Unless I'm missing something, this module does NOT allow an administrator to disallow modification of user account/profile fields.

It alters the account/profile forms to give the impression that some fields can't be edited, but there is nothing server-side to prevent the user simply editing the form markup and submitting whatever edits they want.

I think this should be made clear in the documentation, because people may assume otherwise.

Many thanks.

Comments

deekayen

Status: Active » Closed (works as designed)

I used the Web Developer addon for Firefox to enable the disabled fields, submitted a change, and it kept the value. Sounds like you haven't tried it.

stephandale

Sorry I've only just got back to you - I was expecting some kind of alert.

I'm afraid I'm correct, though I sincerely hope I've made some kind of mistake.

If you're referring to the "enable form fields" option on the web developer toolbar, this simply enables the field. However, the value is set from a hidden field that the module adds to the form. There are in fact two ways you can change the value of a "restricted" field...

1. Remove the hidden field then enable and edit the original field.
2. Edit the hidden field.

Either way it's straightforward to circumvent the "restriction".

stephandale

Component: Documentation » Code
Priority: Normal » Critical
Status: Closed (works as designed) » Active

I'm changing the status of this because it's important and I've not had a response for several weeks. I've changed the component to 'code' because it seems you expect there to be no security hole in the code. Finally, priority is 'critical' because people may be using this to make sensitive information read only when they're actually not!

Bastlynn

Status: Active » Closed (fixed)

This has been addressed with 7.x-1.0, see http://drupal.org/node/1153092

The hidden field forms are dropped entirely, in favor of using #value, which hard sets the form value on the server end of things during form creation. Let me know if you run into any trouble with it.

This has also been backported to 6.x, see http://drupal.org/node/1153112

I will not be backporting this to versions earlier than 6.
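As an added illustration (not the module's own code; the module name `lockdemo`, its functions and the tamper check are hypothetical), here is the weak hidden-field pattern described in this thread beside the `#value` approach from the fix, expressed against the Drupal 7 user edit form:

```php
<?php
// Added example, not the module's code. Locks the e-mail field on the
// Drupal 7 user_profile_form; "lockdemo" and all functions are hypothetical.

/**
 * WEAK pattern: disable the visible field and carry the "real" value in a
 * hidden element. Because the hidden element uses #default_value, Form API
 * reads it back from the request, so the browser decides what gets saved.
 */
function lockdemo_weak_alter(&$form, &$form_state) {
  $account = $form['#user'];
  $form['account']['mail']['#disabled'] = TRUE;
  $form['account']['mail_locked'] = array(
    '#type' => 'hidden',
    '#default_value' => $account->mail,
  );
  $form['#submit'][] = 'lockdemo_weak_submit';
}

function lockdemo_weak_submit($form, &$form_state) {
  // Whatever the client put in mail_locked (or in a re-enabled mail field)
  // lands here, so there is no server-side restriction at all.
  $form_state['values']['mail'] = $form_state['values']['mail_locked'];
}

/**
 * HARDENED pattern (the approach the fix describes): #value is fixed while
 * the form is built on the server, and Form API ignores submitted input for
 * an element that has #value set, so editing the markup changes nothing.
 */
function lockdemo_form_user_profile_form_alter(&$form, &$form_state) {
  $account = $form['#user'];
  $form['account']['mail']['#disabled'] = TRUE;
  $form['account']['mail']['#value'] = $account->mail;
  $form['#validate'][] = 'lockdemo_detect_tampering';
}

/**
 * Defence in depth: $form_state['input'] still holds the raw request, so a
 * value that differs from the locked one means the form was altered. A
 * genuinely disabled field is never submitted, hence the isset() guard.
 */
function lockdemo_detect_tampering($form, &$form_state) {
  $account = $form['#user'];
  $sent = isset($form_state['input']['mail']) ? $form_state['input']['mail'] : NULL;
  if ($sent !== NULL && $sent !== $account->mail) {
    watchdog('lockdemo', 'Locked mail field altered by uid %uid.',
      array('%uid' => $account->uid), WATCHDOG_WARNING);
    form_set_error('mail', t('The e-mail address cannot be changed.'));
  }
}
```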