From 05f1a5e961283d01ed053a3023b19955766747e3 Mon Sep 17 00:00:00 2001
From: "J.-S. Caux" <J.S.Caux@uva.nl>
Date: Tue, 24 Jan 2017 19:02:25 +0100
Subject: [PATCH] Prevent exploits via self-changed surname

---
 scipost/views.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scipost/views.py b/scipost/views.py
index 687dcd50e..4af50e1ab 100644
--- a/scipost/views.py
+++ b/scipost/views.py
@@ -1120,6 +1120,9 @@ def update_personal_data(request):
             return render(request, 'scipost/acknowledgement.html', context)
     else:
         user_form = UpdateUserDataForm(instance=contributor.user)
+        # Prevent exploit of gaining view on self-authored submissions by changing surname.
+        user_form.fields['last_name'].widget.attrs['disabled'] = True
+        # Surname can only be changed through the admin.
         cont_form = UpdatePersonalDataForm(instance=contributor)
     return render(request, 'scipost/update_personal_data.html',
                   {'user_form': user_form, 'cont_form': cont_form})
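Review bot: The `disabled` HTML attribute added at `user_form.fields['last_name'].widget.attrs['disabled'] = True` is only a rendering hint and does not stop a user from submitting a new `last_name`; anyone who removes the attribute in the browser or crafts the POST directly can still change their surname, so the exploit the commit title describes is not closed server-side. The attribute is also set only in the GET branch (the `else:`), while the POST branch that binds `UpdateUserDataForm(request.POST, ...)` lies above the hunk and is untouched, and since browsers omit disabled inputs from submissions the bound form may now fail with a "required" error on the honest path. Django's field-level flag does the right thing in both respects by ignoring submitted data and falling back to the instance value; set it in both branches (or in the form's `__init__`) as `user_form.fields['last_name'].disabled = True`, assuming the project's Django version provides `Field.disabled` (1.9+), and keep the comment `# Surname is locked server-side; changes only via the admin.` beside it. The enclosing `update_personal_data` starts outside the hunk.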
-- 
GitLab