From 50bbd4a6a7294546c0fe3c455f4c728e5d0701d0 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Fri, 30 Sep 2011 18:26:21 -0400 Subject: Move username validation from the Users controller to the Auth model. --- src/controllers/Users.class.php | 12 ++++-------- src/models/Auth.class.php | 13 +++++++++++++ 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/src/controllers/Users.class.php b/src/controllers/Users.class.php index c30461f..1d947e1 100644 --- a/src/controllers/Users.class.php +++ b/src/controllers/Users.class.php @@ -8,8 +8,6 @@ Router::register('users' , 'Users', 'index_dir'); Router::register('users/*' , 'Users', 'individual'); class Users extends Controller { - public static $illegal_names = array('', 'new', 'index'); - // Index Views /////////////////////////////////////////////// public function index($routed, $remainder) { @@ -143,7 +141,7 @@ class Users extends Controller { $vars['errors'] = array(); if ($db->getUID($vars['username'])!==false) $vars['errors'][] = 'user exists'; - if (in_array($vars['username'], self::$illegal_names)) + if (!Auth::isNameLegal($vars['username'])) $vars['errors'][] = 'illegal name'; $matches = ($vars['password1'] == $vars['password2']); if (!$matches) { @@ -187,11 +185,9 @@ class Users extends Controller { if (isset($_POST['auth_name'])) { $new_name = $_POST['auth_name']; if ($new_name != $username) { - if (!in_array($new_name, $this->illegal_names)) { - $changed_name = $user->setName($new_name); - $username = $user->getName(); - $vars['changed name'] = $changed_name; - } + $changed_name = $user->setName($new_name); + $username = $user->getName(); + $vars['changed name'] = $changed_name; } } diff --git a/src/models/Auth.class.php b/src/models/Auth.class.php index 975c25f..25570bf 100644 --- a/src/models/Auth.class.php +++ b/src/models/Auth.class.php @@ -21,6 +21,18 @@ class Auth { } return self::$users[$uid]; } + + public static function isNameLegal($name) { + // Current rules: + // * Not in "$illegal_names" + // * Does not contain '.' + // * Less <256 characters + $illegal_names = array('', 'new', 'index'); + return true + && (!in_array($name, $illegal_names)) + && (strpos($name,'.')===false) + && (strlen($name)<=256); + } protected $db = null; protected $uid = false; @@ -106,6 +118,7 @@ class Auth { } public function setName($new_name) { if (!$this->canEdit()) return false; + if (!self::isNameLegal($new_name)) return false; return $this->db->setUsername($this->uid, $new_name); } -- cgit v1.2.3-2-g168b