I've written the above patch. As we accounted the same problem.
But my solution is a kind of different approach. I choosed to submit the "disabled" fields within the appropriate HTML form too, as the usermanger plugin later correctly checks which values should be changed.
The second thing I've changed was the capability to give an username/loginname in the add user form even when canDo('modLogin')=false was set. This was necessary because we want to use the "plain-auth-file" to save group memberships for our externally authorized users. For me this was a bug in the usermanager too, because how could we add a user when we couldn't specify a login name?! And that only because canDo('modLogin')=false was set, which means to me that the auth backend only isn't capable to MODIFY the login name.
You can see all of our changes according to the usermanager and our new radius auth backend with the following command:
darcs changes \
The interesting patches are:
* user-manager plugin