From 7be9ade5f4adda657b9ddabf46aa40f6ec6e6e51 Mon Sep 17 00:00:00 2001
From: Pavel Dohnal <pavel.dohnal@automattic.com>
Date: Thu, 25 Jul 2024 14:29:36 +0200
Subject: [PATCH] Prevent updating WordPress users data

[MAILPOET-6168]
---
 doc/api_methods/UpdateSubscriber.md              |  2 ++
 mailpoet/lib/API/MP/v1/Subscribers.php           |  8 +++++++-
 .../tests/integration/API/MP/SubscribersTest.php | 16 +++++++++++++++-
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/doc/api_methods/UpdateSubscriber.md b/doc/api_methods/UpdateSubscriber.md
index b6ec500542..b5964c65b8 100644
--- a/doc/api_methods/UpdateSubscriber.md
+++ b/doc/api_methods/UpdateSubscriber.md
@@ -9,6 +9,8 @@ The argument `$subscriber` is similar to [Add Subscriber](AddSubscriber.md) meth
 
 It returns the updated subscriber. See [Get Subscriber](GetSubscriber.md) for a subscriber data structure.
 
+If the subscriber is a WordPress user, the method does not allow updating `email`, `first_name` and `last_name`. It needs to be updated in the `wp_users` and MailPoet will synchronise the new values.
+
 ## Arguments
 
 | Argument             | Type          | Description                               |
diff --git a/mailpoet/lib/API/MP/v1/Subscribers.php b/mailpoet/lib/API/MP/v1/Subscribers.php
index 282608983a..da21422530 100644
--- a/mailpoet/lib/API/MP/v1/Subscribers.php
+++ b/mailpoet/lib/API/MP/v1/Subscribers.php
@@ -177,6 +177,12 @@ class Subscribers {
     // filter out all incoming data that we don't want to change, like status ...
     $defaultFields = array_intersect_key($defaultFields, array_flip(['email', 'first_name', 'last_name', 'subscribed_ip']));
 
+    if ($subscriber->getWpUserId() !== null) {
+      unset($defaultFields['email']);
+      unset($defaultFields['first_name']);
+      unset($defaultFields['last_name']);
+    };
+
     if (empty($defaultFields['subscribed_ip'])) {
       $defaultFields['subscribed_ip'] = Helpers::getIP();
     }
@@ -201,7 +207,7 @@ class Subscribers {
         APIException::FAILED_TO_SAVE_SUBSCRIBER
       );
     }
-    
+
     return $this->subscribersResponseBuilder->build($subscriberEntity);
   }
 
diff --git a/mailpoet/tests/integration/API/MP/SubscribersTest.php b/mailpoet/tests/integration/API/MP/SubscribersTest.php
index 1471373db4..14f3b1ce83 100644
--- a/mailpoet/tests/integration/API/MP/SubscribersTest.php
+++ b/mailpoet/tests/integration/API/MP/SubscribersTest.php
@@ -810,10 +810,24 @@ class SubscribersTest extends \MailPoetTest {
     $this->assertEquals('new value', $result['cf_' . $customField->getId()]);
   }
 
+  public function testUpdateSubscriberWordPressUser() {
+    $subscriber = $this->subscriberFactory->create();
+    $subscriber->setWpUserId(4);
+    $this->entityManager->flush();
+
+    $result = $this->getApi()->updateSubscriber($subscriber->getId(), [
+      'email' => 'newemail@example.com',
+      'first_name' => 'New Name',
+    ]);
+
+    $this->assertEquals($subscriber->getEmail(), $result['email']);
+    $this->assertEquals($subscriber->getFirstName(), $result['first_name']);
+  }
+
   public function testUpdateSubscriberFailsForNonExisting() {
     $this->expectException(APIException::class);
     $this->expectExceptionMessage('This subscriber does not exist.');
-    
+
     $this->getApi()->updateSubscriber('non existing', [
       'email' => 'newemail@example.com',
       'first_name' => 'New Name',