Modify OctoberCMS Laravel Plugin to Disable Form Username Change


I'm using OctoberCMS based on Laravel with the official Users plugin.

How can I modify this plugin to Disable or Deny Username Change?

The form can easily be hacked to allow change.


Here is the file on GitHub I need to edit: Account.php

In the onUpdate() function, where it says $user->fill, it is saving all input fields.

I need to deny the username field in the function or with the validator.

public function onUpdate()
    if (!$user = $this->user()) {



I set Login attribute to Username.


User Update Details

The User Update Page displays the form inputs a user can change:

Full Name is a column in the Database called surname that I don't use.
Username is the column username, the one I use, but it's not included on the default form.


However, someone can add the username field in the browser just by using Inspect Element to edit the HTML:

<div class="form-group">
    <label for="accountUsername">Username</label>
    <input name="username" type="text" id="accountUsername" value="Desired Username">
</div>

Submit and it will change the name and update the username column in the database.




You could extend the User model with something like this:

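\RainLab\User\Models\User::extend(function($model) {

    // Runs before an existing user record is saved
    $model->bindEvent('model.beforeUpdate', function() use ($model) {

        // Reject the save if the username differs from the stored value
        if ($model->isDirty('username')) {
            throw new \ValidationException(['username' => 'Sorry!...']);
        }
    });
});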


The above code will have a global impact, if defined in a registration method, preventing the username from ever being changed. To restrict it only to the front-end, consider using an expression like if (!App::runningInBackend()) { /* ... */ }. Otherwise you could simply listen to the event on that page only, inside the onInit page code function.
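
The answer's two suggestions combined into one plugin registration file, as an added example that is not part of the original answer or of the RainLab.User plugin. The `Acme\LockUsername` namespace, the plugin details and the error message are assumptions made for illustration.

```php
<?php namespace Acme\LockUsername; // hypothetical plugin namespace (assumption)

use App;
use ValidationException;
use System\Classes\PluginBase;
use RainLab\User\Models\User;

class Plugin extends PluginBase
{
    // Load after RainLab.User so the model class is available.
    public $require = ['RainLab.User'];

    public function pluginDetails()
    {
        return [
            'name'        => 'Lock Username',   // assumed display name
            'description' => 'Rejects front-end changes to the username column.',
            'author'      => 'Acme',
        ];
    }

    public function boot()
    {
        User::extend(function ($model) {
            // model.beforeUpdate fires only for records that already exist,
            // so registration can still set the initial username.
            $model->bindEvent('model.beforeUpdate', function () use ($model) {
                // Back-end administrators keep the ability to rename accounts.
                if (App::runningInBackend()) {
                    return;
                }

                // isDirty() is true when the value about to be saved differs
                // from the one loaded from the database, which is the case
                // when an extra "username" input was added to the form.
                if ($model->isDirty('username')) {
                    throw new ValidationException([
                        'username' => 'The username cannot be changed.',
                    ]);
                }
            });
        });
    }
}
```

Because the check lives on the model rather than in the form, it applies to every front-end code path that saves a user, not only the account update handler.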