From 50bbd4a6a7294546c0fe3c455f4c728e5d0701d0 Mon Sep 17 00:00:00 2001
From: Luke Shumaker <LukeShu@sbcglobal.net>
Date: Fri, 30 Sep 2011 18:26:21 -0400
Subject: Move username validation from the Users controller to the Auth model.

---
 src/controllers/Users.class.php | 12 ++++--------
 src/models/Auth.class.php       | 13 +++++++++++++
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/controllers/Users.class.php b/src/controllers/Users.class.php
index c30461f..1d947e1 100644
--- a/src/controllers/Users.class.php
+++ b/src/controllers/Users.class.php
@@ -8,8 +8,6 @@ Router::register('users'      , 'Users', 'index_dir');
 Router::register('users/*'    , 'Users', 'individual');
 
 class Users extends Controller {
-	public static $illegal_names = array('', 'new', 'index');
-	
 	// Index Views ///////////////////////////////////////////////
 	
 	public function index($routed, $remainder) {
@@ -143,7 +141,7 @@ class Users extends Controller {
 		$vars['errors'] = array();
 		if ($db->getUID($vars['username'])!==false)
 			$vars['errors'][] = 'user exists';
-		if (in_array($vars['username'], self::$illegal_names))
+		if (!Auth::isNameLegal($vars['username']))
 			$vars['errors'][] = 'illegal name';
 		$matches = ($vars['password1'] == $vars['password2']);
 		if (!$matches) {
@@ -187,11 +185,9 @@ class Users extends Controller {
 		if (isset($_POST['auth_name'])) {
 			$new_name = $_POST['auth_name'];
 			if ($new_name != $username) {
-				if (!in_array($new_name, $this->illegal_names)) {
-					$changed_name = $user->setName($new_name);
-					$username = $user->getName();
-					$vars['changed name'] = $changed_name;
-				}
+				$changed_name = $user->setName($new_name);
+				$username = $user->getName();
+				$vars['changed name'] = $changed_name;
 			}
 		}
 		
diff --git a/src/models/Auth.class.php b/src/models/Auth.class.php
index 975c25f..25570bf 100644
--- a/src/models/Auth.class.php
+++ b/src/models/Auth.class.php
@@ -21,6 +21,18 @@ class Auth {
 		}
 		return self::$users[$uid];
 	}
+
+	public static function isNameLegal($name) {
+		// Current rules:
+		// * Not in "$illegal_names"
+		// * Does not contain '.'
+		// * Less <256 characters
+		$illegal_names = array('', 'new', 'index');
+		return true
+			&& (!in_array($name, $illegal_names))
+			&& (strpos($name,'.')===false)
+			&& (strlen($name)<=256);
+	}
 	
 	protected $db = null;
 	protected $uid = false;
@@ -106,6 +118,7 @@ class Auth {
 	}
 	public function setName($new_name) {
 		if (!$this->canEdit()) return false;
+		if (!self::isNameLegal($new_name)) return false;
 		return $this->db->setUsername($this->uid, $new_name);
 	}
 	
-- 
cgit v1.2.3