Index: branches/5.2.x/core/kernel/db/dbitem.php =================================================================== diff -u -N -r16001 -r16016 --- branches/5.2.x/core/kernel/db/dbitem.php (.../dbitem.php) (revision 16001) +++ branches/5.2.x/core/kernel/db/dbitem.php (.../dbitem.php) (revision 16016) @@ -1,6 +1,6 @@ getRequestProtectedFields($hash); + if ( $skip_fields ) { $set_fields = array_diff($set_fields, $skip_fields); } @@ -319,23 +319,42 @@ } /** + * Returns fields, that are not allowed to be changed from request. + * + * @param array $fields_hash Fields hash. + * + * @return array + */ + protected function getRequestProtectedFields(array $fields_hash) + { + // don't allow changing ID + $fields = Array (); + $fields[] = $this->Application->getUnitOption($this->Prefix, 'IDField'); + + $parent_prefix = $this->Application->getUnitOption($this->Prefix, 'ParentPrefix'); + + if ( $parent_prefix && $this->isLoaded() && !$this->Application->isAdmin ) { + // don't allow changing foreign key of existing item from request + $foreign_key = $this->Application->getUnitOption($this->Prefix, 'ForeignKey'); + $fields[] = is_array($foreign_key) ? $foreign_key[$parent_prefix] : $foreign_key; + } + + return $fields; + } + + /** * Sets object fields from $hash array * @param Array $hash - * @param Array|null $skip_fields * @param Array|null $set_fields * @return void * @access public */ - public function SetDBFieldsFromHash($hash, $skip_fields = Array (), $set_fields = Array ()) + public function SetDBFieldsFromHash($hash, $set_fields = Array ()) { if ( !$set_fields ) { $set_fields = array_keys($hash); } - if ( $skip_fields ) { - $set_fields = array_diff($set_fields, $skip_fields); - } - $set_fields = array_intersect($set_fields, array_keys($this->Fields)); foreach ($set_fields as $field_name) { @@ -1575,4 +1594,4 @@ return array_shift($status_fields); } -} \ No newline at end of file +}
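Review bot: Dropping the middle `$skip_fields` parameter from `SetDBFieldsFromHash` changes the meaning of the second positional argument, so any caller not updated in this commit that still passes a skip list there would have it treated as `$set_fields`, i.e. as the only fields to write, and PHP does not complain about a surplus third argument. The callers are outside this hunk and should be audited; a guard at the top of the method such as `if ( func_num_args() > 2 ) { trigger_error('SetDBFieldsFromHash() no longer accepts $skip_fields', E_USER_WARNING); }` would at least surface stale three-argument calls. In `getRequestProtectedFields` the foreign key is protected only when the item is loaded and the request is not from the admin side, so a front-end request that creates a new item still supplies its own parent key; if that is intended, the docblock should say so, for example `Foreign key is protected only for already loaded items on the front-end.` The body of `SetDBFieldsFromHash` continues past the end of the hunk.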