92c92,93
<         if ($input->submitted && ($input->action == 'insert' || $input->action == 'update')) {
---
>         if (($input->submitted && $input->action != 'changeUserStatus')
>                 || in_array($input->action, array('insert', 'update'))) {
148,152c149,170
<             require_once SGL_CORE_DIR . '/Emailer.php';
<             $input->user->email =
<                 SGL_Emailer::cleanMailInjection($input->user->email);
<             $input->user->username =
<                 SGL_Emailer::cleanMailInjection($input->user->username);
---
>             if (!empty($input->user->email)) {
>                 $input->user->email =
>                     SGL_Emailer::cleanMailInjection($input->user->email);
>                 $input->user->username =
>                     SGL_Emailer::cleanMailInjection($input->user->username);
>             }
> 
>             //  check for hacks - only admin user can set certain attributes
>             if ((SGL_Session::getUid() != SGL_ADMIN
>                     && count(array_filter(array_flip($req->get('user')), array($this, 'containsDisallowedKeys'))))) {
>                 $msg = 'Hack attempted by ' .$_SERVER['REMOTE_ADDR'] . ', IP logged';
>                 if (SGL_Session::getRoleId() > SGL_GUEST) {
>                     $msg .= ', user id ' . SGL_Session::getUid();
>                 }
>                 SGL_Session::destroy();
>                 SGL::raiseMsg($msg, false);
>                 SGL::logMessage($msg, PEAR_LOG_CRIT);
> 
>                 $input->template = 'docBlank.html';
>                 $this->validated = false;
>                 return false;
>             }
169a188,193
>     function containsDisallowedKeys($var)
>     {
>         $disAllowedKeys = array('role_id', 'organisation_id', 'is_acct_active');
>         return in_array($var, $disAllowedKeys);
>     }
>