diff --git a/js/forum/src/components/SignUpModal.js b/js/forum/src/components/SignUpModal.js
index ed0c1362e..3fda244da 100644
--- a/js/forum/src/components/SignUpModal.js
+++ b/js/forum/src/components/SignUpModal.js
@@ -60,6 +60,10 @@ export default class SignUpModal extends Modal {
];
}
+ fieldCantBeEdited(field) {
+ return this.props.identification_fields && this.props.identification_fields.indexOf(field) !== -1;
+ }
+
body() {
return [
this.props.token ? '' : ,
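Review bot: `fieldCantBeEdited` only drives the `disabled` attribute of the form inputs, so it is a usability guard rather than a security control: a client can still submit any `username`/`email` value in the registration request, and the server must keep treating the token's identification as authoritative for those fields — nothing in this hunk shows whether the registration handler does that, so confirm it rather than rely on the disabled inputs. The method also yields `undefined` (not `false`) when `identification_fields` is absent, which works for `disabled=` but is worth making explicit: `return !!(this.props.identification_fields && this.props.identification_fields.indexOf(field) !== -1);`. A short JSDoc above it would help, e.g. `/** Whether the given sign-up field was supplied by the auth provider and must not be edited; reads the identification_fields array from the authentication response. */`. The same point applies to the two `disabled=` props in the following hunk; `body()` continues past the end of this hunk.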
@@ -69,14 +73,14 @@ export default class SignUpModal extends Modal {
+ disabled={this.loading || this.fieldCantBeEdited('username')} />
+ disabled={this.loading || this.fieldCantBeEdited('email')} />
{this.props.token ? '' : (
diff --git a/src/Forum/AuthenticationResponseFactory.php b/src/Forum/AuthenticationResponseFactory.php
index 17cc1497f..a705ab617 100644
--- a/src/Forum/AuthenticationResponseFactory.php
+++ b/src/Forum/AuthenticationResponseFactory.php
@@ -104,7 +104,14 @@ class AuthenticationResponseFactory
$token = AuthToken::generate($identification);
$token->save();
- $payload = array_merge($identification, $suggestions, ['token' => $token->id]);
+ $payload = array_merge(
+ $identification,
+ $suggestions,
+ ['token' => $token->id],
+ // List of the fields that can't be edited during sign up
+ // Only includes attributes on the sign up form, otherwise this could leak private attribute names
+ ['identification_fields' => array_only(array_keys($identification), ['username', 'email'])]
+ );
}
return $payload;
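Review bot: `array_only(array_keys($identification), ['username', 'email'])` always evaluates to an empty array, because `array_keys()` returns a numerically indexed list whose keys are `0, 1, …` while `array_only` filters by key, so `identification_fields` never names any field and the client-side lock on those inputs is never applied. The nesting needs to be inverted: `['identification_fields' => array_keys(array_only($identification, ['username', 'email']))]`. The comment on the preceding lines correctly explains why the whitelist exists; it would be worth adding that the client only uses this list to disable inputs and that the server-side registration path must remain the one that enforces the provider-supplied values — I cannot tell from this hunk whether it does. The enclosing method starts before this hunk.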