From 4ea7e153a0f7fbc2b45359f7e116ecb9b24d08bc Mon Sep 17 00:00:00 2001 From: Clark Winkelmann Date: Tue, 2 Jan 2018 00:13:33 +0100 Subject: [PATCH 1/3] Prevent editing fields in sign up modal according to identification data --- framework/core/js/forum/src/components/SignUpModal.js | 8 ++++++-- .../core/src/Forum/AuthenticationResponseFactory.php | 9 ++++++++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/framework/core/js/forum/src/components/SignUpModal.js b/framework/core/js/forum/src/components/SignUpModal.js index ed0c1362e..3fda244da 100644 --- a/framework/core/js/forum/src/components/SignUpModal.js +++ b/framework/core/js/forum/src/components/SignUpModal.js @@ -60,6 +60,10 @@ export default class SignUpModal extends Modal { ]; } + fieldCantBeEdited(field) { + return this.props.identification_fields && this.props.identification_fields.indexOf(field) !== -1; + } + body() { return [ this.props.token ? '' : , @@ -69,14 +73,14 @@ export default class SignUpModal extends Modal { + disabled={this.loading || this.fieldCantBeEdited('username')} />
+ disabled={this.loading || this.fieldCantBeEdited('email')} />
{this.props.token ? '' : ( diff --git a/framework/core/src/Forum/AuthenticationResponseFactory.php b/framework/core/src/Forum/AuthenticationResponseFactory.php index 17cc1497f..a705ab617 100644 --- a/framework/core/src/Forum/AuthenticationResponseFactory.php +++ b/framework/core/src/Forum/AuthenticationResponseFactory.php @@ -104,7 +104,14 @@ class AuthenticationResponseFactory $token = AuthToken::generate($identification); $token->save(); - $payload = array_merge($identification, $suggestions, ['token' => $token->id]); + $payload = array_merge( + $identification, + $suggestions, + ['token' => $token->id], + // List of the fields that can't be edited during sign up + // Only includes attributes on the sign up form, otherwise this could leak private attribute names + ['identification_fields' => array_only(array_keys($identification), ['username', 'email'])] + ); } return $payload; From f076e1ac6eb32b13e7604029e4e46efefc3c55dc Mon Sep 17 00:00:00 2001 From: Clark Winkelmann Date: Tue, 2 Jan 2018 00:27:13 +0100 Subject: [PATCH 2/3] Fix array_only usage --- framework/core/src/Forum/AuthenticationResponseFactory.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/core/src/Forum/AuthenticationResponseFactory.php b/framework/core/src/Forum/AuthenticationResponseFactory.php index a705ab617..c597d3c0d 100644 --- a/framework/core/src/Forum/AuthenticationResponseFactory.php +++ b/framework/core/src/Forum/AuthenticationResponseFactory.php @@ -110,7 +110,7 @@ class AuthenticationResponseFactory ['token' => $token->id], // List of the fields that can't be edited during sign up // Only includes attributes on the sign up form, otherwise this could leak private attribute names - ['identification_fields' => array_only(array_keys($identification), ['username', 'email'])] + ['identification_fields' => array_keys(array_only($identification, ['username', 'email']))] ); } From 2797eaff9ad3f86e5e9b9d0ec1e5d1035d015853 Mon Sep 17 00:00:00 2001 
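Review bot: The `disabled` attribute added to the username and email inputs (here, and again under the name `isProvided` in PATCH 3/3) only stops an unmodified browser from editing the value; a request can still carry a different `username` or `email` next to the token. Nothing in this series shows the registration endpoint taking those fields from the stored `AuthToken` payload rather than from the submitted form, so that server-side check should be confirmed or added before this is treated as a guarantee. A comment above the helper, such as `// UI hint only: the server must take identification values from the token`, would stop the next reader from mistaking it for enforcement. The JSX surrounding these inputs is not fully visible in the hunk.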
From: Clark Winkelmann Date: Thu, 11 Jan 2018 23:05:26 +0100 Subject: [PATCH 3/3] Rename method and attribute, and remove unnecessary attribute filtering --- framework/core/js/forum/src/components/SignUpModal.js | 8 ++++---- .../core/src/Forum/AuthenticationResponseFactory.php | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/framework/core/js/forum/src/components/SignUpModal.js b/framework/core/js/forum/src/components/SignUpModal.js index 3fda244da..fa96c80c0 100644 --- a/framework/core/js/forum/src/components/SignUpModal.js +++ b/framework/core/js/forum/src/components/SignUpModal.js @@ -60,8 +60,8 @@ export default class SignUpModal extends Modal { ]; } - fieldCantBeEdited(field) { - return this.props.identification_fields && this.props.identification_fields.indexOf(field) !== -1; + isProvided(field) { + return this.props.identificationFields && this.props.identificationFields.indexOf(field) !== -1; } body() { @@ -73,14 +73,14 @@ export default class SignUpModal extends Modal { + disabled={this.loading || this.isProvided('username')} />
+ disabled={this.loading || this.isProvided('email')} />
{this.props.token ? '' : ( diff --git a/framework/core/src/Forum/AuthenticationResponseFactory.php b/framework/core/src/Forum/AuthenticationResponseFactory.php index fbd82c42e..6a17c8c2d 100644 --- a/framework/core/src/Forum/AuthenticationResponseFactory.php +++ b/framework/core/src/Forum/AuthenticationResponseFactory.php @@ -109,8 +109,7 @@ class AuthenticationResponseFactory $suggestions, ['token' => $token->id], // List of the fields that can't be edited during sign up - // Only includes attributes on the sign up form, otherwise this could leak private attribute names - ['identification_fields' => array_keys(array_only($identification, ['username', 'email']))] + ['identificationFields' => array_keys($identification)] ); }
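Review bot: With the `username`/`email` filter removed, `identificationFields` now lists every key of `$identification`, and the `array_merge` call that opens just above this hunk (visible in PATCH 1/3) already copies `$identification` itself, values included, into the payload that appears to reach the sign-up modal as props. The whole array is therefore client-visible, and the remaining comment should say so, e.g. `// $identification is exposed to the client in full: pass only attributes that are safe to show`. It is also worth checking the merge order: a key in `$suggestions` overrides the same key from `$identification`, so a field could be shown locked with the suggested value rather than the identified one. Whether callers ever pass overlapping keys is not visible here.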