author | Malf Furious <m@lfurio.us> | 2019-01-12 19:10:01 -0500 |
---|---|---|
committer | Malf Furious <m@lfurio.us> | 2019-01-12 19:10:01 -0500 |
commit | 2263cf0953872c09fe1a1158ebb841f74fb9e3ea (patch) | |
tree | 2655fccd0eeff3670ac41d52abdb178dc6c8046a /app | |
parent | 032607b6ca13b7c0a7088a6b52c5fd4492df4bde (diff) | |
download | scrott-2263cf0953872c09fe1a1158ebb841f74fb9e3ea.tar.gz scrott-2263cf0953872c09fe1a1158ebb841f74fb9e3ea.zip |
Define stricter username policy
Previously, you could log into an account named "MyAccount" by entering
either "myaccount" or "MYACCOUNT" (or any other case combination). This
patch requires logins to match the username case-sensitively.
I have also decided that I wish to disallow duplicate usernames if the
only difference between them is case. There can only be _ONE_
"myaccount" (of any case combination), even if he's known canonically as
"MyAccount". This particular functionality is not changed by this
patch. I'm just noting it as a deliberate decision not to change, by
policy.
Note that _passwords_ always have been, and still are, case-sensitive.
They are salted and hashed before they even hit the database.
Signed-off-by: Malf Furious <m@lfurio.us>
Diffstat (limited to 'app')
-rw-r--r-- | app/class/user.class.php | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/app/class/user.class.php b/app/class/user.class.php
index 231111d..7d67257 100644
--- a/app/class/user.class.php
+++ b/app/class/user.class.php
@@ -46,11 +46,12 @@ class user extends agent
      * the username is not in use. Therefore, this function can be
      * used to test the existence of a user with the given username.
      */
-    public static function getGuidByUname(string $uname) : ?string
+    public static function getGuidByUname(string $uname, bool $caseInsens = false) : ?string
     {
         $uname = database::esc($uname);
-        $query = "SELECT guid FROM objects WHERE objtype = 'user' AND name = '" . $uname . "'";
+        $query = "SELECT guid FROM objects WHERE objtype = 'user' AND " .
+            ($caseInsens ? "" : "BINARY ") . "name = '" . $uname . "'";
         $res = database::query($query);
         if (count($res) == 0)
@@ -64,9 +65,9 @@ class user extends agent
      * is not in use. This function can be used to test the existence
      * of a user with the given username.
      */
-    public static function getByUname(string $uname) : ?user
+    public static function getByUname(string $uname, bool $caseInsens = false) : ?user
     {
-        if (($guid = self::getGuidByUname($uname)))
+        if (($guid = self::getGuidByUname($uname, $caseInsens)))
             return new user($guid);
         return NULL;
@@ -190,7 +191,9 @@ class user extends agent
      */
     public static function initNew(string $uname, string $passwd) : ?user
     {
-        if (self::getByUname($uname))
+        /* search is case-insensitive, to make sure no duplicates exist
+         * which differ _only_ by case */
+        if (self::getByUname($uname, true))
             return NULL;
         $user = new user();
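Review bot: The docblock above getGuidByUname is not updated for the new `$caseInsens` parameter, so a caller cannot tell that the default forces a byte-wise match while `true` falls back to whatever collation the `name` column happens to have; add `@param bool $caseInsens  when true, compare using the column's collation (case-insensitive only if that collation is); when false (default), force a BINARY, case-sensitive match`. Because the `true` branch inherits the column collation, the case-insensitive behaviour initNew relies on holds only if that collation is itself case-insensitive — worth stating here or pinning in the schema. The rewritten `$query` also still assembles SQL by concatenating the escaped `$uname`; a parameterised statement would remove the dependence on `database::esc` matching the connection's charset. Both getGuidByUname and getByUname (second hunk, same pattern) continue outside their hunks.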
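Review bot: The duplicate check in initNew (third hunk) is check-then-insert: `self::getByUname($uname, true)` and the insert that follows outside the hunk are not atomic, so two concurrent registrations differing only by case can both pass the check and both be created. The policy described in the commit message is more reliably enforced by a unique index on `objects.name` under a case-insensitive collation (or on a lower-cased copy of the name), with initNew returning NULL when the insert is rejected as a duplicate. The new comment should also record that this search is case-insensitive only if the `name` column's collation is; otherwise the `true` argument has no effect. initNew's body continues past the hunk.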