Updated username validation rules

Author: felixoi

spongeauth/accounts/models.py

@@ -23,28 +23,22 @@ def validate_username(username):
         errs.append(ValidationError(
             _('Username must be at least 3 characters long.'),
             code='username_min_length'))
-    if re.search(r'[^\w.-]', username):
+    if re.search(r'[^\w-]', username):
         errs.append(ValidationError(
-            _('Username must only include numbers, letters, and underscores.'),
+            _('Username must only include numbers, letters, underscores and dashes.'),
             code='username_charset'))
     if re.search(r'\W', username[0]):
         errs.append(ValidationError(
-            _('Username must begin with a number, letter or underscore.'),
+            _('Username must begin with a letter, number or underscore.'),
             code='username_initial_charset'))
-    if re.search(r'[^A-Za-z0-9]', username[-1]):
+    if re.search(r'\W', username[-1]):
         errs.append(ValidationError(
-            _('Username must end with a letter or number.'),
+            _('Username must end with a letter, number or underscore.'),
             code='username_ending_charset'))
-    if re.search(r'[-_.]{2,}', username):
+    if re.search(r'[^A-Za-z0-9]{2,}', username):
         errs.append(ValidationError(
             _('Username must not contain two special characters in a row.'),
             code='username_double_special'))
-    if re.search(
-            r'\.(js|json|css|htm|html|xml|jpg|jpeg|png|gif|bmp|ico|tif|tiff|woff)$',
-            username):
-        errs.append(ValidationError(
-            _('Username must not end with a confusing file suffix.'),
-            code='username_file_suffix'))
     if errs:
         raise ValidationError(errs)
 

spongeauth/accounts/tests/test_admin.py

@@ -28,7 +28,7 @@ def make_post_data(self, user, **kwargs):
         return post_data
 
     def test_does_not_validate_username_if_it_is_unchanged(self):
-        user = factories.UserFactory.create(username='ewoutvs_')
+        user = factories.UserFactory.create(username='ewoutvs__')
         post_data = self.make_post_data(user)
         form = admin.AdminUserChangeForm(post_data, instance=user)
         form.save()
@@ -42,7 +42,7 @@ def test_does_validate_username_if_it_changes(self):
 
     def test_validates_username(self):
         user = factories.UserFactory.create()
-        post_data = self.make_post_data(user, username='ewoutvs_')
+        post_data = self.make_post_data(user, username='ewoutvs__')
         form = admin.AdminUserChangeForm(post_data, instance=user)
         with pytest.raises(ValueError):
             form.save()

spongeauth/accounts/tests/test_username_validation.py

@@ -9,15 +9,16 @@
 BAD_EXAMPLES = [
     ("lukegb", []),
     ("_lukegb", []),
+    ("_lukegb_", []),
     ("a", ['username_min_length']),
-    ("__", ['username_double_special', 'username_min_length', 'username_ending_charset']),
-    ("._", ['username_double_special', 'username_min_length', 'username_ending_charset', 'username_initial_charset']),
+    ("__", ['username_double_special', 'username_min_length']),
+    ("._", ['username_double_special', 'username_min_length', 'username_charset', 'username_initial_charset']),
     ("\N{SNOWMAN}", ['username_charset', 'username_min_length', 'username_ending_charset', 'username_initial_charset']),
-    (".png", ['username_file_suffix', 'username_initial_charset']),
-    ("lukegb.png", ['username_file_suffix']),
+    (".png", ['username_charset', 'username_initial_charset']),
+    ("lukegb.png", ['username_charset']),
     ("luke__gb", ['username_double_special']),
-    ("luke_.gb", ['username_double_special']),
-    ("lukegb_", ['username_ending_charset']),
+    ("luke_.gb", ['username_charset', 'username_double_special']),
+    ("lukegb-", ['username_ending_charset']),
     ("-lukegb", ['username_initial_charset']),
 ]
 

spongeauth/spongeauth/urls.py

@@ -34,7 +34,7 @@
     url(r'^admin/', admin.site.urls),
     url(r'^accounts/', include(accounts.urls, 'accounts')),
     url(r'^2fa/', include(twofa.urls, 'twofa')),
-    url(r'^avatar/(?P<username>[A-Za-z_0-9]+)/?$', avatar_for_user, name='avatar-for-user'),
+    url(r'^avatar/(?P<username>[^/]+)/?$', avatar_for_user, name='avatar-for-user'),
     url(r'^sso/', include(sso.urls, 'sso')),
     url(r'^$', index, name='index'),
     url(r'^api/', include(api.urls, 'api')),