create a demo user on startup and prevent any profile modification

src/main/java/com/commafeed/backend/StartupBean.java

@@ -34,7 +34,8 @@ import com.google.api.client.util.Lists;
 public class StartupBean {
 
 	private static Logger log = LoggerFactory.getLogger(StartupBean.class);
-	public static final String ADMIN_NAME = "admin";
+	public static final String USERNAME_ADMIN = "admin";
+	public static final String USERNAME_DEMO = "demo";
 
 	@Inject
 	FeedDAO feedDAO;
@@ -83,8 +84,9 @@ public class StartupBean {
 	private void initialData() {
 		log.info("Populating database with default values");
 		applicationSettingsService.save(new ApplicationSettings());
-		userService.register(ADMIN_NAME, "admin",
+		userService.register(USERNAME_ADMIN, "admin",
 				Arrays.asList(Role.ADMIN, Role.USER));
+		userService.register(USERNAME_DEMO, "demo", Arrays.asList(Role.USER));
 	}
 
 	public long getStartupTime() {

src/main/java/com/commafeed/frontend/rest/resources/AdminREST.java

@@ -58,7 +58,7 @@ public class AdminREST extends AbstractResourceREST {
 			}
 		} else {
 			User user = userDAO.findById(id);
-			if (StartupBean.ADMIN_NAME.equals(user.getName())
+			if (StartupBean.USERNAME_ADMIN.equals(user.getName())
 					&& !userModel.isEnabled()) {
 				return Response.status(Status.FORBIDDEN)
 						.entity("You cannot disable the admin user.").build();
@@ -75,7 +75,7 @@ public class AdminREST extends AbstractResourceREST {
 			if (userModel.isAdmin() && !roles.contains(Role.ADMIN)) {
 				userRoleDAO.save(new UserRole(user, Role.ADMIN));
 			} else if (!userModel.isAdmin() && roles.contains(Role.ADMIN)) {
-				if (StartupBean.ADMIN_NAME.equals(user.getName())) {
+				if (StartupBean.USERNAME_ADMIN.equals(user.getName())) {
 					return Response
 							.status(Status.FORBIDDEN)
 							.entity("You cannot remove the admin role from the admin user.")
@@ -146,7 +146,7 @@ public class AdminREST extends AbstractResourceREST {
 		if (user == null) {
 			return Response.status(Status.NOT_FOUND).build();
 		}
-		if (StartupBean.ADMIN_NAME.equals(user.getName())) {
+		if (StartupBean.USERNAME_ADMIN.equals(user.getName())) {
 			return Response.status(Status.FORBIDDEN)
 					.entity("You cannot delete the admin user.").build();
 		}

src/main/java/com/commafeed/frontend/rest/resources/UserREST.java

@@ -8,10 +8,11 @@ import javax.ws.rs.core.Response.Status;
 
 import org.apache.commons.lang.StringUtils;
 
+import com.commafeed.backend.StartupBean;
 import com.commafeed.backend.model.User;
 import com.commafeed.backend.model.UserRole;
-import com.commafeed.backend.model.UserSettings;
 import com.commafeed.backend.model.UserRole.Role;
+import com.commafeed.backend.model.UserSettings;
 import com.commafeed.backend.model.UserSettings.ReadingMode;
 import com.commafeed.backend.model.UserSettings.ReadingOrder;
 import com.commafeed.frontend.model.Settings;
@@ -89,6 +90,9 @@ public class UserREST extends AbstractResourceREST {
 	public Response save(
 			@ApiParam(required = true) ProfileModificationRequest request) {
 		User user = getUser();
+		if (StartupBean.USERNAME_DEMO.equals(user.getName())) {
+			return Response.status(Status.UNAUTHORIZED).build();
+		}
 		user.setEmail(request.getEmail());
 		if (StringUtils.isNotBlank(request.getPassword())) {
 			byte[] password = encryptionService.getEncryptedPassword(