Index: branches/5.2.x/core/units/users/users_item.php
===================================================================
diff -u -N -r15608 -r16016
--- branches/5.2.x/core/units/users/users_item.php (.../users_item.php) (revision 15608)
+++ branches/5.2.x/core/units/users/users_item.php (.../users_item.php) (revision 16016)
@@ -1,6 +1,6 @@ Application->isAdmin ) {
+ $fields = array_merge($fields, Array ('UserType', 'Status', 'EmailVerified', 'IsBanned'));
+ }
+
+ return $fields;
+ }
+ }
Index: branches/5.2.x/core/units/forms/forms/forms_eh.php
===================================================================
diff -u -N -r15781 -r16016
--- branches/5.2.x/core/units/forms/forms/forms_eh.php (.../forms_eh.php) (revision 15781)
+++ branches/5.2.x/core/units/forms/forms/forms_eh.php (.../forms_eh.php) (revision 16016)
@@ -1,6 +1,6 @@ SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 if ( $object->Validate() ) {
@@ -624,4 +624,4 @@
 return $reply->Create();
 }
-}
\ No newline at end of file
+}
Index: branches/5.2.x/core/units/theme_files/theme_file_eh.php
===================================================================
diff -u -N -r15145 -r16016
--- branches/5.2.x/core/units/theme_files/theme_file_eh.php (.../theme_file_eh.php) (revision 15145)
+++ branches/5.2.x/core/units/theme_files/theme_file_eh.php (.../theme_file_eh.php) (revision 16016)
@@ -1,6 +1,6 @@ Application->GetVar( $event->getPrefixSpecial(true) );
 if ($items_info) {
 list ($id, $field_values) = each($items_info);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
 $object->setID($id);
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 }
 $status = $object->Validate();
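Review bot: The list added here (`UserType`, `Status`, `EmailVerified`, `IsBanned`) becomes the only front-end mass-assignment guard for the user record once the equivalent override is removed from UsersEventHandler later in this commit, and it is merged only inside a `!isAdmin` branch whose opening lines are not readable in this rendering, so I cannot confirm there is no admin-side equivalent. Any other privilege-bearing column on the user record — group membership or similar, if such a field exists — stays request-assignable unless it is added to this list, so the method deserves a comment stating that contract, e.g. `// Front-end requests must never elevate, activate or un-ban an account; keep this list in sync with every privileged column of the user record.` The enclosing method and class start outside the hunk.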
@@ -230,4 +231,4 @@
 echo 'FAILED';
 }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/units/images/image_tag_processor.php
===================================================================
diff -u -N -r15856 -r16016
--- branches/5.2.x/core/units/images/image_tag_processor.php (.../image_tag_processor.php) (revision 15856)
+++ branches/5.2.x/core/units/images/image_tag_processor.php (.../image_tag_processor.php) (revision 16016)
@@ -1,6 +1,6 @@ SetDBField('Url', $parent_item->GetDBField('FullUrl'));
- $object->SetDBFieldsFromHash($parent_item->GetFieldValues(), null, Array('AltName', 'SameImages', 'LocalThumb', 'ThumbPath', 'ThumbUrl', 'LocalImage', 'LocalPath'));
+ $object->SetDBFieldsFromHash($parent_item->GetFieldValues(), Array('AltName', 'SameImages', 'LocalThumb', 'ThumbPath', 'ThumbUrl', 'LocalImage', 'LocalPath'));
 if (!$object->GetDBField('AltName')) {
 $object->SetDBField('AltName', $this->getItemTitle($parent_item));
@@ -500,4 +500,4 @@
 return parent::SaveWarning($params);
 }
-}
\ No newline at end of file
+}
Index: branches/5.2.x/core/units/configuration/configuration_event_handler.php
===================================================================
diff -u -N -r15856 -r16016
--- branches/5.2.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 15856)
+++ branches/5.2.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ $field_values) {
 $object->Clear(); // clear validation errors from previous variable
 $object->Load($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 if ( !$object->Update($id) ) {
@@ -565,4 +565,4 @@
 $fields['ModuleOwner']['options'] = $options;
 $this->Application->setUnitOption($event->Prefix, 'Fields', $fields);
 }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/units/content/content_eh.php
===================================================================
diff -u -N -r15856 -r16016
--- branches/5.2.x/core/units/content/content_eh.php (.../content_eh.php) (revision 15856)
+++ branches/5.2.x/core/units/content/content_eh.php (.../content_eh.php) (revision 16016)
@@ -1,6 +1,6 @@ SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 $updated = $object->Update();
 if ( $updated ) {
@@ -257,4 +258,4 @@
 return Array (&$object, &$revision);
 }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/kernel/db/cat_event_handler.php
===================================================================
diff -u -N -r15781 -r16016
--- branches/5.2.x/core/kernel/db/cat_event_handler.php (.../cat_event_handler.php) (revision 15781)
+++ branches/5.2.x/core/kernel/db/cat_event_handler.php (.../cat_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ getObject(Array ('skip_autoload' => true));
 /* @var $object kDBItem */
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->setID($id);
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
+ $field_values['ImportFilename'] = $object->GetDBField('ImportFilename'); //if upload formatter has renamed the file during moving !!!
 $field_values['ImportSource'] = 2;
 $field_values['ImportLocalFilename'] = $object->GetDBField('ImportFilename');
@@ -2513,7 +2516,7 @@
 $cloned_ids = $temp_handler->CloneItems($event->Prefix, $event->Special, Array($original_id), NULL, NULL, NULL, true);
 $object->Load($cloned_ids[0]);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 // 1a. delete record from CategoryItems (about cloned item) that was automatically created during call of Create method of kCatDBItem
@@ -2535,7 +2538,7 @@
 } else {
 // 2. user has pending copy of live item -> just update field values
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 }
@@ -2544,7 +2547,7 @@
 } else {
 // 3. already editing pending copy -> just update field values
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 }
@@ -3080,4 +3083,4 @@
 $object->SetDBField('ResourceId', $this->Application->NextResourceId());
 } }
-}
\ No newline at end of file
+}
Index: branches/5.2.x/core/units/languages/languages_event_handler.php
===================================================================
diff -u -N -r15608 -r16016
--- branches/5.2.x/core/units/languages/languages_event_handler.php (.../languages_event_handler.php) (revision 15608)
+++ branches/5.2.x/core/units/languages/languages_event_handler.php (.../languages_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ setID($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 if (!$object->Validate()) {
 $event->status = kEvent::erFAIL;
@@ -609,7 +610,8 @@
 /* @var $object kDBItem */
 $object->setID($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 if ( !$object->Validate() ) {
 $event->status = kEvent::erFAIL;
@@ -786,4 +788,4 @@
 } } }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/units/translator/translator_event_handler.php
===================================================================
diff -u -N -r15781 -r16016
--- branches/5.2.x/core/units/translator/translator_event_handler.php (.../translator_event_handler.php) (revision 15781)
+++ branches/5.2.x/core/units/translator/translator_event_handler.php (.../translator_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ getSubmittedFields($event);
- $translator->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $translator->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 list($obj_prefix, $field) = $this->getPrefixAndField($event);
@@ -179,4 +179,4 @@
 $event->redirect = false;
 }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/units/forms/submission_log/submission_log_eh.php
===================================================================
diff -u -N -r15704 -r16016
--- branches/5.2.x/core/units/forms/submission_log/submission_log_eh.php (.../submission_log_eh.php) (revision 15704)
+++ branches/5.2.x/core/units/forms/submission_log/submission_log_eh.php (.../submission_log_eh.php) (revision 16016)
@@ -1,6 +1,6 @@ $field_values) {
 $object->setID($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 $load_keys = Array ( 'FormSubmissionId' => $object->GetDBField('FormSubmissionId'),
@@ -624,7 +625,8 @@
 if ($items_info) {
 foreach ($items_info as $id => $field_values) {
 $object->setID($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 $load_keys = Array ( 'FormSubmissionId' => $object->GetDBField('FormSubmissionId'),
@@ -661,7 +663,9 @@
 if ($items_info) {
 foreach ($items_info as $id => $field_values) {
 $object->setID($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
+ $object->SetDBField('DraftId', 0);
 $load_keys = Array (
@@ -683,4 +687,4 @@
 $this->Application->SetVar($event->getPrefixSpecial() . '_SaveEvent', 'OnCreate');
 $event->redirect = false;
 }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/units/helpers/brackets_helper.php
===================================================================
diff -u -N -r15145 -r16016
--- branches/5.2.x/core/units/helpers/brackets_helper.php (.../brackets_helper.php) (revision 15145)
+++ branches/5.2.x/core/units/helpers/brackets_helper.php (.../brackets_helper.php) (revision 16016)
@@ -1,6 +1,6 @@ Load($item_id);
- $object->SetFieldsFromHash($values/*, $this->getRequestProtectedFields($values)*/);
+ $object->SetFieldsFromHash($values);
 if (!$object->Validate()) {
 unset($stored_ids[array_search($item_id, $stored_ids)]);
 $event->redirect = false;
@@ -288,7 +288,7 @@
 } else {
 $object->Clear();
- $object->SetFieldsFromHash($values/*, $this->getRequestProtectedFields($values)*/);
+ $object->SetFieldsFromHash($values);
 $object->SetDBField($linked_info['ForeignKey'], $linked_info['ParentId']);
 if ($object->Create()) {
@@ -473,4 +473,4 @@
 } }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/kernel/db/db_event_handler.php
===================================================================
diff -u -N -r16001 -r16016
--- branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 16001)
+++ branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ Application->getUnitOption($this->Prefix, 'IDField');
-
- $parent_prefix = $this->Application->getUnitOption($this->Prefix, 'ParentPrefix');
-
- if ( $parent_prefix && !$this->Application->isAdmin ) {
- $foreign_key = $this->Application->getUnitOption($this->Prefix, 'ForeignKey');
- $fields[] = is_array($foreign_key) ? $foreign_key[$parent_prefix] : $foreign_key;
- }
-
- return $fields;
- }
-
-
 /** * Removes any information about current/selected ids * from Application variables and Session *
@@ -1575,7 +1552,8 @@
 }
 list($id, $field_values) = each($items_info);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->setID($id);
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 $this->customProcessing($event, 'before');
@@ -1590,7 +1568,6 @@
 $event->redirect = false;
 $event->status = kEvent::erFAIL;
 $this->Application->SetVar($event->getPrefixSpecial() . '_SaveEvent', 'OnCreate');
- $object->setID($id);
 } /**
@@ -1629,7 +1606,7 @@
 if ( $items_info ) {
 foreach ($items_info as $id => $field_values) {
 $object->Load($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 $this->customProcessing($event, 'before');
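Review bot: Deleting `kDBEventHandler::getRequestProtectedFields()` silently disconnects any subclass that still overrides it: the override remains valid PHP, but nothing calls it any more, so fields it used to withhold from the request become assignable with no error or warning (this commit moves the UsersEventHandler override into UsersItem, but other modules' handlers are not visible here). I would grep every module for `getRequestProtectedFields` before merging and keep a deprecated stub on the handler that raises `E_USER_DEPRECATED` and points overriders at `kDBItem::getRequestProtectedFields()`, documented as `/** @deprecated No longer consulted; override kDBItem::getRequestProtectedFields() instead. */`. The removed method's header and the start of this hunk are not readable in this rendering.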
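Review bot: In the `@@ -1575` hunk `$object->setID($id)` now runs unconditionally before `SetFieldsFromHash()`, with `$id` taken straight from the key of the request array, whereas before it ran only on the failure path after the save attempt; the ID field is exactly what `getRequestProtectedFields()` withholds from the hash, and if `Create()` (outside this hunk) inserts with a pre-set ID instead of letting the database assign one, the request now chooses the primary key. Either restore the old placement, `$object->setID($id);` only in the `erFAIL` branch, or add a comment on the new line confirming the assumption, e.g. `// temporary (negative) form id only; Create() assigns the real primary key`. The enclosing method starts and ends outside the hunk.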
@@ -2203,8 +2180,9 @@
 $object = $event->getObject( Array('skip_autoload' => true) );
 /* @var $object kDBItem */
+ $object->setID(0);
 $field_values = $this->getSubmittedFields($event);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 $this->customProcessing($event, 'before');
@@ -2215,7 +2193,6 @@
 else {
 $event->status = kEvent::erFAIL;
 $event->redirect = false;
- $object->setID(0);
 } }
@@ -3453,7 +3430,7 @@
 list ($id, $field_values) = each($items_info);
 $object->Load($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 $object->setID($id);
@@ -3595,4 +3572,4 @@
 { $event->setEventParam('constrain_info', Array ('', ''));
 }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/units/config_search/config_search_event_handler.php
===================================================================
diff -u -N -r15145 -r16016
--- branches/5.2.x/core/units/config_search/config_search_event_handler.php (.../config_search_event_handler.php) (revision 15145)
+++ branches/5.2.x/core/units/config_search/config_search_event_handler.php (.../config_search_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ Conn->GetOne($sql);
 $object->SetFieldsFromHash($cf_search);
+ $event->setEventParam('form_data', $cf_search);
 $object->SetDBField('CustomFieldId', $custom_id);
 if ( $object->isLoaded() ) {
@@ -151,4 +152,4 @@
 $object->Create();
 } }
- }
\ No newline at end of file
+ }
Index: branches/5.2.x/core/kernel/db/dbitem.php
===================================================================
diff -u -N -r16001 -r16016
--- branches/5.2.x/core/kernel/db/dbitem.php (.../dbitem.php) (revision 16001)
+++ branches/5.2.x/core/kernel/db/dbitem.php (.../dbitem.php) (revision 16016)
@@ -1,6 +1,6 @@ getRequestProtectedFields($hash);
+ if ( $skip_fields ) {
 $set_fields = array_diff($set_fields, $skip_fields);
 }
@@ -319,23 +319,42 @@
 }
 /**
+ * Returns fields, that are not allowed to be changed from request.
+ *
+ * @param array $fields_hash Fields hash.
+ *
+ * @return array
+ */
+ protected function getRequestProtectedFields(array $fields_hash)
+ {
+ // don't allow changing ID
+ $fields = Array ();
+ $fields[] = $this->Application->getUnitOption($this->Prefix, 'IDField');
+
+ $parent_prefix = $this->Application->getUnitOption($this->Prefix, 'ParentPrefix');
+
+ if ( $parent_prefix && $this->isLoaded() && !$this->Application->isAdmin ) {
+ // don't allow changing foreign key of existing item from request
+ $foreign_key = $this->Application->getUnitOption($this->Prefix, 'ForeignKey');
+ $fields[] = is_array($foreign_key) ? $foreign_key[$parent_prefix] : $foreign_key;
+ }
+
+ return $fields;
+ }
+
+ /**
 * Sets object fields from $hash array
 * @param Array $hash
- * @param Array|null $skip_fields
 * @param Array|null $set_fields
 * @return void
 * @access public
 */
- public function SetDBFieldsFromHash($hash, $skip_fields = Array (), $set_fields = Array ())
+ public function SetDBFieldsFromHash($hash, $set_fields = Array ())
 {
 if ( !$set_fields ) {
 $set_fields = array_keys($hash);
 }
- if ( $skip_fields ) {
- $set_fields = array_diff($set_fields, $skip_fields);
- }
-
 $set_fields = array_intersect($set_fields, array_keys($this->Fields));
 foreach ($set_fields as $field_name) {
@@ -1575,4 +1594,4 @@
 return array_shift($status_fields);
 }
-}
\ No newline at end of file
+}
Index: branches/5.2.x/core/units/admin/admin_events_handler.php
===================================================================
diff -u -N -r15728 -r16016
--- branches/5.2.x/core/units/admin/admin_events_handler.php (.../admin_events_handler.php) (revision 15728)
+++ branches/5.2.x/core/units/admin/admin_events_handler.php (.../admin_events_handler.php) (revision 16016)
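Review bot: The foreign-key branch of the new `getRequestProtectedFields()` is conditioned on `$this->isLoaded()`, which the handler-level version removed in this commit did not require, so on a front-end create (every `setID(0)` + `SetFieldsFromHash()` sequence this commit adds to create paths) the request can now choose the parent of a new child item unless the handler overwrites the key afterwards, as brackets_helper does and forms_eh does not appear to. If that is intended, the `// don't allow changing foreign key of existing item from request` comment should say why new items are exempt; otherwise drop the `$this->isLoaded() &&` term. Separately, `SetDBFieldsFromHash()` lost its middle `$skip_fields` parameter, so a caller outside this diff that still passes `($hash, null, $set_fields)` has `null` land in `$set_fields`, the real list ignored, and every key of `$hash` silently copied in — worth grepping for three-argument callers before merging. The start of the `SetFieldsFromHash()` hunk is not readable in this rendering.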
@@ -1,6 +1,6 @@ getObject(Array ('skip_autoload' => true));
 /* @var $object kDBItem */
+ $object->setID(0);
 $field_values = $this->getSubmittedFields($event);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 $event->redirect = false;
 $result = 'required';
@@ -1235,4 +1237,4 @@
 return $ret;
 }
-}
\ No newline at end of file
+}
Index: branches/5.2.x/core/units/users/users_event_handler.php
===================================================================
diff -u -N -r16012 -r16016
--- branches/5.2.x/core/units/users/users_event_handler.php (.../users_event_handler.php) (revision 16012)
+++ branches/5.2.x/core/units/users/users_event_handler.php (.../users_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ Application->isAdmin ) {
- $fields = array_merge($fields, Array ('UserType', 'Status', 'EmailVerified', 'IsBanned'));
- }
-
- return $fields;
- }
-
-
 /** * Builds item (loads if needed) * * Pattern: Prototype Manager
@@ -282,8 +262,7 @@
 $object = $event->getObject( Array ('form_name' => 'login') );
 /* @var $object kDBItem */
- $field_values = $this->getSubmittedFields($event);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($this->getSubmittedFields($event));
 $username = $object->GetDBField('UserLogin');
 $password = $object->GetDBField('UserPassword');
 $remember_login = $object->GetDBField('UserRememberLogin') == 1;
@@ -432,7 +411,7 @@
 $this->Application->SetVar($event->getPrefixSpecial(true), Array ($object->GetID() => $field_values));
 }
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
 $event->setEventParam('form_data', $field_values);
 $status = $object->isLoaded() ? $object->Update() : $object->Create();
@@ -643,8 +622,7 @@
 $object = $event->getObject( Array ('form_name' => 'recommend') );
 /* @var $object kDBItem */
- $field_values = $this->getSubmittedFields($event);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($this->getSubmittedFields($event));
 if ( !$object->ValidateField('RecommendEmail') ) {
 $event->status = kEvent::erFAIL;
@@ -690,8 +668,10 @@
 $object->Load($id);
 }
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
 $object->setID($id);
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
+ $object->Validate();
 }
@@ -713,8 +693,7 @@
 $object = $event->getObject( Array ('form_name' => 'subscription') );
 /* @var $object UsersItem */
- $field_values = $this->getSubmittedFields($event);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($this->getSubmittedFields($event));
 if ( !$object->ValidateField('SubscriberEmail') ) {
 $event->status = kEvent::erFAIL;
@@ -848,8 +827,7 @@
 $object = $event->getObject( Array ('form_name' => 'forgot_password') );
 /* @var $object kDBItem */
- $field_values = $this->getSubmittedFields($event);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($this->getSubmittedFields($event));
 $user = $this->Application->recallObject('u.tmp', null, Array ('skip_autoload' => true));
 /* @var $user UsersItem */
@@ -1083,9 +1061,11 @@
 $object = $event->getObject( Array ('skip_autoload' => true) );
 /* @var $object kDBItem */
- $object->setID($id);
 $object->IgnoreValidation = true;
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+
+ $object->setID($id);
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 } /**
@@ -1198,8 +1178,10 @@
 $this->RemoveRequiredFields($object);
 $object->SetDBField('RootPassword', $this->Application->ConfigValue('RootPass'));
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->setID(-1);
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 if ( $object->Validate() ) {
 // validation on, password match too
@@ -1215,9 +1197,12 @@
 } } else {
+ /** @var kDBItem $object */
 $object = $event->getObject();
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
+ if ( !$object->Update() ) {
 $event->status = kEvent::erFAIL;
 $event->redirect = false;
Index: branches/5.2.x/core/units/selectors/selectors_event_handler.php
===================================================================
diff -u -N -r15145 -r16016
--- branches/5.2.x/core/units/selectors/selectors_event_handler.php (.../selectors_event_handler.php) (revision 15145)
+++ branches/5.2.x/core/units/selectors/selectors_event_handler.php (.../selectors_event_handler.php) (revision 16016)
@@ -1,6 +1,6 @@ Load($parent_id);
 }
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->setID(0);
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 $object->Create();
 $this->Application->SetVar($event->getPrefixSpecial() . '_id', $object->GetID());
 } else {
 $object->Load($id);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
 $object->Update();
 } }
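Review bot: In the root branch, `$object->SetDBField('RootPassword', $this->Application->ConfigValue('RootPass'))` is applied before `$object->SetFieldsFromHash($field_values)`, and `RootPassword` is not among the fields the item-level `getRequestProtectedFields()` now withholds (the ID field, and the foreign key only on loaded items), so if the submitted hash can carry a `RootPassword` key it overwrites the configured value that the following `Validate()` (`// validation on, password match too`) presumably compares against. The ordering predates this commit, but since these lines are being rewritten anyway, set the configured value last: `$object->setID(-1); $object->SetFieldsFromHash($field_values); $object->SetDBField('RootPassword', $this->Application->ConfigValue('RootPass'));`. Whether that key is accepted from the form depends on the field declarations outside this hunk, and the enclosing method starts and ends outside it.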
@@ -425,7 +428,9 @@
 /* @var $object SelectorsItem */
 $field_values = $this->getSubmittedFields($event);
- $object->SetFieldsFromHash($field_values, $this->getRequestProtectedFields($field_values));
+ $object->SetFieldsFromHash($field_values);
+ $event->setEventParam('form_data', $field_values);
+ $object->ResetStyle();
 $event->SetRedirectParam('pass', 'all,' . $event->getPrefixSpecial());
@@ -450,4 +455,4 @@
 } } }
- }
\ No newline at end of file
+ }