fix: check if usernames contain spaces when creating a new user

2023-03-12 15:02:34 +01:00 · 2023-03-12 15:02:34 +01:00 · 672fb35bcb
parent 1f13b5d7b4
commit 672fb35bcb
4 changed files with 69 additions and 19 deletions
--- a/docs/content/doc/usage/errors.md
+++ b/docs/content/doc/usage/errors.md
@ -24,24 +24,26 @@ This document describes the different errors Vikunja can return.

 | ErrorCode | HTTP Status Code | Description |
 |-----------|------------------|-------------|
-| 1001 | 400 | A user with this username already exists. |
-| 1002 | 400 | A user with this email address already exists. |
-| 1004 | 400 | No username and password specified. |
-| 1005 | 404 | The user does not exist. |
-| 1006 | 400 | Could not get the user id. |
-| 1008 | 412 | No password reset token provided. |
-| 1009 | 412 | Invalid password reset token. |
-| 1010 | 412 | Invalid email confirm token. |
-| 1011 | 412 | Wrong username or password. |
-| 1012 | 412 | Email address of the user not confirmed. |
-| 1013 | 412 | New password is empty. |
-| 1014 | 412 | Old password is empty. |
-| 1015 | 412 | Totp is already enabled for this user. |
-| 1016 | 412 | Totp is not enabled for this user. |
-| 1017 | 412 | The provided Totp passcode is invalid. |
-| 1018 | 412 | The provided user avatar provider type setting is invalid. |
-| 1019 | 412 | No openid email address was provided. |
-| 1020 | 412 | This user account is disabled. |
+| 1001      | 400 | A user with this username already exists. |
+| 1002      | 400 | A user with this email address already exists. |
+| 1004      | 400 | No username and password specified. |
+| 1005      | 404 | The user does not exist. |
+| 1006      | 400 | Could not get the user id. |
+| 1008      | 412 | No password reset token provided. |
+| 1009      | 412 | Invalid password reset token. |
+| 1010      | 412 | Invalid email confirm token. |
+| 1011      | 412 | Wrong username or password. |
+| 1012      | 412 | Email address of the user not confirmed. |
+| 1013      | 412 | New password is empty. |
+| 1014      | 412 | Old password is empty. |
+| 1015      | 412 | Totp is already enabled for this user. |
+| 1016      | 412 | Totp is not enabled for this user. |
+| 1017      | 412 | The provided Totp passcode is invalid. |
+| 1018      | 412 | The provided user avatar provider type setting is invalid. |
+| 1019      | 412 | No openid email address was provided. |
+| 1020      | 412 | This user account is disabled. |
+| 1021      | 412 | This account is managed by a third-party authentication provider. |
+| 1021      | 412 | The username must not contain spaces. |

 ## Validation

--- a/pkg/user/error.go
+++ b/pkg/user/error.go
@ -479,3 +479,30 @@ func (err *ErrAccountIsNotLocal) HTTPError() web.HTTPError {
 		Message:  "This account is managed by a third-party authentication provider.",
 	}
 }
+
+// ErrUsernameMustNotContainSpaces represents a "UsernameMustNotContainSpaces" kind of error.
+type ErrUsernameMustNotContainSpaces struct {
+	Username string
+}
+
+// IsErrUsernameMustNotContainSpaces checks if an error is a ErrUsernameMustNotContainSpaces.
+func IsErrUsernameMustNotContainSpaces(err error) bool {
+	_, ok := err.(*ErrUsernameMustNotContainSpaces)
+	return ok
+}
+
+func (err *ErrUsernameMustNotContainSpaces) Error() string {
+	return "username must not contain spaces"
+}
+
+// ErrCodeUsernameMustNotContainSpaces holds the unique world-error code of this error
+const ErrCodeUsernameMustNotContainSpaces = 1022
+
+// HTTPError holds the http error description
+func (err *ErrUsernameMustNotContainSpaces) HTTPError() web.HTTPError {
+	return web.HTTPError{
+		HTTPCode: http.StatusPreconditionFailed,
+		Code:     ErrCodeUsernameMustNotContainSpaces,
+		Message:  "The username must not contain spaces.",
+	}
+}
--- a/pkg/user/user_create.go
+++ b/pkg/user/user_create.go
@ -17,6 +17,8 @@
 package user

 import (
+	"strings"
+
 	"code.vikunja.io/api/pkg/config"
 	"code.vikunja.io/api/pkg/events"
 	"code.vikunja.io/api/pkg/notifications"
@ -33,7 +35,7 @@ func CreateUser(s *xorm.Session, user *User) (newUser *User, err error) {
 		user.Issuer = IssuerLocal
 	}

-	// Check if we have all needed information
+	// Check if we have all required information
 	err = checkIfUserIsValid(user)
 	if err != nil {
 		return nil, err
@ -128,6 +130,12 @@ func checkIfUserIsValid(user *User) error {
 		return ErrNoUsernamePassword{}
 	}

+	if strings.Contains(user.Username, " ") {
+		return &ErrUsernameMustNotContainSpaces{
+			Username: user.Username,
+		}
+	}
+
 	return nil
 }

--- a/pkg/user/user_test.go
+++ b/pkg/user/user_test.go
@ -133,6 +133,19 @@ func TestCreateUser(t *testing.T) {
 		})
 		assert.NoError(t, err)
 	})
+	t.Run("space in username", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		_, err := CreateUser(s, &User{
+			Username: "user name",
+			Password: "12345",
+			Email:    "user1@example.com",
+		})
+		assert.Error(t, err)
+		assert.True(t, IsErrUsernameMustNotContainSpaces(err))
+	})
 }

 func TestGetUser(t *testing.T) {