I tried denying changes to all but the password field, but when I make a password change Drupal throws out a message...

    * An illegal choice has been detected. Please contact the site administrator.
    * Detected malicious attempt to alter protected user fields.

Any idea why?

Comments

deekayen’s picture

Category: bug » support

Both those errors come from core Drupal.

The alter protected fields happens when:

  1. Someone without administer permissions on their role submits a modification to the roles on someone's account.
  2. During registration if a user who is not an admin tries to submit invalid user options.
  3. During the user profile form validation in user_profile_form_validate() and user_edit_validate(). This last case is the only one that calls form_set_error() with that string where you would have been able to see the error. Seems to be triggered when the acting user doesn't have "administer users" or "administer permissions" permission, along with some other less likely cases.

kruser’s picture

Thanks for your reply.

It was definitely a combination of settings in the UserReadonly module triggering the error. After tampering with it I stumbled upon a combination of settings that worked...

To let the user only edit the password:
1. admin/user/user_readonly, Default: allowed all and check all roles
2. admin/user/user_readonly, Account information » E-mail address: Deny changes to all but the administrator
3. admin/user/permissions, be sure 'administer permissions' and 'change own username' are unchecked for all but the administrator.

And that allowed authenticated users to only change passwords with no 'An illegal choice has been detected.' error.

Thanks.

kruser’s picture

In hindsight, it seems like disallowing all by default, then enabling the individual fields is what triggers the error. When reversing the scenario, allowing all the fields by default, then disabling the individual fields that you don't want, works okay.

Bastlynn’s picture

Status: Active » Closed (works as designed)

Since it looks like the problem is resolved and was related to configurations, I'm closing this ticket. If you *do* need this issue addressed further - please open another ticket. Keep in mind, we are generally trying to take any changes on the 7.x branch, not the 6.x branch.