Well, not saying this is the way to do it, but what I would do is edit the associated role and add a policy that only allows the user read access to any user objects where they are the owner, e.g. their user object.
I think, however, that will disable their ability to change their own password.
You could also change the user/edit template so they can only change what you want them to change...???
... but what I would do is edit the associated role and add a policy that only allows the user read access to any user objects where they are the owner, e.g. their user object....
...
You could also change the user/edit template so they can only change what you want them to change...???
-tom
I would block some attributes of the user's own object, like hit counter, rating, and others... so, even if he is the owner of the object, I wouldn't allow him to edit all the fields. If I modify the edit template it is not secure because the user could use Firebug and add/modify fields... I had this problem some time ago: the user edited some hidden fields with Firebug, then he used Firebug to create the fields I removed from the editing template, and I got some problems. The best solution would be to control which attributes users are allowed to edit, by group.
Unfortunately, it is not (yet) possible to apply security policies at the attribute level. A hack does exist, but maybe you should wait a little, as this feature has been awaited for a long time and is claimed for Fuji next release (see feature requests and ideas).
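The problem raised in the thread (fields removed from the edit template being added back in the browser) is only closed by checking the submitted attribute names on the server. The following is an added sketch of such a check, not code from the CMS or from any poster; the group names, attribute names and the `apply_edit` helper are hypothetical.

```python
# Added example: server-side allow-list for submitted user-object attributes.
# Group and attribute names are constructed for illustration.

# Which attributes each group may change on an object it is allowed to edit.
EDITABLE_BY_GROUP = {
    "member": {"first_name", "last_name", "email", "password"},
    "editor": {"first_name", "last_name", "email", "password", "signature"},
    "admin": {"first_name", "last_name", "email", "password", "signature",
              "hit_counter", "rating"},
}


class RejectedFields(Exception):
    """Raised when a request carries attributes the caller may not change."""

    def __init__(self, fields):
        super().__init__("attributes not editable: " + ", ".join(sorted(fields)))
        self.fields = set(fields)


def allowed_attributes(groups):
    """Union of editable attributes over all of the caller's groups."""
    allowed = set()
    for group in groups:
        allowed |= EDITABLE_BY_GROUP.get(group, set())
    return allowed


def apply_edit(stored, submitted, groups, is_owner, strict=True):
    """Return an updated copy of `stored`, or raise.

    `submitted` is the raw POST data: it may contain fields the edit template
    never rendered, because the client controls the request body.
    """
    if not is_owner and "admin" not in groups:
        raise PermissionError("caller may not edit this object")
    allowed = allowed_attributes(groups)
    extra = set(submitted) - allowed
    if extra and strict:
        raise RejectedFields(extra)  # worth logging: the form was altered
    updated = dict(stored)
    for name in set(submitted) & allowed:
        updated[name] = submitted[name]
    return updated
```

With `strict=False` the unexpected fields are silently dropped instead of rejected; rejecting and logging makes altered forms visible to whoever reviews the logs.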