FIX: prevent anonymous users from changing their email/username/name (PR #7311)

https://meta.discourse.org/t/suspect-account-anonymous-account/112813

GitHub

You’ve signed the CLA, majakomel. Thank you! This pull request is ready for review.

Should admin be able to edit usernames for anon users as well?

If the model is not anonymous, should we be able to update the associated accounts?

Non-anonymous users are able to update associated accounts if other conditions are met https://github.com/discourse/discourse/pull/7311/files#diff-4aba2c210bc3e273a9f57c8348785fd4R109

@SamSaffron, should admin still be able to edit email/username/name of anonymous users after the change?

I removed password and associated account from preferences and was thinking that it would make sense to disable editing of about/location/website/avatar as well to prevent anonymous account from being too personalized?

EDIT: Now that I think of it, either we need a migration that would “reset” anonymous users or allow admins to make changes…

ah icic. There are other conditions :+1:

I agree we should prevent any kind of customization for Anonymous users but still allow Admins to change anything they want.

@SamSaffron what do you think?

I think admins are fine to make changes here if they wish. I am merging this.