Commit 80ff81fd authored by Kostas Papadimitriou

Prevent changes of readonly user profile fields

Some user profile properties require special actions to be performed by
the user in order to be altered. Additional workflows are provided for
these properties to be changed (e.g. email verification URLs/views for
the user to change his email address) and thus they should be considered
immutable by the user profile form.

Setting the readonly attribute on those field widgets is not enough,
since it only takes care of their immutability on the client/presentation
layer and does not ensure that the corresponding profile attribute won't
be overridden if found in the POST dictionary passed during the form

To fix this we override the respective clean_<field> methods and force
them to return the currently stored value regardless of whether the user
requested to change it (e.g. with a handcrafted POST request).

parent 605aed13
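As an added example (not the project's code, and it does not need Django installed), the following stand-in form models the `clean_<field>` hook the commit message describes. The weak form only sets the widget `readonly` attribute and so accepts a handcrafted POST body that edits `uuid` and `auth_token`; the hardened form derives one pinning `clean_<field>` per `ro_fields` entry, so the readonly list and the overrides cannot drift apart, and records which read-only fields the client tried to change. The field names, the stored profile and the POST bodies are all constructed for the example, and the form class is a simplified imitation of Django's binding order, not Django itself.

```python
"""Widget-level readonly is presentation only; pinning in clean_<field>
is the server-side enforcement.  Added illustration with a stand-in form
class so it runs without Django (field names and data are constructed)."""
import logging

log = logging.getLogger("profile_form")


class Profile:
    """Stand-in for the stored model instance (constructed)."""

    def __init__(self, **attrs):
        self.__dict__.update(attrs)


class WeakProfileForm:
    """Marks the sensitive widgets readonly and nothing else."""

    fields = ("first_name", "email", "uuid", "auth_token")
    ro_fields = ("email", "uuid", "auth_token")

    def __init__(self, post, instance):
        self.data = dict(post)
        self.instance = instance
        self.cleaned_data = {}
        self.tampered = []  # read-only fields whose POST value differed
        # Presentation layer only: the browser will not let the user edit
        # these inputs, but nothing stops a handcrafted request.
        self.widget_attrs = {f: {"readonly": True} for f in self.ro_fields}

    def is_valid(self):
        # Step 1 (field-level clean, simplified): bind POST values, falling
        # back to the stored value for fields absent from the body.
        for f in self.fields:
            self.cleaned_data[f] = self.data.get(f, getattr(self.instance, f))
        # Step 2: run clean_<field>() hooks; the return value replaces the
        # bound value, which is the behaviour the commit relies on.
        for f in self.fields:
            hook = getattr(self, "clean_%s" % f, None)
            if hook is not None:
                self.cleaned_data[f] = hook()
        return True

    def save(self):
        for f, value in self.cleaned_data.items():
            setattr(self.instance, f, value)
        return self.instance


class HardenedProfileForm(WeakProfileForm):
    """Same form, but every ro_fields entry is pinned server side."""


def _make_pinner(field):
    """Build a clean_<field> that ignores the POST value, returns the
    stored one and records the attempt when the two differ."""

    def clean_field(self):
        stored = getattr(self.instance, field)
        if self.cleaned_data[field] != stored:
            self.tampered.append(field)
            log.warning("ignored client change to read-only field %r", field)
        return stored

    clean_field.__name__ = "clean_%s" % field
    return clean_field


# Derive the overrides from ro_fields so the two lists cannot drift apart.
for _field in HardenedProfileForm.ro_fields:
    setattr(HardenedProfileForm, "clean_%s" % _field, _make_pinner(_field))


def missing_pinners(form_cls):
    """Read-only fields lacking a clean_<field> override (drift check)."""
    return [f for f in form_cls.ro_fields
            if not hasattr(form_cls, "clean_%s" % f)]


def submit(form_cls, post, stored):
    """Bind a POST body to a fresh stored profile; return the saved
    attribute dict and the list of tampered read-only fields."""
    form = form_cls(post, Profile(**stored))
    form.is_valid()
    saved = form.save()
    return dict(saved.__dict__), list(form.tampered)


if __name__ == "__main__":
    stored = {"first_name": "Kostas", "email": "k@example.org",
              "uuid": "u-1", "auth_token": "tok-1"}
    # Constructed handcrafted POST: the client edits two read-only fields.
    post = {"first_name": "K.", "uuid": "u-evil", "auth_token": "tok-evil"}
    print("weak:    ", submit(WeakProfileForm, post, stored))
    print("hardened:", submit(HardenedProfileForm, post, stored))
```

The `tampered` list is what a real form would feed into a log line or a `ValidationError`; silently returning the stored value, as the commit does, makes a handcrafted request ineffective but also invisible.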
......@@ -452,6 +452,18 @@ class ProfileForm(forms.ModelForm):
for field in ro_fields:
self.fields[field].widget.attrs['readonly'] = True
def clean_email(self):
def clean_auth_token(self):
return self.instance.auth_token
def clean_auth_token_expires(self):
return self.instance.auth_token_expires
def clean_uuid(self):
return self.instance.uuid
def save(self, commit=True):
user = super(ProfileForm, self).save(commit=False)
user.is_verified = True
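Review bot: the read-only set in `ro_fields` (the loop setting `widget.attrs['readonly']`) and the pinning overrides `clean_auth_token`, `clean_auth_token_expires` and `clean_uuid` are maintained as two separate lists, so a field added to one and not the other is silently reopened to POST tampering; consider generating the `clean_<field>` methods from `ro_fields`, or asserting in `__init__` that every entry has a matching `clean_` method. Also, `def clean_email(self):` appears here with no body directly before `def clean_auth_token(self):`; if that is not a rendering artifact it needs `return self.instance.email` like the other three. Finally, returning the stored value discards a mismatching POST value silently; logging the mismatch (or raising a ValidationError) would make a handcrafted request visible to operators rather than merely ineffective.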
......@@ -1000,7 +1012,6 @@ class ExtendedProfileForm(ProfileForm):
del self.fields['change_password']
if EMAILCHANGE_ENABLED and self.instance.can_change_email():
self.email_change = True
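Review bot: this `ExtendedProfileForm` path still sets `self.email_change = True` when `EMAILCHANGE_ENABLED and self.instance.can_change_email()`, while the parent form's `clean_email` is, per the commit message, now forced back to the stored address; confirm that the email-change workflow reads the requested address from its own field or view rather than from `cleaned_data['email']`, otherwise a changed address can never reach it. The hunk header (`-1000,7 +1012,6`) shows one line removed here but the rendering carries no markers, and the commit message does not say what was dropped from `ExtendedProfileForm`; a sentence naming it would help reviewers.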