Update code to manage users from external modules (#7445)

* Update code to manage users from external modules

* Check POST data on load HForm

* Check POST data on load HForm

* Revert init AuthClientUserService

CHANGELOG.md

@@ -17,6 +17,7 @@ HumHub Changelog
 - Enh #7424: New event on get registration groups
 - Enh #7437: Add beforeInitCallback `humhub.ui.picker`
 - Fix #7441: Hide "Remember me" option on mobile app
+- Enh #7408: Update code to manage users from external modules
 
 1.17.0 (January 13, 2025)
 -------------------------

protected/humhub/compat/HForm.php

@@ -69,11 +69,12 @@ class HForm extends \yii\base\Component
     {
         if (Yii::$app->request->method == 'POST') {
             if ($buttonName == "" || isset($_POST[$buttonName])) {
+                $allowedPostData = $this->getAllowedPostData();
                 foreach ($this->models as $model) {
-                    $model->load(Yii::$app->request->post());
+                    $model->load($allowedPostData);
                 }
                 if ($this->primaryModel !== null) {
-                    $this->primaryModel->load(Yii::$app->request->post());
+                    $this->primaryModel->load($allowedPostData);
                 }
                 return true;
             }
@@ -84,6 +85,32 @@ class HForm extends \yii\base\Component
         return false;
     }
 
+    protected function getAllowedPostData(): array
+    {
+        $post = Yii::$app->request->post();
+
+        foreach ($this->models as $modelName => $model) {
+            $className = substr(strrchr(get_class($model), '\\'), 1);
+            if (!isset($post[$className])) {
+                continue;
+            }
+            if (!isset($this->definition['elements'][$modelName])) {
+                // Remove post data of the object if no definition
+                unset($post[$className]);
+            }
+            if (isset($this->definition['elements'][$modelName]['elements'])) {
+                foreach ($this->definition['elements'][$modelName]['elements'] as $elementName => $element) {
+                    if (!empty($element['readonly']) && isset($post[$className][$elementName])) {
+                        // Remove a readonly field from the POST data
+                        unset($post[$className][$elementName]);
+                    }
+                }
+            }
+        }
+
+        return $post;
+    }
+
     public function validate()
     {
         $hasErrors = false;

protected/humhub/modules/admin/controllers/GroupController.php

@@ -132,7 +132,7 @@ class GroupController extends Controller
         $group = Group::findOne(['id' => Yii::$app->request->get('id')]);
         $this->checkGroupAccess($group);
 
-        $searchModel = new UserSearch();
+        $searchModel = Yii::createObject(UserSearch::class);
         $searchModel->query = $group->getUsers();
         $dataProvider = $searchModel->search(Yii::$app->request->queryParams);
         return $this->render('members', [

protected/humhub/modules/admin/controllers/UserController.php

@@ -83,7 +83,7 @@ class UserController extends Controller
      */
     public function actionList()
     {
-        $searchModel = new UserSearch();
+        $searchModel = Yii::createObject(UserSearch::class);
         $searchModel->status = User::STATUS_ENABLED;
         $dataProvider = $searchModel->search(Yii::$app->request->queryParams);
         $showPendingRegistrations = Invite::find()->where(Invite::filterSource())->exists() &&
@@ -390,7 +390,7 @@ class UserController extends Controller
      */
     public function actionExport($format)
     {
-        $searchModel = new UserSearch();
+        $searchModel = Yii::createObject(UserSearch::class);
         $dataProvider = $searchModel->search(Yii::$app->request->queryParams);
 
         $exporter = new SpreadsheetExport([