Index: trunk/core/units/users/users_event_handler.php
===================================================================
diff -u -N -r4651 -r4730
--- trunk/core/units/users/users_event_handler.php	(.../users_event_handler.php)	(revision 4651)
+++ trunk/core/units/users/users_event_handler.php	(.../users_event_handler.php)	(revision 4730)
@@ -3,6 +3,29 @@
 class UsersEventHandler extends InpDBEventHandler {
 
     /**
+     * Allows to override standart permission mapping
+     *
+     */
+    function mapPermissions()
+    {
+        parent::mapPermissions();
+        $permissions = Array(
+            // front
+            'OnRefreshForm' => Array('self' => true),
+
+            'OnForgotPassword' => Array('self' => true),
+            'OnResetPassword' => Array('self' => true),
+            'OnResetPasswordConfirmed' => Array('self' => true),
+
+            'OnSubscribeQuery' => Array('self' => true),
+            'OnSubscribeUser' => Array('self' => true),
+
+            'OnRecommend' => Array('self' => true),
+        );
+        $this->permMapping = array_merge($this->permMapping, $permissions);
+    }
+
+    /**
      * Checks permissions of user
      *
      * @param kEvent $event
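Review bot: The docblock on `mapPermissions` says only that it overrides the mapping; it does not state what `'self' => true` grants, nor that `array_merge` lets every key listed here replace a parent entry for the same event name, so a reader cannot tell that the password-reset, subscribe and recommend handlers now carry the full responsibility for validating their own input. Suggested wording: `Front-end events mapped with 'self' => true so that CheckPermission() accepts them for the current user; the handlers themselves must validate their input. Keys here override entries from parent::mapPermissions() with the same name.` Whether `'self' => true` also admits guests cannot be seen from this hunk — confirm against the parent mapping before documenting it as such. Also fix the typo `standart` → `standard`.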
@@ -14,9 +37,43 @@
         return true;
     }
 
-        if ($event->Name == 'OnSetPersistantVariable') {
-            // only logged in users have persistant variables
-            return $this->Application->GetVar('u_id') > 0;
+        if (!$this->Application->IsAdmin()) {
+            $user_id = $this->Application->GetVar('u_id');
+            $items_info = $this->Application->GetVar($event->getPrefixSpecial(true));
+
+            if ($event->Name == 'OnCreate' && $user_id == -2) {
+                // "Guest" can create new users
+                return true;
+            }
+
+            if ($event->Name == 'OnUpdate' && $user_id > 0) {
+                $user_dummy =& $this->Application->recallObject($event->Prefix.'.-item', null, Array('skip_autoload' => true));
+                foreach ($items_info as $id => $field_values) {
+                    if ($id != $user_id) {
+                        // registered users can update their record only
+                        return false;
+                    }
+
+                    $user_dummy->Load($id);
+                    $status_field = array_shift($this->Application->getUnitOption($event->Prefix, 'StatusField'));
+
+                    if ($user_dummy->GetDBField($status_field) != STATUS_ACTIVE) {
+                        // not active user is not allowed to update his record (he could not activate himself manually)
+                        return false;
+                    }
+
+                    if (isset($field_values[$status_field]) && $user_dummy->GetDBField($status_field) != $field_values[$status_field]) {
+                        // user can't change status by himself
+                        return false;
+                    }
+                }
+                return true;
+            }
+
+            if ($event->Name == 'OnUpdate' && $user_id <= 0) {
+                // guests are not allowed to update their record, because they don't have it :)
+                return false;
+            }
         }
 
         return parent::CheckPermission($event);
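Review bot: `array_shift($this->Application->getUnitOption($event->Prefix, 'StatusField'))` passes a function result by reference, which PHP reports as "Only variables should be passed by reference", and it is re-evaluated on every loop iteration although nothing in it depends on `$id`; hoist it above the `foreach` into a variable first, `$status_fields = $this->Application->getUnitOption($event->Prefix, 'StatusField');` then `$status_field = array_shift($status_fields);`. The ownership test `$id != $user_id` is a loose comparison on a request-supplied array key, so `if ((int)$id !== (int)$user_id)` would make the intended integer-identity check explicit. `$items_info` comes straight from `GetVar` and is iterated without checking that it is an array, so an absent or scalar value raises a warning on `foreach` and then falls through to `return true`; returning false unless `is_array($items_info) && $items_info` holds seems the safer default for a permission check. The removed `OnSetPersistantVariable` guard has no counterpart in the new `!IsAdmin()` branch, so for guests that event now depends entirely on `parent::CheckPermission` — confirm that is intended. The method's signature and the first `return true` lie outside the hunk.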