FIX: min/max username length limits weren't validated (#17382)

* FIX: min/max username length limits weren't validated The custom validators introduced in e0d7cda made so we ignored the mix and max values set on site_settings.yml. That change allowed admins to set values outside of the range defined on the yaml file. Related to https://meta.discourse.org/t/group-names-with-more-than-60-characters-broken/232115?u=falco Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2025-02-25 18:55:32 -06:00 · 2022-07-08 12:00:47 -03:00
parent 4c1b8e736d
commit 75e40baa64
6 changed files with 61 additions and 8 deletions
--- a/spec/lib/validators/max_username_length_validator_spec.rb
+++ b/spec/lib/validators/max_username_length_validator_spec.rb
@@ -2,13 +2,32 @@

 describe MaxUsernameLengthValidator do
  it "checks for minimum range" do
-    SiteSetting.min_username_length = 6
+    User.update_all('username = username || username')
+    SiteSetting.min_username_length = 9

    validator = described_class.new
-    expect(validator.valid_value?(5)).to eq(false)
+    expect(validator.valid_value?(8)).to eq(false)
    expect(validator.error_message).to eq(I18n.t("site_settings.errors.max_username_length_range"))
  end

+  context "checks for valid ranges" do
+    it "fails for values below the valid range" do
+      expect do
+        SiteSetting.max_username_length = 5
+      end.to raise_error(Discourse::InvalidParameters)
+    end
+    it "fails for values above the valid range" do
+      expect do
+        SiteSetting.max_username_length = 61
+      end.to raise_error(Discourse::InvalidParameters)
+    end
+    it "works for values within the valid range" do
+      expect do
+        SiteSetting.max_username_length = 42
+      end.not_to raise_error
+    end
+  end
+
  it "checks for users with short usernames" do
    user = Fabricate(:user, username: 'jackjackjack')

--- a/spec/lib/validators/min_username_length_validator_spec.rb
+++ b/spec/lib/validators/min_username_length_validator_spec.rb
@@ -9,6 +9,24 @@ describe MinUsernameLengthValidator do
    expect(validator.error_message).to eq(I18n.t("site_settings.errors.min_username_length_range"))
  end

+  context "checks for valid ranges" do
+    it "fails for values below the valid range" do
+      expect do
+        SiteSetting.min_username_length = 0
+      end.to raise_error(Discourse::InvalidParameters)
+    end
+    it "fails for values above the valid range" do
+      expect do
+        SiteSetting.min_username_length = 61
+      end.to raise_error(Discourse::InvalidParameters)
+    end
+    it "works for values within the valid range" do
+      expect do
+        SiteSetting.min_username_length = 4
+      end.not_to raise_error
+    end
+  end
+
  it "checks for users with short usernames" do
    user = Fabricate(:user, username: 'jack')