Merge pull request #118 from MagnusSamuelsson/fix/validations-in-update_user

dmitriim · web-flow · commit 16a9f5fec447 · 2025-12-23T10:21:56.000+11:00
Only validate changed user fields when provided
diff --git a/auth.php b/auth.php
@@ -340,18 +340,27 @@ protected function update_user(\stdClass $user, array $data) {
         }
 
         if (
+            isset($userdata['username'])
+            &&
             $user->username != $userdata['username']
             &&
             $DB->record_exists('user', ['username' => $userdata['username'], 'mnethostid' => $CFG->mnet_localhost_id])
         ) {
             throw new invalid_parameter_exception('Username already exists: ' . $userdata['username']);
         }
-        if (!validate_email($userdata['email'])) {
+
+        $emailchangerequested = isset($userdata['email']) && $user->email != $userdata['email'];
+
+        if (
+            $emailchangerequested
+            &&
+            !validate_email($userdata['email'])
+        ) {
             throw new invalid_parameter_exception('Email address is invalid: ' . $userdata['email']);
         } else if (
-            empty($CFG->allowaccountssameemail)
+            $emailchangerequested
             &&
-            $user->email != $userdata['email']
+            empty($CFG->allowaccountssameemail)
             &&
             $DB->record_exists('user', ['email' => $userdata['email'], 'mnethostid' => $CFG->mnet_localhost_id])
         ) {
diff --git a/tests/auth_plugin_test.php b/tests/auth_plugin_test.php
@@ -547,6 +547,41 @@ public function test_update_refuse_duplicate_username(): void {
         $this->auth->get_login_url($originaluser);
     }
 
+    /**
+     * Test that a user can be updated without providing any other fields than the mappingfield.
+     * (Only auth field should be updated).
+     */
+    public function test_update_allow_unset_fields(): void {
+        global $DB;
+        set_config('updateuser', true, 'auth_userkey');
+        set_config('mappingfield', 'id', 'auth_userkey');
+        $this->auth = new auth_plugin_userkey();
+
+        $userkeymanager = new fake_userkey_manager();
+        $this->auth->set_userkey_manager($userkeymanager);
+
+        $originaluser = new stdClass();
+        $originaluser->username = 'username';
+        $originaluser->email = 'username@test.com';
+        $originaluser->firstname = 'user';
+        $originaluser->lastname = 'name';
+
+        $user = self::getDataGenerator()->create_user($originaluser);
+
+        $loginuser = new stdClass();
+        $loginuser->id = $user->id;
+
+        $key = $this->auth->get_login_url($loginuser);
+
+        $userrecord = $DB->get_record('user', ['id' => $user->id]);
+        $this->assertNotEmpty($key);
+        $this->assertEquals('userkey', $userrecord->auth);
+        $this->assertEquals('username', $userrecord->username);
+        $this->assertEquals('username@test.com', $userrecord->email);
+        $this->assertEquals('user', $userrecord->firstname);
+        $this->assertEquals('name', $userrecord->lastname);
+    }
+
     /**
      * Test that we can get login url if we do not use fake keymanager.
      */
