From 0ec771b5ee9764b7fef29f2f26b1508d876fddd5 Mon Sep 17 00:00:00 2001
From: thomasl
Date: Thu, 13 Feb 2025 00:39:05 +0100
Subject: [PATCH] Add some security

---
 apps/member/forms.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/apps/member/forms.py b/apps/member/forms.py
index 55fc0eab..5c58b190 100644
--- a/apps/member/forms.py
+++ b/apps/member/forms.py
@@ -44,7 +44,7 @@ class ProfileForm(forms.ModelForm):
 """
 A form for the extras field provided by the :model:`member.Profile` model.
 """
- # Remove widget=forms.HiddenInput() if you want to use report frequency.
+
 report_frequency = forms.IntegerField(required=False, initial=0, label=_("Statement frequency (in days)"))
 last_report = forms.DateTimeField(required=False, disabled=True, label=_("Last statement date"))

@@ -66,6 +66,14 @@ class ProfileForm(forms.ModelForm):
 super().__init__(*args, **kwargs)
 self.fields['address'].widget.attrs.update({"placeholder": "4 avenue des Sciences, 91190 GIF-SUR-YVETTE"})
 self.fields['promotion'].widget.attrs.update({"max": timezone.now().year})
+
+ def clean(self):
+ """Force the values of fields that the user does not have permission to modify.."""
+ cleaned_data = super().clean()
+ for field_name in self.fields.keys():
+ if not PermissionBackend.check_perm(self.request, f"member.change_profile_{field_name}", self.instance):
+ cleaned_data[field_name] = getattr(self.instance, field_name) # Force the old value
+ return cleaned_data

 @transaction.atomic
 def save(self, commit=True):
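Review bot: The new `clean()` in the second hunk reads `self.request`, but the visible `__init__` context lines never set that attribute, so any code path that instantiates `ProfileForm` without attaching a request turns the permission check into an `AttributeError` (a 500) rather than the intended silent revert; the contract should be stated in the docstring, e.g. `"""Revert fields the user may not change to the instance's current values. Requires ``self.request`` to be set by the view before validation."""`, which also fixes the double period in the current text. `getattr(self.instance, field_name)` likewise assumes every form field is a model attribute and that `self.instance` already holds the pre-edit values, which I cannot confirm from this hunk — on a creation flow the instance is unsaved and `change_profile_*` may not be the right permission to test. Overwriting `cleaned_data` silently means a user who submitted a forbidden value gets a success response while their change is dropped; consider comparing the submitted value with the instance value and calling `self.add_error(field_name, ...)` when they differ, so the denial is visible in the response and in logs instead of being hidden. Minor style point: `for field_name in self.fields:` reads the same as `self.fields.keys()`. The enclosing class starts before the hunk and `save()` continues after it.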