MDL-53954 user: Prevent locked profile fields from being edited

2025-04-23 17:34:56 +02:00 · 2016-04-28 17:59:53 +08:00 · 2016-04-28 17:59:53 +08:00 · da1296dd07
commit da1296dd07
parent e90e0ea570
3 changed files with 19 additions and 3 deletions
--- a/user/edit_form.php
+++ b/user/edit_form.php
@ -131,6 +131,7 @@ class user_edit_form extends moodleform {
            $fields = get_user_fieldnames();
            $authplugin = get_auth_plugin($user->auth);
            $customfields = $authplugin->get_custom_user_profile_fields();
+            $customfieldsdata = profile_user_record($userid, false);
            $fields = array_merge($fields, $customfields);
            foreach ($fields as $field) {
                if ($field === 'description') {
@ -142,7 +143,15 @@ class user_edit_form extends moodleform {
                if (!$mform->elementExists($formfield)) {
                    continue;
                }
-                $value = $mform->getElement($formfield)->exportValue($mform->getElementValue($formfield)) ?: '';
+
+                // Get the original value for the field.
+                if (in_array($field, $customfields)) {
+                    $key = str_replace('profile_field_', '', $field);
+                    $value = isset($customfieldsdata->{$key}) ? $customfieldsdata->{$key} : '';
+                } else {
+                    $value = $user->{$field};
+                }
+
                $configvariable = 'field_lock_' . $field;
                if (isset($authplugin->config->{$configvariable})) {
                    if ($authplugin->config->{$configvariable} === 'locked') {
--- a/user/profile/lib.php
+++ b/user/profile/lib.php
@ -561,9 +561,10 @@ function profile_signup_fields($mform) {
 /**
 * Returns an object with the custom profile fields set for the given user
 * @param integer $userid
+ * @param bool $onlyinuserobject True if you only want the ones in $USER.
 * @return stdClass
 */
-function profile_user_record($userid) {
+function profile_user_record($userid, $onlyinuserobject = true) {
    global $CFG, $DB;

    $usercustomfields = new stdClass();
@ -573,7 +574,7 @@ function profile_user_record($userid) {
            require_once($CFG->dirroot.'/user/profile/field/'.$field->datatype.'/field.class.php');
            $newfield = 'profile_field_'.$field->datatype;
            $formfield = new $newfield($field->id, $userid);
-            if ($formfield->is_user_object_data()) {
+            if (!$onlyinuserobject || $formfield->is_user_object_data()) {
                $usercustomfields->{$field->shortname} = $formfield->data;
            }
        }
--- a/user/tests/profilelib_test.php
+++ b/user/tests/profilelib_test.php
@ -62,6 +62,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
        // Check that profile_user_record returns same (no) fields.
        $this->assertObjectNotHasAttribute('frogdesc', profile_user_record($user->id));

+        // Check that profile_user_record returns all the fields when requested.
+        $this->assertObjectHasAttribute('frogdesc', profile_user_record($user->id, false));
+
        // Add another custom field, this time of normal text type.
        $id2 = $DB->insert_record('user_info_field', array(
                'shortname' => 'frogname', 'name' => 'Name of frog', 'categoryid' => 1,
@ -77,6 +80,9 @@ class core_user_profilelib_testcase extends advanced_testcase {

        // Check profile_user_record returns same field.
        $this->assertObjectHasAttribute('frogname', profile_user_record($user->id));
+
+        // Check that profile_user_record returns all the fields when requested.
+        $this->assertObjectHasAttribute('frogname', profile_user_record($user->id, false));
    }

    /**