Index: branches/5.2.x/core/units/users/users_event_handler.php =================================================================== diff -u -N -r15027 -r15049 --- branches/5.2.x/core/units/users/users_event_handler.php (.../users_event_handler.php) (revision 15027) +++ branches/5.2.x/core/units/users/users_event_handler.php (.../users_event_handler.php) (revision 15049) @@ -1,6 +1,6 @@ getObject( Array ('form_name' => 'login') ); /* @var $object kDBItem */ - $object->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $username = $object->GetDBField('UserLogin'); $password = $object->GetDBField('UserPassword'); $remember_login = $object->GetDBField('UserRememberLogin') == 1; @@ -410,7 +427,7 @@ $this->Application->SetVar($event->getPrefixSpecial(true), Array ($object->GetID() => $field_values)); } - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $status = $object->isLoaded() ? $object->Update() : $object->Create(); @@ -620,7 +637,8 @@ $object =& $event->getObject( Array ('form_name' => 'recommend') ); /* @var $object kDBItem */ - $object->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); if ( !$object->ValidateField('RecommendEmail') ) { $event->status = kEvent::erFAIL; @@ -666,7 +684,7 @@ $object->Load($id); } - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->setID($id); $object->Validate(); } 
@@ -689,7 +707,8 @@ $object =& $event->getObject( Array ('form_name' => 'subscription') ); /* @var $object UsersItem */ - $object->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); if ( !$object->ValidateField('SubscriberEmail') ) { $event->status = kEvent::erFAIL; @@ -822,7 +841,8 @@ $object =& $event->getObject( Array ('form_name' => 'forgot_password') ); /* @var $object kDBItem */ - $object->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $user_object =& $this->Application->recallObject('u.tmp', null, Array('skip_autoload' => true)); /* @var $user_object UsersItem */ @@ -1064,14 +1084,14 @@ { $event->redirect = false; $item_info = $this->Application->GetVar( $event->getPrefixSpecial(true) ); - list($id, $fields) = each($item_info); + list($id, $field_values) = each($item_info); $object =& $event->getObject( Array ('skip_autoload' => true) ); /* @var $object kDBItem */ $object->setID($id); $object->IgnoreValidation = true; - $object->SetFieldsFromHash($fields); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); } /** @@ -1200,7 +1220,7 @@ $this->RemoveRequiredFields($object); $object->SetDBField('RootPassword', $this->Application->ConfigValue('RootPass')); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->setID(-1); if ( $object->Validate() ) { 
@@ -1218,7 +1238,7 @@ } else { $object =& $event->getObject(); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); if ( !$object->Update() ) { $event->status = kEvent::erFAIL; Index: branches/5.2.x/core/units/languages/languages_event_handler.php =================================================================== diff -u -N -r15012 -r15049 --- branches/5.2.x/core/units/languages/languages_event_handler.php (.../languages_event_handler.php) (revision 15012) +++ branches/5.2.x/core/units/languages/languages_event_handler.php (.../languages_event_handler.php) (revision 15049) @@ -1,6 +1,6 @@ setID($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); if (!$object->Validate()) { $event->status = kEvent::erFAIL; @@ -513,7 +513,7 @@ /* @var $object kDBItem */ $object->setID($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); if (!$object->Validate()) { $event->status = kEvent::erFAIL; Index: branches/5.2.x/core/kernel/db/dbitem.php =================================================================== diff -u -N -r14998 -r15049 --- branches/5.2.x/core/kernel/db/dbitem.php (.../dbitem.php) (revision 14998) +++ branches/5.2.x/core/kernel/db/dbitem.php (.../dbitem.php) (revision 15049) @@ -1,6 +1,6 @@ Fields)); // used in formatter which work with multiple fields together 
@@ -314,18 +319,23 @@ } /** - * Sets object fields from $hash arrat + * Sets object fields from $hash array * @param Array $hash + * @param Array|null $skip_fields * @param Array|null $set_fields * @return void * @access public */ - public function SetDBFieldsFromHash($hash, $set_fields = Array ()) + public function SetDBFieldsFromHash($hash, $skip_fields = Array (), $set_fields = Array ()) { if ( !$set_fields ) { $set_fields = array_keys($hash); } + if ( $skip_fields ) { + $set_fields = array_diff($set_fields, $skip_fields); + } + $set_fields = array_intersect($set_fields, array_keys($this->Fields)); foreach ($set_fields as $field_name) { Index: branches/5.2.x/core/units/images/image_tag_processor.php =================================================================== diff -u -N -r14748 -r15049 --- branches/5.2.x/core/units/images/image_tag_processor.php (.../image_tag_processor.php) (revision 14748) +++ branches/5.2.x/core/units/images/image_tag_processor.php (.../image_tag_processor.php) (revision 15049) @@ -1,6 +1,6 @@ SetDBField('ThumbPath', $image_src); if (!$object->isLoaded() && $image_src) { - // set fields for displaing new image during main item suggestion with errors + // set fields for displaying new image during main item suggestion with errors $fields_hash = Array ( 'Url' => '', 'ThumbUrl' => '', Index: branches/5.2.x/core/units/forms/forms/forms_eh.php =================================================================== diff -u -N -r14989 -r15049 --- branches/5.2.x/core/units/forms/forms/forms_eh.php (.../forms_eh.php) (revision 14989) +++ branches/5.2.x/core/units/forms/forms/forms_eh.php (.../forms_eh.php) (revision 15049) 
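Review bot: In the `@@ -314,18 +319,23 @@` hunk of dbitem.php, `$skip_fields` is inserted ahead of `$set_fields`, so any existing caller that passes a field list as the second positional argument of `SetDBFieldsFromHash()` now has that list treated as fields to skip instead of fields to set, with no error raised. Callers are not visible in this diff, so either confirm that none pass a second argument or keep the old order and append the new parameter: `public function SetDBFieldsFromHash($hash, $set_fields = Array (), $skip_fields = Array ())`. The docblock types `$skip_fields` as `Array|null` while the default is an empty array; it should state that an empty value means nothing is skipped. The method body continues past the end of the hunk.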
@@ -1,6 +1,6 @@ SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); if ( $object->Validate() ) { $event->redirect = $this->Application->GetVar('success_template'); Index: branches/5.2.x/core/units/forms/submission_log/submission_log_eh.php =================================================================== diff -u -N -r14989 -r15049 --- branches/5.2.x/core/units/forms/submission_log/submission_log_eh.php (.../submission_log_eh.php) (revision 14989) +++ branches/5.2.x/core/units/forms/submission_log/submission_log_eh.php (.../submission_log_eh.php) (revision 15049) @@ -1,6 +1,6 @@ $field_values) { $object->setID($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $load_keys = Array ( 'FormSubmissionId' => $object->GetDBField('FormSubmissionId'), @@ -645,7 +645,7 @@ if ($items_info) { foreach ($items_info as $id => $field_values) { $object->setID($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $load_keys = Array ( 'FormSubmissionId' => $object->GetDBField('FormSubmissionId'), @@ -682,7 +682,7 @@ if ($items_info) { foreach ($items_info as $id => $field_values) { $object->setID($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->SetDBField('DraftId', 0); $load_keys = Array ( Index: branches/5.2.x/core/units/admin/admin_events_handler.php =================================================================== diff -u -N -r15012 -r15049 --- branches/5.2.x/core/units/admin/admin_events_handler.php (.../admin_events_handler.php) (revision 15012) +++ branches/5.2.x/core/units/admin/admin_events_handler.php (.../admin_events_handler.php) (revision 15049) 
@@ -1,6 +1,6 @@ getObject(Array ('skip_autoload' => true)); /* @var $object kDBItem */ - $object->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $event->redirect = false; $result = 'required'; Index: branches/5.2.x/core/units/translator/translator_event_handler.php =================================================================== diff -u -N -r14989 -r15049 --- branches/5.2.x/core/units/translator/translator_event_handler.php (.../translator_event_handler.php) (revision 14989) +++ branches/5.2.x/core/units/translator/translator_event_handler.php (.../translator_event_handler.php) (revision 15049) @@ -1,6 +1,6 @@ getObject(); /* @var $translator kDBItem */ - $translator->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $translator->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); list($obj_prefix, $field) = $this->getPrefixAndField($event); Index: branches/5.2.x/core/units/helpers/brackets_helper.php =================================================================== diff -u -N -r14628 -r15049 --- branches/5.2.x/core/units/helpers/brackets_helper.php (.../brackets_helper.php) (revision 14628) +++ branches/5.2.x/core/units/helpers/brackets_helper.php (.../brackets_helper.php) (revision 15049) @@ -1,6 +1,6 @@ Load($item_id); - $object->SetFieldsFromHash($values); + $object->SetFieldsFromHash($values/*, $this->getRequestProtectedFields($values)*/); if (!$object->Validate()) { unset($stored_ids[array_search($item_id, $stored_ids)]); $event->redirect = false; 
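Review bot: In brackets_helper.php the protected-field argument is left commented out (`SetFieldsFromHash($values/*, $this->getRequestProtectedFields($values)*/)`), here and in the `@@ -288,7 +288,7 @@` hunk of the same file, so these two paths still copy every submitted key onto the object, including the ID field. In the create branch the foreign key is reset by the following `SetDBField($linked_info['ForeignKey'], ...)`, but nothing visible does the same for the ID after `Load($item_id)`. If the helper simply has no `getRequestProtectedFields()` (likely, since it is not an event handler), replace the dead code with a comment that says so, e.g. `// helper cannot call getRequestProtectedFields(); ID/foreign key in $values are not stripped here`. Both enclosing functions start and end outside the hunks.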
@@ -288,7 +288,7 @@ } else { $object->Clear(); - $object->SetFieldsFromHash($values); + $object->SetFieldsFromHash($values/*, $this->getRequestProtectedFields($values)*/); $object->SetDBField($linked_info['ForeignKey'], $linked_info['ParentId']); if ($object->Create()) { Index: branches/5.2.x/core/units/helpers/cat_dbitem_export_helper.php =================================================================== diff -u -N -r15012 -r15049 --- branches/5.2.x/core/units/helpers/cat_dbitem_export_helper.php (.../cat_dbitem_export_helper.php) (revision 15012) +++ branches/5.2.x/core/units/helpers/cat_dbitem_export_helper.php (.../cat_dbitem_export_helper.php) (revision 15049) @@ -1,6 +1,6 @@ getObject(Array ('skip_autoload' => true)); /* @var $object kDBItem */ - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $field_values['ImportFilename'] = $object->GetDBField('ImportFilename'); //if upload formatter has renamed the file during moving !!! $object->setID($item_id); Index: branches/5.2.x/core/units/content/content_eh.php =================================================================== diff -u -N -r15042 -r15049 --- branches/5.2.x/core/units/content/content_eh.php (.../content_eh.php) (revision 15042) +++ branches/5.2.x/core/units/content/content_eh.php (.../content_eh.php) (revision 15049) @@ -1,6 +1,6 @@ SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $updated = $object->Update(); if ( $updated ) { Index: branches/5.2.x/core/kernel/db/cat_event_handler.php =================================================================== diff -u -N -r15045 -r15049 --- branches/5.2.x/core/kernel/db/cat_event_handler.php (.../cat_event_handler.php) (revision 15045) +++ branches/5.2.x/core/kernel/db/cat_event_handler.php (.../cat_event_handler.php) (revision 15049) 
@@ -1,6 +1,6 @@ getObject(Array ('skip_autoload' => true)); /* @var $object kDBItem */ - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $field_values['ImportFilename'] = $object->GetDBField('ImportFilename'); //if upload formatter has renamed the file during moving !!! $field_values['ImportSource'] = 2; $field_values['ImportLocalFilename'] = $object->GetDBField('ImportFilename'); @@ -2484,7 +2484,7 @@ $cloned_ids = $temp_handler->CloneItems($event->Prefix, $event->Special, Array($original_id), null, null, null, true); $object->Load($cloned_ids[0]); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); // 1a. delete record from CategoryItems (about cloned item) that was automatically created during call of Create method of kCatDBItem $ci_table = $this->Application->getUnitOption('ci', 'TableName'); 
@@ -2505,15 +2505,15 @@ } else { // 2. user has pending copy of live item -> just update field values - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); } // update id in request (used for redirect in mod-rewrite mode) $this->Application->SetVar($event->getPrefixSpecial().'_id', $object->GetID()); } else { // 3. already editing pending copy -> just update field values - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); } if ($object->Update()) { Index: branches/5.2.x/core/units/selectors/selectors_event_handler.php =================================================================== diff -u -N -r14989 -r15049 --- branches/5.2.x/core/units/selectors/selectors_event_handler.php (.../selectors_event_handler.php) (revision 14989) +++ branches/5.2.x/core/units/selectors/selectors_event_handler.php (.../selectors_event_handler.php) (revision 15049) @@ -1,6 +1,6 @@ Load($parent_id); } - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->Create(); $this->Application->SetVar($event->getPrefixSpecial() . '_id', $object->GetID()); } else { $object->Load($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->Update(); } } 
@@ -420,7 +420,8 @@ $object =& $event->getObject(); /* @var $object SelectorsItem */ - $object->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->ResetStyle(); $event->SetRedirectParam('pass', 'all,' . $event->getPrefixSpecial()); Index: branches/5.2.x/core/kernel/db/db_event_handler.php =================================================================== diff -u -N -r15045 -r15049 --- branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15045) +++ branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15049) @@ -1,6 +1,6 @@ Application->getUnitOption($this->Prefix, 'IDField'); + + $parent_prefix = $this->Application->getUnitOption($this->Prefix, 'ParentPrefix'); + + if ( $parent_prefix ) { + $foreign_key = $this->Application->getUnitOption($this->Prefix, 'ForeignKey'); + $fields[] = is_array($foreign_key) ? $foreign_key[$parent_prefix] : $foreign_key; + } + + return $fields; + } + + /** * Removes any information about current/selected ids * from Application variables and Session * @@ -1514,7 +1537,7 @@ $items_info = $this->Application->GetVar( $event->getPrefixSpecial(true) ); if ($items_info) { list($id,$field_values) = each($items_info); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); } $this->customProcessing($event,'before'); @@ -1569,7 +1592,7 @@ if ( $items_info ) { foreach ($items_info as $id => $field_values) { $object->Load($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $this->customProcessing($event, 'before'); if ( $object->Update($id) ) { 
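Review bot: `getRequestProtectedFields()` in db_event_handler.php builds a deny-list of only the unit's `IDField` and, when `ParentPrefix` is set, its `ForeignKey`; every other key in the submitted hash is still written by `SetFieldsFromHash()`. Handlers that accept front-end input (the users handler touched by this commit, for instance) may need to override it to add columns a request must never set, and the docblock should say so, e.g. `Override in unit handlers to protect further fields; only ID and foreign key are skipped by default`. When `ForeignKey` is an array without an entry for `$parent_prefix`, `$foreign_key[$parent_prefix]` appends null and raises a notice, so guard it with `isset($foreign_key[$parent_prefix])`. The start of the function, including its signature, is not readable in this hunk.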
@@ -2091,7 +2114,8 @@ $object =& $event->getObject( Array('skip_autoload' => true) ); /* @var $object kDBItem */ - $object->SetFieldsFromHash( $this->getSubmittedFields($event) ); + $field_values = $this->getSubmittedFields($event); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $this->customProcessing($event, 'before'); @@ -3152,7 +3176,7 @@ list ($id, $field_values) = each($items_info); $object->Load($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->setID($id); $response = Array ('status' => 'OK'); Index: branches/5.2.x/core/units/theme_files/theme_file_eh.php =================================================================== diff -u -N -r14989 -r15049 --- branches/5.2.x/core/units/theme_files/theme_file_eh.php (.../theme_file_eh.php) (revision 14989) +++ branches/5.2.x/core/units/theme_files/theme_file_eh.php (.../theme_file_eh.php) (revision 15049) @@ -1,6 +1,6 @@ Application->GetVar( $event->getPrefixSpecial(true) ); if ($items_info) { list ($id, $field_values) = each($items_info); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); $object->setID($id); } Index: branches/5.2.x/core/units/configuration/configuration_event_handler.php =================================================================== diff -u -N -r14989 -r15049 --- branches/5.2.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 14989) +++ branches/5.2.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 15049) 
@@ -1,6 +1,6 @@ $field_values) { $object->Clear(); // clear validation errors from previous variable $object->Load($id); - $object->SetFieldsFromHash($field_values); + $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values)); if ( !$object->Update($id) ) { // don't stop when error found !