From: <jfi...@us...> - 2003-02-11 07:36:05
|
Update of /cvsroot/mantisbt/mantisbt/core In directory sc8-pr-cvs1:/tmp/cvs-serv20240/core Modified Files: user_api.php Log Message: This is sort of a dump of what I've done so far. I realized I need to divert myself to the access_api briefly because the access control checks are getting really confusing. I'm going to go look at renaming some of those functions. * config_defaults_inc.php (g_manage_user_threshold): new config option to control access to user management functions (create/delete/modify) * constant_inc.php (ERROR_USER_NAME_INVALID): new error * manage_user_create.php * manage_user_create_page.php * manage_user_delete.php * manage_user_edit_page.php * manage_user_page.php * manage_user_proj_add.php * manage_user_proj_delete.php cleanup this files * core/user_api.php (user_is_name_valid): new function that checks a username for validity. We may need to expand this definition to include other character sets? (though the PCRE regexes say they take localization into account). We might also need to add a config option to make the checking less strict for systems that already have users with names that contain weird characters. (user_ensure_name_valid): error-triggering version of above (user_create): call user_ensure_name_valid() before creating the user (user_set_name): new function that checks the username for validity before setting it. If you subvert this function and use user_set_field() directly, you should check the username yourself. Index: user_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v retrieving revision 1.48 retrieving revision 1.49 diff -u -d -r1.48 -r1.49 --- user_api.php 25 Jan 2003 18:21:11 -0000 1.48 +++ user_api.php 11 Feb 2003 07:36:01 -0000 1.49 @@ -139,6 +139,33 @@ } # -------------------- + # Check if the username is a valid username (does not account for uniqueness) + # Return true if it is, false otherwise + function user_is_name_valid( $p_username ) { + # The DB field is only 32 characters + if ( 32 > strlen( $p_username ) ) { + return false; + } + + # Only allow a basic set of characters + if ( 0 == preg_match( '/^\w+$/', $p_username ) ) { + return false; + } + + # We have a valid username + return true; + } + + # -------------------- + # Check if the username is a valid username (does not account for uniqueness) + # Trigger an error if the username is not valid + function user_ensure_name_valid( $p_username ) { + if ( ! user_is_name_valid( $p_username ) ) { + trigger_error( ERROR_USER_NAME_INVALID, ERROR ); + } + } + + # -------------------- # return whether user is monitoring bug for the user id and bug id function user_is_monitoring_bug( $p_user_id, $p_bug_id ) { $c_user_id = db_prepare_int( $p_user_id ); @@ -207,6 +234,7 @@ $c_protected = db_prepare_bool( $p_protected ); $c_enabled = db_prepare_bool( $p_enabled ); + user_ensure_name_valid( $p_username ); user_ensure_name_unique( $p_username ); email_ensure_valid( $p_email ); @@ -634,6 +662,15 @@ email_ensure_valid( $p_email ); return user_set_field( $p_user_id, 'email', $p_email ); + } + + # -------------------- + # Set the user's username to the given string after checking that it is valid + function user_set_name( $p_user_id, $p_username ) { + user_ensure_name_valid( $p_username ); + user_ensure_name_unique( $p_username ); + + return user_set_field( $p_user_id, 'username', $p_username ); } # -------------------- |