More user-setting checks.

e107_handlers/user_handler.php

@@ -54,7 +54,7 @@ class UserHandler
 	var $preferred = PASSWORD_DEFAULT_TYPE;			// Preferred password format
 	var $passwordOpts = 0;							// Copy of pref
 	var $passwordEmail = false;						// True if can use email address to log in
-	var $otherFields = array();
+	private $otherFields = array();
 	private $passwordAPI = false;
 
 	// Constructor
@@ -179,6 +179,36 @@ class UserHandler
 	}
 
 
+	/**
+	 * Check if a user posted field is readonly (should not be user-editable) - used in usersettings.php
+	 * @param array $posted
+	 * @return bool
+	 */
+	public function hasReadonlyField($posted)
+	{
+		$restricted = array_keys($this->otherFields);
+
+		$pref = e107::getPref();
+
+		if(empty($pref['signup_option_class']))
+		{
+			$restricted[] = 'user_class';
+		}
+
+		foreach($posted as $k=>$v)
+		{
+			if(in_array($k,$restricted))
+			{
+				return true;
+			}
+		}
+
+		return false;
+
+	}
+
+
+
 	/**
 	 * 	Given plaintext password and login name, generate password string to store in DB
 	 *

usersettings.php

@@ -352,8 +352,9 @@ elseif (isset($_POST['SaveValidatedInfo'])) // Next bit only valid if user editi
 	{	// Got some data confirmed with password entry
 		$new_data = base64_decode($_POST['updated_data']);
 
+
 		 // Should only happen if someone's fooling around
-		if (md5($new_data) != $_POST['updated_key'] || isset($new_data['user_admin']) || isset($new_data['user_perms']))
+		if (md5($new_data) != $_POST['updated_key'] || ($userMethods->hasReadonlyField($new_data) !==false))
 		{
 			echo LAN_USET_42.'<br />';
 			exit();
@@ -812,7 +813,6 @@ function req($field)
 }
 
 
-
 // Delete a file from the public directories. Return TRUE on success, FALSE on failure.
 // Also deletes from database if appropriate.
 function delete_file($fname, $dir = 'avatars/')