From 2d340d1122298630cfa785150988e81239e51531 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Fri, 26 Jan 2018 16:53:10 -0500
Subject: [PATCH] FIX: Don't allow username update via update route
It's not using the UsernameChanger
---
 app/controllers/users_controller.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 1e111af4783..f4706ed8582 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -107,6 +107,9 @@ class UsersController < ApplicationController
 guardian.ensure_can_edit!(user)
 attributes = user_params.merge!(custom_fields: params[:custom_fields])
+ # We can't update the username via this route. Use the username route
+ attributes.delete(:username)
+
 if params[:user_fields].present?
 attributes[:custom_fields] = {} unless params[:custom_fields].present?
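Review bot: `attributes.delete(:username)` strips the key after the fact, so the guard is a blocklist at this one call site and depends on `attributes` resolving a symbol key; `user_params` is not visible in this hunk, but if it permits `:username`, removing it from that permit list would stop any other consumer of `user_params` from carrying a username past the UsernameChanger. The patch changes only the controller, so a request spec that sends `username` to this route and asserts the stored username is unchanged would keep the bypass from coming back. The comment could also state the reason, e.g. `# Username changes must go through UsernameChanger (username route); drop the key so this route cannot bypass it`. The enclosing action starts and ends outside the hunk.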