aboutsummaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2017-02-25 13:08:45 +0100
committerGravatar GitHub <noreply@github.com> 2017-02-25 13:08:45 +0100
commitfb6bb8e826a29c1f94a705ea39ecc052ff59b99f (patch)
tree08643f3a2901fc38aaa0841cebd35fc714842f49 /app
parentb8ac2b1d8ab47642018bd3f0fe6863b69a2743d6 (diff)
parent0bd4b2c74204a2f9360816ab22aac0da4c459824 (diff)
Merge pull request #1423 from plopoyop/feature/username-in-cli
[WIP] Feature/username in cli
Diffstat (limited to 'app')
-rwxr-xr-xapp/Controllers/javascriptController.php2
-rw-r--r--app/Controllers/userController.php14
-rw-r--r--app/Models/Auth.php4
-rw-r--r--app/Models/Feed.php2
-rw-r--r--app/Models/UserDAO.php2
-rw-r--r--app/install.php2
-rw-r--r--app/views/auth/formLogin.phtml2
-rw-r--r--app/views/auth/register.phtml2
-rw-r--r--app/views/user/manage.phtml2
9 files changed, 21 insertions, 11 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 00a7b5c38..6336106a9 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
header('Pragma: no-cache');
$user = isset($_GET['user']) ? $_GET['user'] : '';
- if (ctype_alnum($user)) {
+ if (FreshRSS_user_Controller::checkUsername($user)) {
try {
$salt = FreshRSS_Context::$system_conf->salt;
$conf = get_user_configuration($user);
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 9d6ae18e6..593e24cf2 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -35,6 +35,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
}
/**
+ * The username is also used as folder name, file name, and part of SQL table name.
+ * '_' is a reserved internal username.
+ */
+ const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
+
+ public static function checkUsername($username) {
+ return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
+ }
+
+ /**
* This action displays the user profile page.
*/
public function profileAction() {
@@ -104,7 +114,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
$userConfig = array();
}
- $ok = ($new_user_name != '') && ctype_alnum($new_user_name);
+ $ok = self::checkUsername($new_user_name);
if ($ok) {
$languages = Minz_Translate::availableLanguages();
@@ -187,7 +197,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
$db = FreshRSS_Context::$system_conf->db;
require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
- $ok = ctype_alnum($username);
+ $ok = self::checkUsername($username);
if ($ok) {
$default_user = FreshRSS_Context::$system_conf->default_user;
$ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index b3255cfbd..476627e10 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -182,7 +182,7 @@ class FreshRSS_Auth {
class FreshRSS_FormAuth {
public static function checkCredentials($username, $hash, $nonce, $challenge) {
- if (!ctype_alnum($username) ||
+ if (!FreshRSS_user_Controller::checkUsername($username) ||
!ctype_graph($challenge) ||
!ctype_alnum($nonce)) {
Minz_Log::debug('Invalid credential parameters:' .
@@ -211,7 +211,7 @@ class FreshRSS_FormAuth {
// Token has expired (> 1 month) or does not exist.
// TODO: 1 month -> use a configuration instead
@unlink($token_file);
- return array();
+ return array();
}
$credentials = @file_get_contents($token_file);
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 97cb1c47e..7a9cf8612 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
}
$currentUser = Minz_Session::param('currentUser');
- if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
+ if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
touch($path . '/' . $currentUser . '.txt');
}
}
diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 32bc6de2f..a60caf395 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
@@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
}
public static function touch($username = '') {
- if (($username == '') || (!ctype_alnum($username))) {
+ if (!FreshRSS_user_Controller::checkUsername($username)) {
$username = Minz_Session::param('currentUser', '_');
}
return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));
diff --git a/app/install.php b/app/install.php
index 986a7dc60..9a88e0f37 100644
--- a/app/install.php
+++ b/app/install.php
@@ -553,7 +553,7 @@ function printStep2() {
<div class="form-group">
<label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label>
<div class="group-controls">
- <input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
+ <input type="text" id="default_user" name="default_user" required="required" size="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
</div>
</div>
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index a8213b7ae..99be6059c 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -9,7 +9,7 @@
<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div>
<label for="username"><?php echo _t('gen.auth.username'); ?></label>
- <input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
+ <input type="text" id="username" name="username" size="16" required="required" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" autofocus="autofocus" />
</div>
<div>
<label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label>
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml
index 1f9976391..23bda25ce 100644
--- a/app/views/auth/register.phtml
+++ b/app/views/auth/register.phtml
@@ -5,7 +5,7 @@
<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div>
<label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
- <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
+ <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" />
</div>
<div>
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml
index a32247d14..793a3a0bd 100644
--- a/app/views/user/manage.phtml
+++ b/app/views/user/manage.phtml
@@ -22,7 +22,7 @@
<div class="form-group">
<label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label>
<div class="group-controls">
- <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" placeholder="demo" />
+ <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" placeholder="demo" />
</div>
</div>
generated by cgit v1.2.3 (git 2.39.1) at 2026-03-18 10:40:50 +0000