Merge pull request #362 from hannes2000/protected_user_fields

Protect user fields from being overwritten

README.rst

@@ -280,6 +280,12 @@ Configuration
   Also more extra values will be stored if defined, details about this setting
   are listed below on OpenId and OAuth sections.
 
+- The update_user_details pipeline processor will set certain fields on user
+  objects, such as ``email``. Set this to a list of fields you only want to 
+  set for newly created users:
+
+    SOCIAL_AUTH_PROTECTED_USER_FIELDS = ['email',]
+
   Session expiration time is an special value, it's recommended to define::
 
     SOCIAL_AUTH_EXPIRATION = 'expires'

doc/configuration.rst

@@ -165,6 +165,12 @@ Configuration
 
     SOCIAL_AUTH_EXTRA_DATA = False
 
+- The update_user_details pipeline processor will set certain fields on user
+  objects, such as ``email``. Set this to a list of fields you only want to
+  set for newly created users:
+
+    SOCIAL_AUTH_PROTECTED_USER_FIELDS = ['email',]
+
   Also more extra values will be stored if defined, details about this setting
   are listed below on OpenId and OAuth sections.
 

social_auth/backends/pipeline/user.py

@@ -91,7 +91,9 @@ def update_user_details(backend, details, response, user, is_new=False, *args,
     if not setting('SOCIAL_AUTH_CHANGE_SIGNAL_ONLY'):
         for name, value in details.iteritems():
             # do not update username, it was already generated
-            if name in (USERNAME, 'id', 'pk'):
+            # do not update configured fields if user already existed
+            if name in (USERNAME, 'id', 'pk') or (not is_new and
+                name in setting('SOCIAL_AUTH_PROTECTED_USER_FIELDS', [])):
                 continue
             if value and value != getattr(user, name, None):
                 setattr(user, name, value)