From ff93be7a89ad6f352f72c5111580e344139324c5 Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Thu, 3 Dec 2020 23:31:01 +0000
Subject: [PATCH] Validate forum usernames in the claim form
---
app/blueprints/users/claim.py | 20 ++++++++++++------
app/templates/users/claim.html | 38 ++++++++++++++++++----------------
2 files changed, 34 insertions(+), 24 deletions(-)
diff --git a/app/blueprints/users/claim.py b/app/blueprints/users/claim.py
index ad5aa2c..1a70ee2 100644
--- a/app/blueprints/users/claim.py
+++ b/app/blueprints/users/claim.py
@@ -17,11 +17,14 @@
from . import bp
from flask import redirect, render_template, session, request, flash, url_for
-from flask_user import current_user
from app.models import db, User, UserRank
-from app.utils import randomString, loginUser, rank_required
+from app.utils import randomString, loginUser
from app.tasks.forumtasks import checkForumAccount
from app.tasks.phpbbparser import getProfile
+import re
+
+def check_username(username):
+ return username is not None and len(username) >= 2 and re.match("^[A-Za-z0-9._-]*$", username)
@bp.route("/user/claim/", methods=["GET", "POST"])
def claim():
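Review bot: `check_username` at the top of this hunk uses `re.match` with a `$` anchor, and in Python `$` also matches just before a trailing newline, so a value such as `"name\n"` passes the whitelist and then reaches the `forums_username` query and the `url_for(...)` redirect built from it in the later hunks. `re.fullmatch` anchors both ends without that exception: `return username is not None and len(username) >= 2 and re.fullmatch(r"[A-Za-z0-9._-]*", username) is not None`, which also makes the helper return a bool instead of a `Match` object. There is no upper bound on length here; if the `forums_username` column has a fixed size, a matching `len(username) <= N` check (N from the model) would reject oversized input before it hits the database. A one-line docstring stating the rule would help future callers: `"""Return True if username is a plausible forum username: 2+ chars, only A-Za-z0-9._- ."""`.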
@@ -31,6 +34,10 @@ def claim():
else:
method = request.args.get("method")
+ if not check_username(username):
+ flash("Invalid username - must only contain A-Za-z0-9._. Consider contacting an admin", "danger")
+ return redirect(url_for("users.claim"))
+
user = User.query.filter_by(forums_username=username).first()
if user and user.rank.atLeast(UserRank.NEW_MEMBER):
flash("User has already been claimed", "danger")
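Review bot: The flash text on the added line, "must only contain A-Za-z0-9._", omits the hyphen that `check_username`'s pattern `[A-Za-z0-9._-]` accepts, so the message understates the rule; the identical string is repeated in the POST branch (the hunk at `-57,8 +63,8`). One module-level constant, e.g. `INVALID_USERNAME_MSG = "Invalid username - must only contain A-Za-z0-9._- . Consider contacting an admin"`, used at both sites would keep the message and the pattern in step. The enclosing `claim()` function begins and ends outside this hunk.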
@@ -45,7 +52,6 @@ def claim():
flash("Unable to find user", "danger")
return redirect(url_for("users.claim"))
-
token = None
if "forum_token" in session:
token = session["forum_token"]
@@ -57,8 +63,8 @@ def claim():
ctype = request.form.get("claim_type")
username = request.form.get("username")
- if username is None or len(username.strip()) < 2:
- flash("Invalid username", "danger")
+ if not check_username(username):
+ flash("Invalid username - must only contain A-Za-z0-9._. Consider contacting an admin", "danger")
elif ctype == "github":
task = checkForumAccount.delay(username)
return redirect(url_for("tasks.check", id=task.id, r=url_for("users.claim", username=username, method="github")))
@@ -88,6 +94,8 @@ def claim():
# Look for key
if sig and token in sig:
+ # Try getting again to fix crash
+ user = User.query.filter_by(forums_username=username).first()
if user is None:
user = User(username)
user.forums_username = username
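Review bot: The added comment `# Try getting again to fix crash` does not say which crash the second lookup avoids, so the next reader cannot tell whether the earlier query result is simply not in scope on this path or whether a row can appear between the two lookups. A comment that records the reason, hedged until confirmed, would be more useful: `# Re-query: a User row for this forum name may have been created since the first lookup; avoid a duplicate insert (TODO: confirm which path crashed)`. Note that the re-fetched `user` is not re-checked with `rank.atLeast(UserRank.NEW_MEMBER)` the way the GET path does in the hunk at `-31,6 +34,10`; if that check is not repeated before this point on the POST path, an account claimed between the two lookups would proceed here. `claim()` continues outside the hunk.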
@@ -106,4 +114,4 @@ def claim():
else:
flash("Unknown claim type", "danger")
- return render_template("users/claim.html", username=username, key=token)
+ return render_template("users/claim.html", username=username, key="cdb_" + token)
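Review bot: `"cdb_" + token` on the last line raises `TypeError` if `token` is still `None`, whereas the old `key=token` tolerated that; `token` is initialised to `None` before the `forum_token` session check in the hunk at `-45,7 +52,6` and the branch that otherwise fills it is outside this view, so this matters only if some path reaches the render without assigning it. A defensive form is `key=("cdb_" + token) if token else None`, or make the invariant explicit where `token` is assigned. The prefix also appears to be presentation only, since the signature check in the hunk at `-88,6 +94,8` still tests the bare `token in sig`; a short comment here, e.g. `# "cdb_" is a display prefix; signature matching uses the bare token`, would stop someone later "fixing" one side to match the other.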
diff --git a/app/templates/users/claim.html b/app/templates/users/claim.html
index ab66349..75b6cdc 100644
--- a/app/templates/users/claim.html
+++ b/app/templates/users/claim.html
@@ -52,7 +52,8 @@ Creating an Account
Enter your forum username here:
-
+
You'll need to have the GitHub field in your forum profile
@@ -81,7 +82,8 @@ Creating an Account
Enter your forum username here:
-
+
Go to
@@ -109,24 +111,24 @@ Creating an Account
-
-
+
+
-
-
- Only do this if you don't have a forum account!
-
-
- If you have a forum account, please use one of the other two
- options.
-
+
+
+ Only do this if you don't have a forum account!
+
+
+ If you have a forum account, please use one of the other two
+ options.
+
-
Register
-
-
+
Register
+
+
{% endif %}