IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: don't allow username to be changed to same as password

Browse Source 
We were blocking user registrations with same username and password,
but allowing usernames to be changed to be same as password later.
Also disallow names to be the same as password.
This commit is contained in:
Neil Lalonde
2019-05-13 16:43:19 -04:00
parent 13e54bca3d
commit 6f747c6b71
5 changed files with 71 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
app/models/user.rb
View File

@@ -106,6 +106,7 @@ class User < ActiveRecord::Base
validates_presence_of :username
validate :username_validator, if: :will_save_change_to_username?
validate :password_validator
validate :name_validator, if: :will_save_change_to_name?
validates :name, user_full_name: true, if: :will_save_change_to_name?, length: { maximum: 255 }
validates :ip_address, allowed_ip_address: { on: :create, message: :signup_not_allowed }
validates :primary_email, presence: true
@@ -1333,20 +1334,34 @@ class User < ActiveRecord::Base
def username_validator
username_format_validator || begin
existing = DB.query(
USERNAME_EXISTS_SQL,
username: self.class.normalize_username(username)
)
if will_save_change_to_username?
existing = DB.query(
USERNAME_EXISTS_SQL,
username: self.class.normalize_username(username)
)
user_id = existing.select { |u| u.is_user }.first&.id
same_user = user_id && user_id == self.id
user_id = existing.select { |u| u.is_user }.first&.id
same_user = user_id && user_id == self.id
if will_save_change_to_username? && existing.present? && !same_user
errors.add(:username, I18n.t(:'user.username.unique'))
if existing.present? && !same_user
errors.add(:username, I18n.t(:'user.username.unique'))
end
if confirm_password?(username) || confirm_password?(username.downcase)
errors.add(:username, :same_as_password)
end
end
end
end
def name_validator
if name.present? &&
(confirm_password?(name) || confirm_password?(name&.downcase))
errors.add(:name, :same_as_password)
end
end
def set_default_categories_preferences
return if self.staged?