From 4c7f6fda37854954a175374c1cb915def956c442 Mon Sep 17 00:00:00 2001 From: cofecatt <60803595+cofecatt@users.noreply.github.com> Date: Mon, 10 Oct 2022 19:58:02 +0800 Subject: [PATCH] fix: Add restriction to username when signing up (#1203) --- controllers/account.go | 6 ++++++ controllers/auth.go | 6 ++++++ controllers/user.go | 12 ++++++++++++ object/check.go | 18 ++++++++++++++++++ object/ldap.go | 1 + object/token.go | 2 +- 6 files changed, 44 insertions(+), 1 deletion(-) diff --git a/controllers/account.go b/controllers/account.go index 091d0e52..8fca5dba 100644 --- a/controllers/account.go +++ b/controllers/account.go @@ -203,6 +203,12 @@ func (c *ApiController) Signup() { } } + msg = object.CheckUsername(user.Name) + if msg != "" { + c.ResponseError(msg) + return + } + affected := object.AddUser(user) if !affected { c.ResponseError(fmt.Sprintf("Failed to create user, user information is invalid: %s", util.StructToJson(user))) diff --git a/controllers/auth.go b/controllers/auth.go index 1ce5ea6e..6124f4fe 100644 --- a/controllers/auth.go +++ b/controllers/auth.go @@ -411,6 +411,12 @@ func (c *ApiController) Login() { // sync info from 3rd-party if possible object.SetUserOAuthProperties(organization, user, provider.Type, userInfo) + msg := object.CheckUsername(user.Name) + if msg != "" { + c.ResponseError(msg) + return + } + affected := object.AddUser(user) if !affected { c.ResponseError(fmt.Sprintf("Failed to create user, user information is invalid: %s", util.StructToJson(user))) diff --git a/controllers/user.go b/controllers/user.go index 678b192e..4b8aa05c 100644 --- a/controllers/user.go +++ b/controllers/user.go @@ -158,6 +158,12 @@ func (c *ApiController) UpdateUser() { columns = strings.Split(columnsStr, ",") } + msg := object.CheckUsername(user.Name) + if msg != "" { + c.ResponseError(msg) + return + } + isGlobalAdmin := c.IsGlobalAdmin() affected := object.UpdateUser(id, &user, columns, isGlobalAdmin) if affected { 
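Review bot: The new CheckUsername call in Signup runs only after all of the handler's earlier validation (outside the hunk) has completed, so a request with a malformed name still pays for everything before it, and if that earlier code consumes a one-shot verification code (I cannot see it from here) the user loses it on a request that was always going to be rejected. Because the check is a pure syntactic test on `user.Name`, it belongs at the point where the form is first decoded. The hunk also reuses an outer `msg`; a scoped `if msg := object.CheckUsername(user.Name); msg != "" { c.ResponseError(msg); return }` keeps the rejection local and avoids clobbering the earlier value. Signup's body starts and ends outside this hunk.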
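Review bot: In the OAuth login path the name being checked is the one the third-party provider supplied (the check follows `object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)`), so a provider username containing `_`, `.` or non-ASCII characters now becomes a hard login failure whose error echoes the foreign name, rather than a signup the user can complete. The WeChat path in the same patch (object/token.go) handles exactly this case by falling back to a generated name when CheckUsername fails; the same treatment here, deriving a fallback from `provider.Type` and the provider's stable user id and only erroring if that too fails the check, keeps the two paths consistent. At minimum the message should not be the raw CheckUsername text, which assumes the user typed the name. Login's body starts and ends outside this hunk.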
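Review bot: UpdateUser now rejects the whole request whenever `user.Name` fails CheckUsername, even when `columns` does not include the name field, so any existing account whose name predates this rule or was created by a path that bypasses it can no longer be updated at all (not even to change its password or disable it). Such accounts are likely to exist: the LDAP sync in object/ldap.go in this same patch still calls `AddUser` with `buildLdapUserName(user.Uid, user.UidNumber)` unvalidated, and LDAP uids commonly contain `.` or `_`. Run the check only when the name is actually being changed, i.e. when `"name"` is among `columns` (and whatever an empty `columns` means here) or when `user.Name` differs from the stored user's current name. The enclosing function starts and ends outside this hunk.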
@@ -183,6 +189,12 @@ func (c *ApiController) AddUser() { return } + msg := object.CheckUsername(user.Name) + if msg != "" { + c.ResponseError(msg) + return + } + c.Data["json"] = wrapActionResponse(object.AddUser(&user)) c.ServeJSON() } diff --git a/object/check.go b/object/check.go index 92acd7c0..c01c9532 100644 --- a/object/check.go +++ b/object/check.go @@ -313,3 +313,21 @@ func CheckAccessPermission(userId string, application *Application) (bool, error } return allowed, err } + +func CheckUsername(name string) string { + if name == "" { + return "Empty username." + } else if len(name) > 39 { + return "Username is too long (maximum is 39 characters)." + } + + // https://stackoverflow.com/questions/58726546/github-username-convention-using-regex + re, _ := regexp.Compile("^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$") + if !re.MatchString(name) { + return fmt.Sprintf("The name '%s' may only contain alphanumeric characters or hyphens, "+ + "cannot have multiple consecutive hyphens, "+ + "and cannot begin or end with a hyphen.", name) + } + + return "" +} diff --git a/object/ldap.go b/object/ldap.go index ac53a9f9..4e2bd062 100644 --- a/object/ldap.go +++ b/object/ldap.go @@ -409,6 +409,7 @@ func SyncLdapUsers(owner string, users []LdapRespUser, ldapId string) (*[]LdapRe } } } + if !found && !AddUser(&User{ Owner: owner, Name: buildLdapUserName(user.Uid, user.UidNumber), diff --git a/object/token.go b/object/token.go index 38c18bcf..0c72ffab 100644 --- a/object/token.go +++ b/object/token.go @@ -703,7 +703,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin } // Add new user var name string - if username != "" { + if CheckUsername(username) == "" { name = username } else { name = fmt.Sprintf("wechat-%s", openId)
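Review bot: With this hunk the same validation is now copied into four controllers while the remaining insert path in this very patch, object/ldap.go's `AddUser(&User{ Owner: owner, Name: buildLdapUserName(user.Uid, user.UidNumber), ...})`, stays unguarded, and any future caller of `object.AddUser` will be too. Put the rule where the invariant lives: have `object.AddUser` (and `object.UpdateUser`) call CheckUsername and refuse the write, so every creation path enforces it, and keep the controller-level checks only for the friendlier early error. The AddUser handler starts before this hunk.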
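Review bot: `regexp.Compile` is executed on every call and its error discarded; compile once at package scope with `var usernameRe = regexp.MustCompile("^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$")` and use `if !usernameRe.MatchString(name) {`. The rejection message embeds the submitted name verbatim via `'%s'`; `%q` escapes quotes and control characters so the text is safe to log and unambiguous when it reaches a client. `len(name) > 39` counts bytes, which is only correct because the regex later restricts names to ASCII; a one-line comment saying so prevents someone "fixing" it to a rune count or reordering the checks. The exported function also lacks a doc comment; something like `// CheckUsername returns "" when name is a valid GitHub-style username (1-39 ASCII alphanumerics with single, non-leading, non-trailing hyphens), otherwise a user-facing reason.` The function is complete within the hunk.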
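Review bot: When the caller-supplied `username` fails CheckUsername the code now silently substitutes `wechat-<openId>` instead of reporting why the name was rejected, so a user who typed a name never learns it was dropped. The generated fallback is not itself validated either: nothing in this hunk constrains the openId format, so if it contains any character outside `[A-Za-z0-9-]` the resulting account name fails the same check on its next UpdateUser (which this patch also guards) and the account becomes uneditable. Either sanitize openId before formatting or run `CheckUsername` on the fallback and fail loudly when it does not pass. GetWechatMiniProgramToken starts and ends outside this hunk.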