When registering need to validate login name.

I suggest preventing at least ',' but probably also space.

See: http://psf.upfronthosting.co.za/roundup/meta/issue583

Also need to limit for any username change (e.g. editing via the user
admin page).

Should this be an auditor or should it go in core?

-- rouilj

Login name of <b>demo</b> is allowed. Probably should restrict
login name to match [A-z0-9_.-]+ (C locale).

Although we do html encode things, probably better to sanitize
the login name at least.

On Wed, Jul 20, 2016 at 01:11:38AM +0000, John Rouillard wrote:
> 
> John Rouillard added the comment:
> 
> Login name of <b>demo</b> is allowed. Probably should restrict
> login name to match [A-z0-9_.-]+ (C locale).
> 
> Although we do html encode things, probably better to sanitize
> the login name at least.

Good idea to limit the chars we allow in usernames.
Please allow "@", I have a tracker where we use the email address as
username (and authenticate against an IMAP server) for a simple helpdesk
application.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com

Trawling the roundup code, the user class is just like any other class.
There is no special status/handling/choke points for the user class.

To do this I think I have to create an auditor on the user class to
validate the username. 

My plan was to allow the user to specify a regexp to validate the
attribute against (setting in tracker/config.ini).

(By default the regexp would allow all possible characters in an email
address so: rouilj-1+mya_ddr@users.example.com should be possible.
(I am also considering allowing % ! and $ in case there are uucp,
csnet or bitnet addresses out there 8-)).

However this is such a fundamental check, I wonder if I need to
implement it as a permanent auditor that is coded into hyperdb.py
or roundupdb.py somehow. I don't see any support for this type of
permanent auditor in existing code.

Also this idea kind of flies in the face of the requirement for the
trackers to define business logic. So you can cause roundup to
act weird is we get invalid chars into usernames

Anybody got a suggestion here?

I created an auditor in my tracker. Recording the details here in case
they are useful before we get the core fixed:

in existing userauditor.py added:

valid_username = re.compile('^[a-z0-9_@!%.-]+$', re.IGNORECASE)

at the top of the file.

Added to audit_user_fields:

    if 'username' in newvalues:
        if not valid_username.match(newvalues['username']):
            raise ValueError, "Username/Login Name must consist only of
the letters a-z (any case), digits 0-9 and the symbols: @._-!%"invalid
"%s"'%address


This should allow email addresses as usernames.

Updated userauditor.py in all templates with a changed regexp
from note below:

  valid_username = re.compile('^[a-z0-9_@!%.+-]+$', re.IGNORECASE)

Now includes +. 

Updated upgrading.txt, added tests.