From da1296dd074011a09897754a0d1af36dcc0482c1 Mon Sep 17 00:00:00 2001
From: Frederic Massart
Date: Thu, 28 Apr 2016 17:59:53 +0800
Subject: [PATCH] MDL-53954 user: Prevent locked profile fields from being edited
---
 user/edit_form.php | 11 ++++++++++-
 user/profile/lib.php | 5 +++--
 user/tests/profilelib_test.php | 6 ++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/user/edit_form.php b/user/edit_form.php
index 3eb12c88df9..5bf35a9d9e4 100644
--- a/user/edit_form.php
+++ b/user/edit_form.php
@@ -131,6 +131,7 @@ class user_edit_form extends moodleform {
 $fields = get_user_fieldnames();
 $authplugin = get_auth_plugin($user->auth);
 $customfields = $authplugin->get_custom_user_profile_fields();
+ $customfieldsdata = profile_user_record($userid, false);
 $fields = array_merge($fields, $customfields);
 foreach ($fields as $field) {
 if ($field === 'description') {
@@ -142,7 +143,15 @@ class user_edit_form extends moodleform {
 if (!$mform->elementExists($formfield)) {
 continue;
 }
- $value = $mform->getElement($formfield)->exportValue($mform->getElementValue($formfield)) ?: '';
+
+ // Get the original value for the field.
+ if (in_array($field, $customfields)) {
+ $key = str_replace('profile_field_', '', $field);
+ $value = isset($customfieldsdata->{$key}) ? $customfieldsdata->{$key} : '';
+ } else {
+ $value = $user->{$field};
+ }
+
 $configvariable = 'field_lock_' . $field;
 if (isset($authplugin->config->{$configvariable})) {
 if ($authplugin->config->{$configvariable} === 'locked') {
diff --git a/user/profile/lib.php b/user/profile/lib.php
index 41470bbbd4e..d38bbe8174c 100644
--- a/user/profile/lib.php
+++ b/user/profile/lib.php
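Review bot: In the second hunk of user/edit_form.php, `str_replace('profile_field_', '', $field)` removes the marker wherever it occurs rather than only as a prefix, so a custom field whose shortname contains that string would yield the wrong `$key`, miss the `isset()` lookup and silently fall back to `''` as the "original" value of a locked field. Strip the prefix only, e.g. `$key = substr($field, strlen('profile_field_'));`, and pass `true` as the third argument of `in_array()` so the membership test is strict. The `else` branch also drops the old `?: ''` normalisation, so a null or unset `$user->{$field}` now reaches the lock handling as-is; `$value = isset($user->{$field}) ? $user->{$field} : '';` would keep the two branches consistent. The lock handling continues below the hunk, so how an empty `$value` is treated there should be confirmed.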
@@ -561,9 +561,10 @@ function profile_signup_fields($mform) {
 /**
 * Returns an object with the custom profile fields set for the given user
 * @param integer $userid
+ * @param bool $onlyinuserobject True if you only want the ones in $USER.
 * @return stdClass
 */
-function profile_user_record($userid) {
+function profile_user_record($userid, $onlyinuserobject = true) {
 global $CFG, $DB;
 $usercustomfields = new stdClass();
@@ -573,7 +574,7 @@ function profile_user_record($userid) {
 require_once($CFG->dirroot.'/user/profile/field/'.$field->datatype.'/field.class.php');
 $newfield = 'profile_field_'.$field->datatype;
 $formfield = new $newfield($field->id, $userid);
- if ($formfield->is_user_object_data()) {
+ if (!$onlyinuserobject || $formfield->is_user_object_data()) {
 $usercustomfields->{$field->shortname} = $formfield->data;
 }
 }
diff --git a/user/tests/profilelib_test.php b/user/tests/profilelib_test.php
index 7e3eab32eae..6e24e0ebdeb 100644
--- a/user/tests/profilelib_test.php
+++ b/user/tests/profilelib_test.php
@@ -62,6 +62,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
 // Check that profile_user_record returns same (no) fields.
 $this->assertObjectNotHasAttribute('frogdesc', profile_user_record($user->id));
+ // Check that profile_user_record returns all the fields when requested.
+ $this->assertObjectHasAttribute('frogdesc', profile_user_record($user->id, false));
+
 // Add another custom field, this time of normal text type.
 $id2 = $DB->insert_record('user_info_field', array( 'shortname' => 'frogname', 'name' => 'Name of frog', 'categoryid' => 1,
@@ -77,6 +80,9 @@ class core_user_profilelib_testcase extends advanced_testcase {
 // Check profile_user_record returns same field.
 $this->assertObjectHasAttribute('frogname', profile_user_record($user->id));
+
+ // Check that profile_user_record returns all the fields when requested.
+ $this->assertObjectHasAttribute('frogname', profile_user_record($user->id, false));
 }
 /**
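Review bot: The new `@param` line on `profile_user_record()` in user/profile/lib.php documents only the `true` case and leaves the `false` result implicit, although that is the mode the locked-field check in user/edit_form.php now depends on. I would spell out both, e.g. `@param bool $onlyinuserobject True to return only the fields for which is_user_object_data() is true; false to return the stored data of every custom field.` Since the `false` result presumably includes data that is intentionally kept out of `$USER`, the docblock could also say that callers should not copy it into the user object. The function body runs past both hunks.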
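Review bot: Both assertions added to user/tests/profilelib_test.php only check that `profile_user_record($user->id, false)` exposes the attribute; neither checks the value returned. Judging by the diffstat, no test in this patch covers the form-side change the commit is about. Consider asserting the stored value too, and adding a case for `user_edit_form` that confirms a field whose `field_lock_*` setting is `locked` keeps its stored value after the form is processed. The test method starts above the first hunk.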