field_lock_' . $field;
if (isset($authplugin->config->{$configvariable})) { if (isset($authplugin->config->{$configvariable})) {
if ($authplugin->config->{$configvariable} === 'locked') { if ($authplugin->config->{$configvariable} === 'locked') {
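Review bot: `str_replace('profile_field_', '', $field)` removes every occurrence of the substring, not just the leading prefix, so a custom field whose shortname itself contains `profile_field_` would be looked up under the wrong key and fall back to `''`. Because `$value` feeds the `field_lock_` handling that follows (those branches continue outside this hunk), a wrong empty value could make a populated field look empty to that logic. Whether shortnames can contain that substring is not visible here. I would strip only the prefix with `$key = substr($field, strlen('profile_field_'));` and make the membership test strict with `in_array($field, $customfields, true)`. The enclosing method starts and ends outside the hunk.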
......
...@@ -551,9 +551,10 @@ function profile_signup_fields($mform) { ...@@ -551,9 +551,10 @@ function profile_signup_fields($mform) {
/** /**
* Returns an object with the custom profile fields set for the given user * Returns an object with the custom profile fields set for the given user
* @param integer $userid * @param integer $userid
* @param bool $onlyinuserobject True if you only want the ones in $USER.
* @return stdClass * @return stdClass
*/ */
function profile_user_record($userid) { function profile_user_record($userid, $onlyinuserobject = true) {
global $CFG, $DB; global $CFG, $DB;
$usercustomfields = new stdClass(); $usercustomfields = new stdClass();
...@@ -563,7 +564,7 @@ function profile_user_record($userid) { ...@@ -563,7 +564,7 @@ function profile_user_record($userid) {
require_once($CFG->dirroot.'/user/profile/field/'.$field->datatype.'/field.class.php'); require_once($CFG->dirroot.'/user/profile/field/'.$field->datatype.'/field.class.php');
$newfield = 'profile_field_'.$field->datatype; $newfield = 'profile_field_'.$field->datatype;
$formfield = new $newfield($field->id, $userid); $formfield = new $newfield($field->id, $userid);
if ($formfield->is_user_object_data()) { if (!$onlyinuserobject || $formfield->is_user_object_data()) {
$usercustomfields->{$field->shortname} = $formfield->data; $usercustomfields->{$field->shortname} = $formfield->data;
} }
} }
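Review bot: The new `@param bool $onlyinuserobject` line does not say what passing `false` returns, and that is the mode the edit form now relies on. With `false` the condition `!$onlyinuserobject || $formfield->is_user_object_data()` copies `$formfield->data` for every custom field, including those a field type deliberately keeps out of the user object. I would word it as `@param bool $onlyinuserobject True to return only fields whose is_user_object_data() is true; false to return every custom field's stored data.` and add a sentence to the description saying that callers passing `false` are responsible for any visibility check before showing the values, since none is visible in this function. The function body starts and ends outside the hunks shown.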
......
...@@ -62,6 +62,9 @@ class core_user_profilelib_testcase extends advanced_testcase { ...@@ -62,6 +62,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
// Check that profile_user_record returns same (no) fields. // Check that profile_user_record returns same (no) fields.
$this->assertObjectNotHasAttribute('frogdesc', profile_user_record($user->id)); $this->assertObjectNotHasAttribute('frogdesc', profile_user_record($user->id));
// Check that profile_user_record returns all the fields when requested.
$this->assertObjectHasAttribute('frogdesc', profile_user_record($user->id, false));
// Add another custom field, this time of normal text type. // Add another custom field, this time of normal text type.
$id2 = $DB->insert_record('user_info_field', array( $id2 = $DB->insert_record('user_info_field', array(
'shortname' => 'frogname', 'name' => 'Name of frog', 'categoryid' => 1, 'shortname' => 'frogname', 'name' => 'Name of frog', 'categoryid' => 1,
...@@ -77,6 +80,9 @@ class core_user_profilelib_testcase extends advanced_testcase { ...@@ -77,6 +80,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
// Check profile_user_record returns same field. // Check profile_user_record returns same field.
$this->assertObjectHasAttribute('frogname', profile_user_record($user->id)); $this->assertObjectHasAttribute('frogname', profile_user_record($user->id));
// Check that profile_user_record returns all the fields when requested.
$this->assertObjectHasAttribute('frogname', profile_user_record($user->id, false));
} }
/** /**
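Review bot: Both added assertions only check that the property exists on the object returned by `profile_user_record($user->id, false)`; they never check its value. The edit form now treats that value as the authoritative original for locked fields, so I would also compare the returned `frogdesc` and `frogname` data with what the test stored, for example with `assertEquals` on the returned property. The stored values are set up outside the lines visible here. The test method starts before the first hunk.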
......