
Commit 28ba97c

alfredangclaude
andcommitted
Fix profile fields save: use direct SQL to bypass model whitelist
Magento's admin/user model _beforeSave() only persists a whitelist of fields (firstname, lastname, email, password, etc.). Custom columns (tel, gender, race, dob, nric_fin, linkedin_url, profile_image) are now saved via direct SQL UPDATE after the model save. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent b973b9d commit 28ba97c

2 files changed

Lines changed: 21 additions & 5 deletions


app/code/local/MMD/Adminhtml/controllers/System/AccountController.php

Lines changed: 20 additions & 4 deletions
@@ -18,11 +18,13 @@ public function saveAction()
1818
->setLastname($this->getRequest()->getParam('lastname', false))
1919
->setEmail(strtolower($this->getRequest()->getParam('email', false)));
2020

21-
// Profile fields
21+
// Profile fields — saved directly via SQL since core model
22+
// _beforeSave() only persists a whitelist of fields
23+
$profileData = array();
2224
$profileFields = array('tel', 'gender', 'race', 'dob', 'nric_fin', 'linkedin_url');
2325
foreach ($profileFields as $field) {
2426
$value = $this->getRequest()->getParam($field, null);
25-
$user->setData($field, $value ?: null);
27+
$profileData[$field] = ($value !== '' && $value !== null) ? $value : null;
2628
}
2729

2830
// Profile image upload
@@ -38,15 +40,19 @@ public function saveAction()
3840
$uploader->save($path, $filename);
3941

4042
// Delete old image
41-
$oldImage = $user->getData('profile_image');
43+
$resource = Mage::getSingleton('core/resource');
44+
$oldImage = $resource->getConnection('core_read')->fetchOne(
45+
'SELECT profile_image FROM ' . $resource->getTableName('admin/user') . ' WHERE user_id = ?',
46+
array($userId)
47+
);
4248
if ($oldImage) {
4349
$oldPath = $path . DS . $oldImage;
4450
if (file_exists($oldPath)) {
4551
@unlink($oldPath);
4652
}
4753
}
4854

49-
$user->setData('profile_image', $filename);
55+
$profileData['profile_image'] = $filename;
5056
} catch (Exception $e) {
5157
Mage::getSingleton('adminhtml/session')->addError('Image upload failed: ' . $e->getMessage());
5258
}
@@ -71,6 +77,16 @@ public function saveAction()
7177

7278
try {
7379
$user->save();
80+
81+
// Save profile fields directly (bypasses model whitelist)
82+
$resource = Mage::getSingleton('core/resource');
83+
$write = $resource->getConnection('core_write');
84+
$write->update(
85+
$resource->getTableName('admin/user'),
86+
$profileData,
87+
'user_id = ' . (int)$userId
88+
);
89+
7490
Mage::getSingleton('adminhtml/session')->addSuccess(
7591
Mage::helper('adminhtml')->__('The account has been saved.')
7692
);
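Review bot: The values written by the `$write->update()` call in the last hunk go from the request straight into the `admin_user` table with no validation — the direct UPDATE bypasses not only the model's field whitelist but whatever checks the model's save path would have applied, and the loop in the first hunk only turns empty strings into null. SQL injection is not the concern (the adapter quotes the data array and the WHERE clause uses `(int)$userId`), but a `tel[]=x` request reaches the adapter as an array, and `dob`, `linkedin_url` and `nric_fin` are persisted as whatever string arrives, with only the column width bounding their length. I would reject non-string input and sanity-check the typed fields while building `$profileData`, as below, so that a bad value is reported before `$user->save()` has already committed the rest of the form and the UPDATE then fails or writes junk. `saveAction()` begins and ends outside the hunks and the assignment of `$userId` is not visible; it must come from the logged-in admin's session rather than a request parameter, otherwise this UPDATE lets one admin overwrite another's profile row. `nric_fin` is a national identity number stored in plaintext beside the login credentials — that deserves an explicit decision (for example `Mage::helper('core')->encrypt()` on write) and a comment on the `$profileFields` line recording it.
```php
foreach ($profileFields as $field) {
    $value = $this->getRequest()->getParam($field, null);
    // Scalars only: a tel[]=... request would otherwise reach the adapter as an array
    $value = is_string($value) ? trim($value) : '';
    if ($value === '') {
        $profileData[$field] = null;
        continue;
    }
    if ($field === 'linkedin_url'
        && (!filter_var($value, FILTER_VALIDATE_URL)
            || !in_array(parse_url($value, PHP_URL_SCHEME), array('http', 'https'), true))) {
        Mage::getSingleton('adminhtml/session')->addError('LinkedIn URL must be an http(s) URL');
        $value = null;
    }
    $profileData[$field] = $value;
}
// … unchanged: profile image upload …
```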

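--- a/commit-version.txt
+++ b/commit-version.txt
@@ -1 +1 @@
-15-04-2026 02:12
+15-04-2026 02:22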
