From fa9d89d690ca0ed90798e896360ced96f6bdb21c Mon Sep 17 00:00:00 2001
From: Clark Winkelmann
Date: Tue, 2 Jan 2018 00:13:33 +0100
Subject: [PATCH] Prevent editing fields in sign up modal according to identification data

---
 js/forum/src/components/SignUpModal.js | 8 ++++++--
 src/Forum/AuthenticationResponseFactory.php | 9 ++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/js/forum/src/components/SignUpModal.js b/js/forum/src/components/SignUpModal.js
index ed0c1362e..3fda244da 100644
--- a/js/forum/src/components/SignUpModal.js
+++ b/js/forum/src/components/SignUpModal.js
@@ -60,6 +60,10 @@ export default class SignUpModal extends Modal {
 ];
 }
+ fieldCantBeEdited(field) {
+ return this.props.identification_fields && this.props.identification_fields.indexOf(field) !== -1;
+ }
+
 body() {
 return [
 this.props.token ? '' : ,
@@ -69,14 +73,14 @@ export default class SignUpModal extends Modal {
+ disabled={this.loading || this.fieldCantBeEdited('username')} />
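Review bot: `fieldCantBeEdited` returns `undefined` rather than `false` whenever `identification_fields` is absent from the props, because `&&` yields its left operand; the `disabled` attribute tolerates that, but a predicate named `...CantBeEdited` should return a boolean, e.g. `return !!this.props.identification_fields && this.props.identification_fields.indexOf(field) !== -1;` (or `(this.props.identification_fields || []).includes(field)` if the build target allows it). The same consideration applies to the `disabled={...}` lines in the second hunk of this file, which only shape the UI: the username and email kept in component state are still what the client submits, so disabling the inputs is a usability aid and the server remains the only place that can enforce that identification fields are not overridden. `body()` continues past the end of this hunk.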
+ disabled={this.loading || this.fieldCantBeEdited('email')} />
{this.props.token ? '' : (
diff --git a/src/Forum/AuthenticationResponseFactory.php b/src/Forum/AuthenticationResponseFactory.php
index 17cc1497f..a705ab617 100644
--- a/src/Forum/AuthenticationResponseFactory.php
+++ b/src/Forum/AuthenticationResponseFactory.php
@@ -104,7 +104,14 @@ class AuthenticationResponseFactory
 $token = AuthToken::generate($identification);
 $token->save();
- $payload = array_merge($identification, $suggestions, ['token' => $token->id]);
+ $payload = array_merge(
+ $identification,
+ $suggestions,
+ ['token' => $token->id],
+ // List of the fields that can't be edited during sign up
+ // Only includes attributes on the sign up form, otherwise this could leak private attribute names
+ ['identification_fields' => array_only(array_keys($identification), ['username', 'email'])]
+ );
 }
 return $payload;
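Review bot: The new `identification_fields` entry applies `array_only` to `array_keys($identification)`, which is a list indexed 0..n-1, so if `array_only` is the Illuminate helper that filters by key (as its name suggests) the result is always `[]` and the client never disables any field. The intent appears to be a filter on the key names themselves, e.g. `['identification_fields' => array_intersect(array_keys($identification), ['username', 'email'])]` or `array_keys(array_only($identification, ['username', 'email']))`, either of which still honours the comment's goal of not exposing attribute names beyond the two form fields. Note that this flag only drives a `disabled` attribute in the sign-up modal and a client can still submit any value, so the registration handler that consumes this token should keep treating the token's `$identification` as authoritative over request data; that handler is outside this diff, so I cannot confirm it does. The enclosing method begins before this hunk.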