From 2263cf0953872c09fe1a1158ebb841f74fb9e3ea Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Sat, 12 Jan 2019 19:10:01 -0500 Subject: Define stricter username policy Previously, you could log into an account named "MyAccount" by entering either "myaccount" or "MYACCOUNT" (or any other case conbination). This patch requires logins to succeed with case-sensitive usernames. I have also decided, that I wish to disallow duplicate usernames if the only difference between them is case. There can only be _ONE_ "myaccount" (of any case combination), even if he's known canonically as "MyAccount". This particular functionality is not changed by this patch. I'm just noting it as a deliberate decision not to change, by policy. Note that _passwords_ always have been, and still are, case-sensitive. They are salted and hashed before they even hit the database. Signed-off-by: Malf Furious --- app/class/user.class.php | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/app/class/user.class.php b/app/class/user.class.php index 231111d..7d67257 100644 --- a/app/class/user.class.php +++ b/app/class/user.class.php @@ -46,11 +46,12 @@ class user extends agent * the username is not in use. Therefore, this function can be * used to test the existence of a user with the given username. */ - public static function getGuidByUname(string $uname) : ?string + public static function getGuidByUname(string $uname, bool $caseInsens = false) : ?string { $uname = database::esc($uname); - $query = "SELECT guid FROM objects WHERE objtype = 'user' AND name = '" . $uname . "'"; + $query = "SELECT guid FROM objects WHERE objtype = 'user' AND " . + ($caseInsens ? "" : "BINARY ") . "name = '" . $uname . "'"; $res = database::query($query); if (count($res) == 0) @@ -64,9 +65,9 @@ class user extends agent * is not in use. This function can be used to test the existence * of a user with the given username. */ - public static function getByUname(string $uname) : ?user + public static function getByUname(string $uname, bool $caseInsens = false) : ?user { - if (($guid = self::getGuidByUname($uname))) + if (($guid = self::getGuidByUname($uname, $caseInsens))) return new user($guid); return NULL; @@ -190,7 +191,9 @@ class user extends agent */ public static function initNew(string $uname, string $passwd) : ?user { - if (self::getByUname($uname)) + /* search is case-insensitive, to make sure no duplicates exist + * which differ _only_ by case */ + if (self::getByUname($uname, true)) return NULL; $user = new user(); -- cgit v1.2.3