Add some security

apps/member/forms.py

@@ -44,7 +44,7 @@ class ProfileForm(forms.ModelForm):
     """
     A form for the extras field provided by the :model:`member.Profile` model.
     """
-    # Remove widget=forms.HiddenInput() if you want to use report frequency.
+
     report_frequency = forms.IntegerField(required=False, initial=0, label=_("Statement frequency (in days)"))
 
     last_report = forms.DateTimeField(required=False, disabled=True, label=_("Last statement date"))
@@ -66,6 +66,14 @@ class ProfileForm(forms.ModelForm):
         super().__init__(*args, **kwargs)
         self.fields['address'].widget.attrs.update({"placeholder": "4 avenue des Sciences, 91190 GIF-SUR-YVETTE"})
         self.fields['promotion'].widget.attrs.update({"max": timezone.now().year})
+    
+    def clean(self):
+        """Force the values of fields that the user does not have permission to modify.."""
+        cleaned_data = super().clean()
+        for field_name in self.fields.keys():
+            if not PermissionBackend.check_perm(self.request, f"member.change_profile_{field_name}", self.instance):
+                cleaned_data[field_name] = getattr(self.instance, field_name)  # Force the old value
+        return cleaned_data
 
     @transaction.atomic
     def save(self, commit=True):