summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEvan Prodromou <evan@controlezvous.ca>2008-06-22 14:04:37 -0400
committerEvan Prodromou <evan@controlezvous.ca>2008-06-22 14:04:37 -0400
commitd758c117843dec04b061263095baeea7697b05a4 (patch)
tree5a5ebdc416f86449948f223a769c108e86711022
parenta69dbe7cd541ca054fea6239efce098a7111416a (diff)
disallow nicknames on a blacklist
darcs-hash:20080622180437-34904-4b6313f6fd8845232031663c5c2df00dff725183.gz
-rw-r--r--actions/finishopenidlogin.php8
-rw-r--r--actions/profilesettings.php2
-rw-r--r--actions/register.php2
-rw-r--r--classes/User.php8
-rw-r--r--config.php.sample3
-rw-r--r--lib/common.php4
6 files changed, 26 insertions, 1 deletions
diff --git a/actions/finishopenidlogin.php b/actions/finishopenidlogin.php
index 27e5057ec..fe9894e52 100644
--- a/actions/finishopenidlogin.php
+++ b/actions/finishopenidlogin.php
@@ -167,6 +167,11 @@ class FinishopenidloginAction extends Action {
$this->show_form(_t('Nickname must have only letters and numbers and no spaces.'));
return;
}
+
+ if (!User::allowed_nickname($nickname)) {
+ $this->show_form(_t('Nickname not allowed.'));
+ return;
+ }
if (User::staticGet('nickname', $nickname)) {
$this->show_form(_t('Nickname already in use. Try another one.'));
@@ -338,6 +343,9 @@ class FinishopenidloginAction extends Action {
'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) {
return false;
}
+ if (!User::allowed_nickname($str)) {
+ return false;
+ }
if (User::staticGet('nickname', $str)) {
return false;
}
diff --git a/actions/profilesettings.php b/actions/profilesettings.php
index 6764ad288..b6e24c729 100644
--- a/actions/profilesettings.php
+++ b/actions/profilesettings.php
@@ -88,6 +88,8 @@ class ProfilesettingsAction extends SettingsAction {
'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) {
$this->show_form(_t('Nickname must have only letters and numbers and no spaces.'));
return;
+ } else if (!User::allowed_nickname($nickname)) {
+ $this->show_form(_t('Not a valid nickname.'));
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
!Validate::uri($homepage, array('allowed_schemes' => array('http', 'https')))) {
$this->show_form(_t('Homepage is not a valid URL.'));
diff --git a/actions/register.php b/actions/register.php
index 31c8fea70..16e80ef17 100644
--- a/actions/register.php
+++ b/actions/register.php
@@ -57,6 +57,8 @@ class RegisterAction extends Action {
$this->show_form(_t('Nickname must have only lowercase letters and numbers and no spaces.'));
} else if ($this->nickname_exists($nickname)) {
$this->show_form(_t('Nickname already exists.'));
+ } else if (!User::allowed_nickname($nickname)) {
+ $this->show_form(_t('Not a valid nickname.'));
} else if ($this->email_exists($email)) {
$this->show_form(_t('Email address already exists.'));
} else if ($password != $confirm) {
diff --git a/classes/User.php b/classes/User.php
index 0e7fd5447..e735457f9 100644
--- a/classes/User.php
+++ b/classes/User.php
@@ -83,4 +83,12 @@ class User extends DB_DataObject
' WHERE id = ' . $this->id;
return $this->query($qry);
}
+
+ function allowed_nickname($nickname) {
+ # XXX: should already be validated for size, content, etc.
+ static $blacklist = array('rss', 'xrds', 'doc', 'main',
+ 'settings', 'notice', 'user');
+ $merged = array_merge($blacklist, common_config('nickname', 'blacklist'));
+ return !in_array($nickname, $merged);
+ }
}
diff --git a/config.php.sample b/config.php.sample
index bfd1da8ce..8253bdeed 100644
--- a/config.php.sample
+++ b/config.php.sample
@@ -33,3 +33,6 @@ $config['db']['database'] = 'mysql://laconica:microblog@localhost/laconica';
#session_set_cookie_params(0, '/'. $config['site']['path'] .'/');
+#Standard fancy-url clashes prevented by not allowing nicknames on a blacklist
+#Add your own here. Note: empty array by default
+#$config['nickname']['blacklist'][] = 'scobleizer';
diff --git a/lib/common.php b/lib/common.php
index 83b56dcee..2853c56e3 100644
--- a/lib/common.php
+++ b/lib/common.php
@@ -54,7 +54,9 @@ $config =
'image' => 'http://i.creativecommons.org/l/by/3.0/88x31.png'),
'mail' =>
array('backend' => 'mail',
- 'params' => NULL)
+ 'params' => NULL),
+ 'nickname' =>
+ array('blacklist' => array())
);
$config['db'] = &PEAR::getStaticProperty('DB_DataObject','options');