Rewind a bit. Actually, that recipe you were using was designed to prevent people from updating fields that they aren't supposed to by posting faked form fields. So don't do what I just suggested because people could change their status to superuser or whatever by posting fake form fields.
So you should use still use manipulator.flatten_data, but make sure that you over-ride any posted variables that you don't want the user to be able to change. Kieran
