  1. Moodle
  2. MDL-18265

User profile fields are overwritten by default value when user updates profile even if it's locked

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.8.8, 1.9.4
    • Fix Version/s: 1.8.9, 1.9.5
    • Component/s: Authentication
    • Labels:
      None
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE

      Description

      Following scenario

      • user profile field created
      • default value for user profile field specified
      • user profile field locked
      • user profile field visible to user

      With these properties set, when a user edits the profile the following happens:

      • instead of displaying the actual value of the user profile field, the default value is displayed in the form
      • when the user saves the profile, the default value replaces the actual value of the user profile field

      So these are actually two bugs, but the second bug could be a security issue, because the capabilities of the user aren't respected (prevent from updating the user profile field, even if it's locked).

      This bug is reproducible (tested on two different systems).

      The issue could be there (/user/profile/field/lib.php)

      function edit_field_set_locked(&$mform) {
          // Locked field and no moodle/user:update capability: freeze the input and pin it to the stored value.
          if ($this->is_locked() and !has_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM))) {
              $mform->hardFreeze($this->inputname);
              $mform->setConstant($this->inputname, $this->data);
          }
      }

      and there (/user/profile/field/lib.php)

      function edit_field_set_default(&$mform) {
          // Pre-fill the input with the field's configured default value.
          if (!empty($default)) {
              $mform->setDefault($this->inputname, $this->field->defaultdata);
          }
      }
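The two failures described above (the form showing the default instead of the stored value, and a save overwriting a locked field) modelled as an added stand-alone PHP example. It is not Moodle code and not part of the original report; the function names, field names and sample data are hypothetical, and it assumes the lock has to be enforced on the server-side save path as well as in the form.

```php
<?php
// Added illustration, not Moodle code: every name below is hypothetical.

/** Value the edit form should display: the default only when nothing is stored. */
function form_value(array $field, ?string $stored): ?string {
    return $stored ?? $field['default'];
}

/**
 * Server-side save. With $enforcelock, a locked field is skipped for users
 * without the update capability, whatever the submitted form contained.
 */
function save_profile(array $fields, array $stored, array $submitted,
                      bool $canupdate, bool $enforcelock = true): array {
    foreach ($fields as $name => $field) {
        if (!array_key_exists($name, $submitted)) {
            continue; // field absent from the request
        }
        if ($enforcelock && $field['locked'] && !$canupdate) {
            continue; // keep the stored value, ignore the input
        }
        $stored[$name] = $submitted[$name];
    }
    return $stored;
}

// Constructed sample data.
$fields = [
    'department' => ['default' => 'Unassigned', 'locked' => true],
    'nickname'   => ['default' => '',           'locked' => false],
];
$stored = ['department' => 'Finance', 'nickname' => 'dave'];
// The form from the report: the locked field arrives carrying its default.
$submitted = ['department' => 'Unassigned', 'nickname' => 'david'];

$results = [
    'shown in form'        => form_value($fields['department'], $stored['department']),
    'save, lock ignored'   => save_profile($fields, $stored, $submitted, false, false),
    'save, lock enforced'  => save_profile($fields, $stored, $submitted, false),
    'save, has capability' => save_profile($fields, $stored, $submitted, true),
];
// Fail loudly if the enforced save let a locked value change.
if ($results['save, lock enforced']['department'] !== $stored['department']) {
    throw new RuntimeException('locked field was overwritten');
}
echo json_encode($results, JSON_PRETTY_PRINT), "\n";
```

The "lock ignored" row reproduces the overwrite from the report; the "lock enforced" row keeps the stored value even though the request carried the default.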

        Attachments

        1. edit_profile.gif
          12 kB
          David Bogner
        2. field_menu_lock.patch
          1 kB
          Vlas Voloshin
        3. user_progile_editing.gif
          34 kB
          David Bogner

            People

            Assignee:
            skodak Petr Skoda
            Reporter:
            dasistwas David Bogner
            Tester:
            Jérôme Mouneyrac Jérôme Mouneyrac
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            Votes:
            1
            Watchers:
            5

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              13/May/09