Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check for valid renamed usernames #2077

Merged
merged 5 commits into from
Jul 1, 2017
Merged

Check for valid renamed usernames #2077

merged 5 commits into from
Jul 1, 2017

Conversation

ethantkoenig
Copy link
Member

@ethantkoenig ethantkoenig commented Jun 28, 2017
edited
Loading

Fixes #2066 and #2061.

@lafriks
Copy link
Member

lafriks commented Jun 28, 2017

LGTM

@tboerger tboerger added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jun 28, 2017
@lafriks
Copy link
Member

lafriks commented Jun 28, 2017

May be add integration test?

@lunny lunny added this to the 1.2.0 milestone Jun 28, 2017
@lunny lunny added the type/bug label Jun 28, 2017
@lunny
Copy link
Member

lunny commented Jun 28, 2017

LGTM otherwise @lafriks 's comment.

@tboerger tboerger added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 28, 2017
@ethantkoenig
Copy link
Member Author

@lafriks @lunny Integration test added 😄

@lafriks
Copy link
Member

lafriks commented Jun 28, 2017

Awsome 👍

bkcsoft
bkcsoft suggested changes Jun 28, 2017
View reviewed changes
integrations/user_test.go Outdated
htmlDoc := NewHTMLParser(t, resp.Body)
req = NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
"_csrf": htmlDoc.GetCSRF(),
"name": "%2f*", // not valid
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add more tests here? The original issue lists a bunch of cases that we should guard against 🤔

tests := []string{ ... }
for test := range tests {
  t.Logf("testing %q", test)
  req = NewRequest...("POST" ...)
  [...]
  models.AssertNot...
}

( ☝️ Table-driven testing 🙂 https://blog.golang.org/subtests )

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be also nice to have valid user name change test

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added all invalid cases from #2066, and a reserved username test, and a valid username test.

bkcsoft
bkcsoft reviewed Jun 29, 2017
View reviewed changes
integrations/user_test.go
assert.Contains(t,
htmlDoc.doc.Find(".ui.negative.message").Text(),
i18n.Tr("en", "user.newName_reserved"),
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

now you have 3 identical loops, have them be a common function like so testUpdateUser(t *testing.T, username, email string, code http.StatusCode) 🙂

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bkcsoft They're not identical. A lot of the setup code (e.g. getting the CSRF token) is shared, but once you make the POST /user/settings request, they have little in common (different status codes, may or may not have to follow a redirect, may or may not check for whether rename succeeded, have to check for different error messages).

The boilerplate setup code is also shared with tests from other files, so IMO the best solution is to add helper functions for things like getting a CSRF token.

@lafriks
Copy link
Member

lafriks commented Jun 29, 2017

Please also add test case for username with space so that #2061 can be also closed

@ethantkoenig
Copy link
Member Author

@lafriks Done

@lunny
Copy link
Member

lunny commented Jun 30, 2017

need @bkcsoft approval.

lafriks
lafriks reviewed Jun 30, 2017
View reviewed changes
modules/auth/user_form.go Outdated
@@ -100,7 +100,7 @@ func (f *SignInForm) Validate(ctx *macaron.Context, errs binding.Errors) binding

// UpdateProfileForm form for updating profile
type UpdateProfileForm struct {
Name string `binding:"OmitEmpty;MaxSize(35)"`
Name string `binding:"OmitEmpty;AlphaDashDot;MaxSize(35)"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is also needs to be Required

@lafriks
Copy link
Member

lafriks commented Jun 30, 2017
edited
Loading

Related gogs/gogs@e6dbfd9
https://www.sourceclear.com/registry/security/cross-site-scripting-xss-/go/sid-4456

@lafriks
Copy link
Member

lafriks commented Jul 1, 2017

@bkcsoft need your approval

@lafriks lafriks merged commit fea902a into go-gitea:master Jul 1, 2017
@ethantkoenig ethantkoenig deleted the fix/username branch July 3, 2017 23:10
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lafriks lafriks lafriks left review comments

@bkcsoft bkcsoft bkcsoft approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Projects
None yet
Milestone
1.2.0
Development

Successfully merging this pull request may close these issues.

Bad, and possibly unsafe usernames
5 participants
@ethantkoenig @lafriks @lunny @bkcsoft @tboerger