[#MDL-18265] User profile fields are overwritten by default value when user updates profile even if it's locked - Moodle Tracker

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.8.8, 1.9.4
Fix Version/s: 1.8.9, 1.9.5
Component/s: Authentication
Labels:
None

Difficulty:
Easy
Affected Branches:
MOODLE_18_STABLE, MOODLE_19_STABLE
Fixed Branches:
MOODLE_18_STABLE, MOODLE_19_STABLE

Description

Following scenario

user profile field created
defaullt value for user profile field specified
user profile field locked
user profile field visible to user

With these properties set, when a user edits the profile following happens

instead of displaying the actual value of the user profile field, the default value ist displayed in the form
when user saves the profile, the default value replaces the actual value of the user profile field

So these are actually two bugs, but the second bug could be a security issue, because the Capabilities of the user aren't respected (prevent from updating the user profile field, even if it's locked)

This bug is reproducable (tested on two different systems)

The issue could be there (/user/profile/field/lib.php)

function edit_field_set_locked(&$mform) {
if ($this->is_locked() and !has_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM))) { $mform->hardFreeze($this->inputname); $mform->setConstant($this->inputname, $this->data); }
}

and there (/user/profile/field/lib.php)

function edit_field_set_default(&$mform) {
if (!empty($default)) { $mform->setDefault($this->inputname, $this->field->defaultdata); }
}

More Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

field_menu_lock.patch

10/Mar/09 7:24 PM

1 kB

Vlas Voloshin

edit_profile.gif

12 kB

25/Feb/09 11:43 PM
user_progile_editing.gif

34 kB

25/Feb/09 11:43 PM

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

David Bogner added a comment - 25/Feb/09 11:43 PM

First picture are the settings of the specific user profile field
The second picture shows the default vaule displayed in user/edit.php. When the user profile is updated the actual value of user profile field is overwritten by default value

Show

David Bogner added a comment - 25/Feb/09 11:43 PM First picture are the settings of the specific user profile field The second picture shows the default vaule displayed in user/edit.php. When the user profile is updated the actual value of user profile field is overwritten by default value

Hide

Permalink

David Bogner added a comment - 01/Mar/09 2:58 AM

There is a discussion concerning the bug there: http://moodle.org/mod/forum/discuss.php?d=117357

Show

David Bogner added a comment - 01/Mar/09 2:58 AM There is a discussion concerning the bug there: http://moodle.org/mod/forum/discuss.php?d=117357

Hide

Permalink

Anthony Borrow added a comment - 02/Mar/09 4:41 PM

I've not confirmed this but I am bumping the priority because it results in a loss of data. Peace - Anthony

Show

Anthony Borrow added a comment - 02/Mar/09 4:41 PM I've not confirmed this but I am bumping the priority because it results in a loss of data. Peace - Anthony

Hide

Permalink

Vlas Voloshin added a comment - 06/Mar/09 10:10 PM

It seems I've solved the issue, see http://moodle.org/mod/forum/discuss.php?d=117357#p518127 for details. Shortly, setConstant sets element to invalid value, which is field's default. The reasonable solution is to comment out or delete that line in /user/profile/field/lib.php. I don't think that setConstant is needed after hardFreeze at all, but I'm not sure.

Show

Vlas Voloshin added a comment - 06/Mar/09 10:10 PM It seems I've solved the issue, see http://moodle.org/mod/forum/discuss.php?d=117357#p518127 for details. Shortly, setConstant sets element to invalid value, which is field's default. The reasonable solution is to comment out or delete that line in /user/profile/field/lib.php. I don't think that setConstant is needed after hardFreeze at all, but I'm not sure.

Hide

Permalink

Petr Škoda (skodak) added a comment - 06/Mar/09 10:39 PM

constants and freezing is kind of broken in current formslib
going to have a look at this next week

Show

Petr Škoda (skodak) added a comment - 06/Mar/09 10:39 PM constants and freezing is kind of broken in current formslib

going to have a look at this next week

Hide

Permalink

Vlas Voloshin added a comment - 06/Mar/09 11:00 PM

Well, that's a pity Hope my solution will do the trick, at least temporary, for those who are interested.

Show

Vlas Voloshin added a comment - 06/Mar/09 11:00 PM Well, that's a pity

Hope my solution will do the trick, at least temporary, for those who are interested.

Hide

Permalink

Petr Škoda (skodak) added a comment - 08/Mar/09 6:05 AM

should be fixed now, I have moved the locking to definition_after_data where userid is known, please test
thanks a lot for the report and all info!

Show

Petr Škoda (skodak) added a comment - 08/Mar/09 6:05 AM should be fixed now, I have moved the locking to definition_after_data where userid is known, please test thanks a lot for the report and all info!

Hide

Permalink

Vlas Voloshin added a comment - 10/Mar/09 7:24 PM

Petr, there's another problem here - as we still use setConstant in edit_field_set_locked, we must redefine this function in derived field classes! This is mostly true for menu, not sure if it's necessary for other field classes.
The problem is here:
$mform->setConstant($this->inputname, $this->data);
but $this->data holds actual profile data. In menu profile field type, we have to set data index, not the actual data:
$mform->setConstant($this->inputname, $this->datakey);
I'm attaching a patch to fix it, hope you'll see this.

Show

Vlas Voloshin added a comment - 10/Mar/09 7:24 PM Petr, there's another problem here - as we still use setConstant in edit_field_set_locked, we must redefine this function in derived field classes! This is mostly true for menu, not sure if it's necessary for other field classes. The problem is here: $mform->setConstant($this->inputname, $this->data); but $this->data holds actual profile data. In menu profile field type, we have to set data index, not the actual data: $mform->setConstant($this->inputname, $this->datakey); I'm attaching a patch to fix it, hope you'll see this.

Hide

Permalink

Petr Škoda (skodak) added a comment - 13/Mar/09 7:22 PM

reopening, yes - this may be a problem, going to have a look at that today - thanks a lot!

Show

Petr Škoda (skodak) added a comment - 13/Mar/09 7:22 PM reopening, yes - this may be a problem, going to have a look at that today - thanks a lot!

Hide

Permalink

Petr Škoda (skodak) added a comment - 15/Mar/09 10:47 PM

Thanks a lot, your patched worked fine - now committed into cvs.

Show

Petr Škoda (skodak) added a comment - 15/Mar/09 10:47 PM Thanks a lot, your patched worked fine - now committed into cvs.

Hide

Permalink

Jerome Mouneyrac added a comment - 24/Mar/09 10:39 AM - edited

Tested on 1.9/1.8 as following:
As admin, create a field with specified settings from the issue description
As admin, set a different field value for a student
As student edit profil, save without changing the field value
=> The default value was neither displayed, neither saved. It works fine.

Thanks everybody

Show

Jerome Mouneyrac added a comment - 24/Mar/09 10:39 AM - edited Tested on 1.9/1.8 as following: As admin, create a field with specified settings from the issue description As admin, set a different field value for a student As student edit profil, save without changing the field value => The default value was neither displayed, neither saved. It works fine. Thanks everybody

People

Assignee:

Petr Škoda (skodak)

Reporter:

David Bogner

Tester:

Jerome Mouneyrac

Participants:

Anthony Borrow, David Bogner, Jerome Mouneyrac, Petr Škoda (skodak), Vlas Voloshin

Vote (1)

Watch (5)

Dates

Created:

16/Feb/09 7:33 AM

Updated:

24/Mar/09 1:04 PM

Resolved:

15/Mar/09 10:47 PM