Add validation to prevent update of a user or member to an invalid username (13) (#18261)

* Add validation to prevent update of a user or member to an invalid username.

* Avoid password manager updates of user name field on user details screen.

Author: AndyButland

src/Umbraco.Web.BackOffice/Controllers/MemberController.cs

@@ -723,6 +723,17 @@ private async Task<bool> ValidateMemberDataAsync(MemberSave contentItem)
             return false;
         }
 
+        // User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create
+        // as the setting is applied to the IdentityOptions, but we need to check ourselves for updates.
+        var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;
+        if (contentItem.Username.Any(c => allowedUserNameCharacters.Contains(c) == false))
+        {
+            ModelState.AddPropertyError(
+                new ValidationResult("Username contains invalid characters"),
+                $"{Constants.PropertyEditors.InternalGenericPropertiesPrefix}login");
+            return false;
+        }
+
         if (contentItem.Password != null && !contentItem.Password.NewPassword.IsNullOrWhiteSpace())
         {
             IdentityResult validPassword = await _memberManager.ValidatePasswordAsync(contentItem.Password.NewPassword);

src/Umbraco.Web.BackOffice/Controllers/UsersController.cs

@@ -714,6 +714,15 @@ private async Task SendUserInviteEmailAsync(UserBasic? userDisplay, string? from
 
         var hasErrors = false;
 
+        // User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create
+        // as the setting is applied to the BackOfficeIdentityOptions, but we need to check ourselves for updates.
+        var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;
+        if (userSave.Username.Any(c => allowedUserNameCharacters.Contains(c) == false))
+        {
+            ModelState.AddModelError("Username", "Username contains invalid characters");
+            hasErrors = true;
+        }
+
         // we need to check if there's any Deny Local login providers present, if so we need to ensure that the user's email address cannot be changed
         var hasDenyLocalLogin = _externalLogins.HasDenyLocalLogin();
         if (hasDenyLocalLogin)

src/Umbraco.Web.UI.Client/src/views/users/views/user/details.html

@@ -1,4 +1,4 @@
-<div ng-controller="Umbraco.Editors.Users.DetailsController as vm" class="umb-user-details-details">
+<div ng-controller="Umbraco.Editors.Users.DetailsController as vm" class="umb-user-details-details">
 
     <div class="umb-user-details-details__main-content">
 
@@ -45,6 +45,8 @@
                                ng-model="model.user.username"
                                umb-auto-focus name="username"
                                required
+                               autocomplete="off"
+                               no-password-manager
                                val-server-field="Username" />
                         <span ng-messages="userProfileForm.username.$error" show-validation-on-submit>
                             <span class="help-inline" ng-message="required"><localize key="general_required">Required</localize></span>