From 672fb35bcbb47e4c0331813aa837fee28f372471 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sun, 12 Mar 2023 15:02:34 +0100
Subject: [PATCH] fix: check if usernames contain spaces when creating a new user
---
 docs/content/doc/usage/errors.md | 38 +++++++++++++++++---------------
 pkg/user/error.go | 27 +++++++++++++++++++++++
 pkg/user/user_create.go | 10 ++++++++-
 pkg/user/user_test.go | 13 +++++++++++
 4 files changed, 69 insertions(+), 19 deletions(-)
diff --git a/docs/content/doc/usage/errors.md b/docs/content/doc/usage/errors.md
index faf4ef548..76405c1c1 100644
--- a/docs/content/doc/usage/errors.md
+++ b/docs/content/doc/usage/errors.md
@@ -24,24 +24,26 @@ This document describes the different errors Vikunja can return.
 | ErrorCode | HTTP Status Code | Description |
 |-----------|------------------|-------------|
-| 1001 | 400 | A user with this username already exists. |
-| 1002 | 400 | A user with this email address already exists. |
-| 1004 | 400 | No username and password specified. |
-| 1005 | 404 | The user does not exist. |
-| 1006 | 400 | Could not get the user id. |
-| 1008 | 412 | No password reset token provided. |
-| 1009 | 412 | Invalid password reset token. |
-| 1010 | 412 | Invalid email confirm token. |
-| 1011 | 412 | Wrong username or password. |
-| 1012 | 412 | Email address of the user not confirmed. |
-| 1013 | 412 | New password is empty. |
-| 1014 | 412 | Old password is empty. |
-| 1015 | 412 | Totp is already enabled for this user. |
-| 1016 | 412 | Totp is not enabled for this user. |
-| 1017 | 412 | The provided Totp passcode is invalid. |
-| 1018 | 412 | The provided user avatar provider type setting is invalid. |
-| 1019 | 412 | No openid email address was provided. |
-| 1020 | 412 | This user account is disabled. |
+| 1001 | 400 | A user with this username already exists. |
+| 1002 | 400 | A user with this email address already exists. |
+| 1004 | 400 | No username and password specified. |
+| 1005 | 404 | The user does not exist. |
+| 1006 | 400 | Could not get the user id. |
+| 1008 | 412 | No password reset token provided. |
+| 1009 | 412 | Invalid password reset token. |
+| 1010 | 412 | Invalid email confirm token. |
+| 1011 | 412 | Wrong username or password. |
+| 1012 | 412 | Email address of the user not confirmed. |
+| 1013 | 412 | New password is empty. |
+| 1014 | 412 | Old password is empty. |
+| 1015 | 412 | Totp is already enabled for this user. |
+| 1016 | 412 | Totp is not enabled for this user. |
+| 1017 | 412 | The provided Totp passcode is invalid. |
+| 1018 | 412 | The provided user avatar provider type setting is invalid. |
+| 1019 | 412 | No openid email address was provided. |
+| 1020 | 412 | This user account is disabled. |
+| 1021 | 412 | This account is managed by a third-party authentication provider. |
+| 1021 | 412 | The username must not contain spaces. |
 ## Validation
diff --git a/pkg/user/error.go b/pkg/user/error.go
index 88c4f5766..a5ac4a37e 100644
--- a/pkg/user/error.go
+++ b/pkg/user/error.go
@@ -479,3 +479,30 @@ func (err *ErrAccountIsNotLocal) HTTPError() web.HTTPError {
 Message: "This account is managed by a third-party authentication provider.",
 }
 }
+
+// ErrUsernameMustNotContainSpaces represents a "UsernameMustNotContainSpaces" kind of error.
+type ErrUsernameMustNotContainSpaces struct {
+ Username string
+}
+
+// IsErrUsernameMustNotContainSpaces checks if an error is a ErrUsernameMustNotContainSpaces.
+func IsErrUsernameMustNotContainSpaces(err error) bool {
+ _, ok := err.(*ErrUsernameMustNotContainSpaces)
+ return ok
+}
+
+func (err *ErrUsernameMustNotContainSpaces) Error() string {
+ return "username must not contain spaces"
+}
+
+// ErrCodeUsernameMustNotContainSpaces holds the unique world-error code of this error
+const ErrCodeUsernameMustNotContainSpaces = 1022
+
+// HTTPError holds the http error description
+func (err *ErrUsernameMustNotContainSpaces) HTTPError() web.HTTPError {
+ return web.HTTPError{
+ HTTPCode: http.StatusPreconditionFailed,
+ Code: ErrCodeUsernameMustNotContainSpaces,
+ Message: "The username must not contain spaces.",
+ }
+}
diff --git a/pkg/user/user_create.go b/pkg/user/user_create.go
index 59b619471..cb01fc048 100644
--- a/pkg/user/user_create.go
+++ b/pkg/user/user_create.go
@@ -17,6 +17,8 @@
 package user
 import (
+ "strings"
+
 "code.vikunja.io/api/pkg/config"
 "code.vikunja.io/api/pkg/events"
 "code.vikunja.io/api/pkg/notifications"
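Review bot: `ErrCodeUsernameMustNotContainSpaces` is 1022 in this hunk, but the row the same commit adds to docs/content/doc/usage/errors.md lists the new error as a second `1021`, so API clients that branch on the numeric code will not find 1022 in the reference; the table row should read `| 1022 | 412 | The username must not contain spaces. |`. `IsErrUsernameMustNotContainSpaces` uses a direct type assertion, so it reports false once the error has been wrapped by a caller; `errors.As` would match both cases, provided `errors` is imported in error.go, which is not visible here. `Error()` is the only new exported method without a doc comment; something like `// Error is the error implementation of ErrUsernameMustNotContainSpaces.` would do.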
@@ -33,7 +35,7 @@ func CreateUser(s *xorm.Session, user *User) (newUser *User, err error) {
 user.Issuer = IssuerLocal
 }
- // Check if we have all needed information
+ // Check if we have all required information
 err = checkIfUserIsValid(user)
 if err != nil {
 return nil, err
@@ -128,6 +130,12 @@ func checkIfUserIsValid(user *User) error {
 return ErrNoUsernamePassword{}
 }
+ if strings.Contains(user.Username, " ") {
+ return &ErrUsernameMustNotContainSpaces{
+ Username: user.Username,
+ }
+ }
+
 return nil
 }
diff --git a/pkg/user/user_test.go b/pkg/user/user_test.go
index 3b2058783..b339f2101 100644
--- a/pkg/user/user_test.go
+++ b/pkg/user/user_test.go
@@ -133,6 +133,19 @@ func TestCreateUser(t *testing.T) {
 })
 assert.NoError(t, err)
 })
+ t.Run("space in username", func(t *testing.T) {
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ _, err := CreateUser(s, &User{
+ Username: "user name",
+ Password: "12345",
+ Email: "user1@example.com",
+ })
+ assert.Error(t, err)
+ assert.True(t, IsErrUsernameMustNotContainSpaces(err))
+ })
 }
 func TestGetUser(t *testing.T) {
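Review bot: The check added to `checkIfUserIsValid` rejects only the ASCII space U+0020, so a username containing a tab, a line break or a non-breaking space still passes validation; such names are hard to tell apart from legitimate ones wherever usernames are displayed and can break up log lines. Testing every rune closes that gap: `if strings.IndexFunc(user.Username, unicode.IsSpace) >= 0 {`, with `"unicode"` added to the import block. The commit title limits the fix to user creation; whether rename or update paths and accounts provisioned through an external identity provider also go through this function is not visible here and is worth confirming. `checkIfUserIsValid` begins above the hunk.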
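Review bot: The `space in username` subtest pins a single input, one interior U+0020, and discards the first return value of `CreateUser`. Cases for a leading and a trailing space, plus any other whitespace the validator is meant to reject, would fix the boundary of the rule in the suite; a short slice of usernames looped inside the subtest keeps it compact. Capturing the result as `u, err := CreateUser(...)` and adding `assert.Nil(t, u)` would also confirm that no user object is handed back on rejection.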