Item13839: Validate, don't encode username

Fix for 2.0.2 registration was too aggressive.
foswiki · Nov 4, 2015 · f853dd1 · f853dd1
1 parent 5da8166
commit f853dd1
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 5 deletions.
diff --git a/UnitTestContrib/test/unit/ManageDotPmTests.pm b/UnitTestContrib/test/unit/ManageDotPmTests.pm
@@ -641,6 +641,52 @@ sub test_NoUserAddToNewGroupCreate {
     return;
 }
 
+sub test_InvalidUserAddToNewGroupCreate {
+    my $this = shift;
+    my $ret;
+
+    $ret = $this->addUserToGroup(
+        {
+            'username'  => ['Bad<script>User'],
+            'groupname' => ['NewGroup'],
+            'create'    => [1],
+            'action'    => ['addUserToGroup']
+        }
+    );
+
+    $this->assert_equals( $ret->{status}, 500 );
+    $this->assert_equals( $ret->{def},    'problem_adding_to_group' );
+    $this->assert_matches( qr/Invalid username/, $ret->{params}[0] );
+
+    #SMELL: TopicUserMapping specific - we don't refresh Groups cache :(
+    $this->assert(
+        Foswiki::Func::topicExists( $this->{users_web}, "NewGroup" ) );
+
+    #need to reload to force Foswiki to reparse Groups :(
+    my $q = $this->{request};
+    $this->createNewFoswikiSession( undef, $q );
+
+    $this->assert(
+        Foswiki::Func::topicExists( $this->{users_web}, "NewGroup" ) );
+
+    $ret = $this->addUserToGroup(
+        {
+            'username'  => ['Us_aaUser'],
+            'groupname' => ['NewGroup'],
+            'create'    => [1],
+            'action'    => ['addUserToGroup']
+        }
+    );
+
+    #need to reload to force Foswiki to reparse Groups :(
+    $q = $this->{request};
+    $this->createNewFoswikiSession( undef, $q );
+
+    $this->assert( Foswiki::Func::isGroupMember( "NewGroup", 'Us_aaUser' ) );
+
+    return;
+}
+
 sub test_NoUserAddToNewGroupCreateAsAdmin {
     my $this = shift;
     my $ret;

diff --git a/core/lib/Foswiki/UserMapping.pm b/core/lib/Foswiki/UserMapping.pm
@@ -566,11 +566,15 @@ sub validateRegistrationField {
 
     return $_[2] if ( lc( $_[1] ) eq 'loginname' );
 
-    if (   ( lc( $_[1] ) eq 'username' )
-        && length( $_[2] )
-        && !( $_[2] =~ m/$Foswiki::cfg{LoginNameFilterIn}/ ) )
-    {
-        throw Error::Simple( Foswiki::entityEncode("Invalid $_[1]") );
+    if ( lc( $_[1] ) eq 'username' ) {
+        if ( length( $_[2] )
+            && !( $_[2] =~ m/$Foswiki::cfg{LoginNameFilterIn}/ ) )
+        {
+            throw Error::Simple( Foswiki::entityEncode("Invalid $_[1]") );
+        }
+        else {
+            return $_[2];
+        }
     }
 
     # Don't check contents of password - it's never displayed.