[Mantisbt-cvs] mantisbt/core user_api.php,1.48,1.49

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/mantisbt/mantisbt/core
In directory sc8-pr-cvs1:/tmp/cvs-serv20240/core

Modified Files:
	user_api.php 
Log Message:
This is sort of a dump of what I've done so far.  I realized I need to divert myself to the access_api briefly because the access control checks are getting really confusing.  I'm going to go look at renaming some of those functions.


* config_defaults_inc.php
  (g_manage_user_threshold): new config option to control access to user
    management functions (create/delete/modify)

* constant_inc.php
  (ERROR_USER_NAME_INVALID): new error

* manage_user_create.php
* manage_user_create_page.php
* manage_user_delete.php
* manage_user_edit_page.php
* manage_user_page.php
* manage_user_proj_add.php
* manage_user_proj_delete.php
   cleanup this files

* core/user_api.php
  (user_is_name_valid): 
    new function that checks a username for validity. We
    may need to expand this definition to include other character sets? (though
    the PCRE regexes say they take localization into account).  We might also
    need to add a config option to make the checking less strict for systems
    that already have users with names that contain weird characters.

  (user_ensure_name_valid):
    error-triggering version of above

  (user_create):
    call user_ensure_name_valid() before creating the user

  (user_set_name):
    new function that checks the username for validity before setting it.  If
    you subvert this function and use user_set_field() directly, you should
    check the username yourself.


Index: user_api.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -d -r1.48 -r1.49

--- user_api.php	25 Jan 2003 18:21:11 -0000	1.48
+++ user_api.php	11 Feb 2003 07:36:01 -0000	1.49
@@ -139,6 +139,33 @@
 	}
 
 	# --------------------
+	# Check if the username is a valid username (does not account for uniqueness)
+	# Return true if it is, false otherwise
+	function user_is_name_valid( $p_username ) {
+		# The DB field is only 32 characters
+		if ( 32 > strlen( $p_username ) ) {
+			return false;	
+		}
+
+		# Only allow a basic set of characters
+		if ( 0 == preg_match( '/^\w+$/', $p_username ) ) {
+			return false;
+		}
+
+		# We have a valid username
+		return true;
+	}
+
+	# --------------------
+	# Check if the username is a valid username (does not account for uniqueness)
+	# Trigger an error if the username is not valid
+	function user_ensure_name_valid( $p_username ) {
+		if ( ! user_is_name_valid( $p_username ) ) {
+			trigger_error( ERROR_USER_NAME_INVALID, ERROR );
+		}
+	}
+
+	# --------------------
 	# return whether user is monitoring bug for the user id and bug id
 	function user_is_monitoring_bug( $p_user_id, $p_bug_id ) {
 		$c_user_id	= db_prepare_int( $p_user_id );
@@ -207,6 +234,7 @@
 		$c_protected	= db_prepare_bool( $p_protected );
 		$c_enabled		= db_prepare_bool( $p_enabled );
 
+		user_ensure_name_valid( $p_username );
 		user_ensure_name_unique( $p_username );
 		email_ensure_valid( $p_email );
 
@@ -634,6 +662,15 @@
 		email_ensure_valid( $p_email );
 
 		return user_set_field( $p_user_id, 'email', $p_email );
+	}
+
+	# --------------------
+	# Set the user's username to the given string after checking that it is valid
+	function user_set_name( $p_user_id, $p_username ) {
+		user_ensure_name_valid( $p_username );
+		user_ensure_name_unique( $p_username );
+
+		return user_set_field( $p_user_id, 'username', $p_username );
 	}
 
 	# --------------------




