I'm using v1.4.8 with authtype db and sessiontype cookie. It seems to be allowed to log in with username followed by a blank space as well. When trying do modify the user's bookings this leads to "permission denied" because "username " is not equal "username".
My workaraund was to trim $creator and $user before it is compared in getWritable - seems to work. I think it would be better to deny logins followed by a blank space in future releases.
function getWritable($creator, $user, $room)
// Always allowed to modify your own stuff
if(strcasecmp(trim($creator), trim($user)) == 0)
// Otherwise you have to be a (booking) admin for this room
if (auth_book_admin(trim($user), $room))
// Unathorised access