api, frontend: restrict profile updates to commento provider

api/commenter_update.go

@@ -54,9 +54,10 @@ func commenterUpdateHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if c.Provider != "commento" {
-		*x.Link = c.Link
-		*x.Photo = c.Photo
+		bodyMarshal(w, response{"success": false, "message": errorCannotUpdateOauthProfile.Error()})
+		return
 	}
+
 	*x.Email = c.Email
 
 	if err = commenterUpdate(c.CommenterHex, *x.Email, *x.Name, *x.Link, *x.Photo, c.Provider); err != nil {

api/errors.go

@@ -49,3 +49,4 @@ var errorInvalidDomain = errors.New("Invalid domain name. Do not include the URL
 var errorInvalidEntity = errors.New("That entity does not exist.")
 var errorCannotDeleteOwnerWithActiveDomains = errors.New("You cannot delete your account until all domains associated with your account are deleted.")
 var errorNoSuchOwner = errors.New("No such owner.")
+var errorCannotUpdateOauthProfile = errors.New("You cannot update the profile of an external account managed by third-party log in. Please use the appropriate platform to update your details.")

frontend/js/commento.js

@@ -314,7 +314,9 @@
     append(loggedInAs, name);
     append(loggedContainer, loggedInAs);
     append(loggedContainer, logoutButton);
+    if (commenter.provider === "commento") {
       append(loggedContainer, profileEditButton);
+    }
     append(loggedContainer, notificationSettingsButton);
     prepend(root, loggedContainer);