Better checking for valid site name

2025-04-24 17:22:35 +02:00 · 2014-08-07 01:24:05 -07:00 · 2014-08-07 01:24:05 -07:00 · aab39212ef
commit aab39212ef
parent 3233494281
2 changed files with 49 additions and 1 deletions
--- a/models/site.rb
+++ b/models/site.rb
@ -245,6 +245,10 @@ class Site < Sequel::Model
    filename.gsub(/[^a-zA-Z0-9_\-.]/, '')
  end

+  def self.valid_username?(username)
+    !username.empty? && username.match(/^[a-zA-Z0-9_\-]+$/i)
+  end
+
  def self.valid_file_type?(uploaded_file)
    mime_type = Magic.guess_file_mime_type uploaded_file[:tempfile].path

@ -375,6 +379,10 @@ class Site < Sequel::Model
      errors.add :over_capacity, 'We are currently at capacity, and cannot create your home page. We will fix this shortly. Please come back later and try again, our apologies.'
    end

+    if !self.class.valid_username?(values[:username])
+      errors.add :username, 'A valid user/site name is required.'
+    end
+
    # TODO regex fails for usernames <= 2 chars, tempfix for now.
    if new? && values[:username].length > 2 && !values[:username].match(VALID_HOSTNAME)
      errors.add :username, 'A valid user/site name is required.'
@ -384,7 +392,6 @@ class Site < Sequel::Model
      errors.add :username, 'User/site name cannot exceed 32 characters.'
    end

-
    # Check that email has been provided
    if new? && values[:email].empty?
      errors.add :email, 'An email address is required.'
--- a/tests/acceptance_tests.rb
+++ b/tests/acceptance_tests.rb
@ -16,6 +16,47 @@ describe 'index' do
  end
 end

+describe 'change username' do
+  include Capybara::DSL
+
+  def visit_signup
+    visit '/'
+    click_button 'Create My Website'
+  end
+
+  def fill_in_valid
+    @site = Fabricate.attributes_for(:site)
+    fill_in 'username', with: @site[:username]
+    fill_in 'password', with: @site[:password]
+    fill_in 'email',    with: @site[:email]
+  end
+
+  before do
+    Capybara.reset_sessions!
+    visit_signup
+  end
+
+  it 'does not allow bad usernames' do
+    visit '/'
+    click_button 'Create My Website'
+    fill_in_valid
+    click_button 'Create Home Page'
+    visit '/settings'
+    fill_in 'name', with: ''
+    click_button 'Change Name'
+    fill_in 'name', with: '../hack'
+    click_button 'Change Name'
+    fill_in 'name', with: 'derp../hack'
+    click_button 'Change Name'
+    ## TODO fix this without screwing up legacy sites
+    #fill_in 'name', with: '-'
+    #click_button 'Change Name'
+    page.must_have_content /valid.+name.+required/i
+    Site[username: @site[:username]].wont_equal nil
+    Site[username: ''].must_equal nil
+  end
+end
+
 describe 'signup' do
  include Capybara::DSL