From f4a75f4ef65aa5781a5d187c74176eace4177e9a Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 24 Mar 2014 11:57:53 -0500
Subject: [PATCH] Email cannot be changed on client registration

Otherwise, it might be possible for a forwarded email to accidentally
contain a ticket link, which a sinister individual might be able to use
to register for an account on behalf of the original client and, at the
same time, change the user's email address to his/her own.
---
 account.php                     |  1 +
 include/class.dynamic_forms.php |  4 ++--
 include/class.forms.php         | 11 +++++++++--
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/account.php b/account.php
index 2e081c735..41c5a482f 100644
--- a/account.php
+++ b/account.php
@@ -32,6 +32,7 @@ elseif ($thisclient) {
         foreach ($thisclient->getForms() as $f)
             if ($f->get('type') == 'U')
                 $user_form = $f;
+        $user_form->getField('email')->configure('disabled', true);
     }
     // Existing client (with an account) updating profile
     else {
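Review bot: Marking the email input disabled in the added line only changes what the browser renders; a hand-built POST can still carry an `email` value, and nothing in this hunk shows the registration handler ignoring or rejecting it. Since the commit's goal is that the address cannot be changed through a ticket link, the save path should drop the submitted email or compare it with the stored one, presumably where the form is validated outside this hunk. The added line also runs after the loop even when no form of type 'U' was found, so `$user_form` can be unset; guard it, e.g. `if ($user_form && ($email = $user_form->getField('email'))) $email->configure('disabled', true);`. The enclosing `elseif ($thisclient)` branch starts outside the hunk.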
diff --git a/include/class.dynamic_forms.php b/include/class.dynamic_forms.php
index 8c78c09b0..01682d00c 100644
--- a/include/class.dynamic_forms.php
+++ b/include/class.dynamic_forms.php
@@ -73,9 +73,9 @@ class DynamicForm extends VerySimpleModel {
     }
 
     function getField($name) {
-        foreach ($this->getDynamicFields() as $f)
+        foreach ($this->getFields() as $f)
             if (!strcasecmp($f->get('name'), $name))
-                return $f->getImpl();
+                return $f;
     }
 
     function hasField($name) {
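Review bot: `getField()` still falls off the end of the loop when no field matches, so it returns null implicitly, and the new caller in account.php chains `->configure()` directly onto the result. Add an explicit `return null;` after the loop and a docblock saying the method now returns the field object itself rather than `getImpl()`, matched case-insensitively by name. Other callers that relied on the old return value are not visible here and should be checked.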
diff --git a/include/class.forms.php b/include/class.forms.php
index 2bbb04a66..7a43ddd96 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -478,6 +478,11 @@ class FormField {
         return $this->_cform;
     }
 
+    function configure($prop, $value) {
+        $this->getConfiguration();
+        $this->_config[$prop] = $value;
+    }
+
     function getWidget() {
         if (!static::$widget)
             throw new Exception('Widget not defined for this field');
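Review bot: `configure()` calls `getConfiguration()` only for its side effect and discards the result, which is not obvious without a comment. Suggest a docblock stating that it sets an in-memory override in `$this->_config` for the given property, and a comment on the first line such as `// make sure _config is loaded before overriding a key`. Whether `getConfiguration()` can later rebuild `_config` and drop the override cannot be told from this hunk, so the docblock should say what callers may rely on.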
@@ -960,12 +965,14 @@ class TextboxWidget extends Widget {
             $classes = 'class="'.$config['classes'].'"';
         if (isset($config['autocomplete']))
             $autocomplete = 'autocomplete="'.($config['autocomplete']?'on':'off').'"';
+        if (isset($config['disabled']))
+            $disabled = 'disabled="disabled"';
         ?>
         <span style="display:inline-block">
         <input type="<?php echo static::$input_type; ?>"
             id="<?php echo $this->name; ?>"
-            <?php echo $size . " " . $maxlength; ?>
-            <?php echo $classes.' '.$autocomplete
+            <?php echo implode(' ', array_filter(array(
+                $size, $maxlength, $classes, $autocomplete, $disabled)))
                 .' placeholder="'.$config['placeholder'].'"'; ?>
             name="<?php echo $this->name; ?>"
             value="<?php echo Format::htmlchars($this->value); ?>"/>
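Review bot: `isset($config['disabled'])` is true for any non-null value, so `configure('disabled', false)` would still render the input as disabled; test the value instead, `if (!empty($config['disabled']))`. `$disabled` is also assigned only inside that `if`, so unless it is initialised above the hunk the `array(...)` on the echo line reads an undefined variable; `$disabled = '';` before the check avoids that. Separately, `$config['placeholder']` is echoed into the attribute without `Format::htmlchars()`, unlike `value` two lines below. The render method starts and ends outside the hunk.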
-- 
GitLab