From 63f17cfc7a9746003de0caebbe9678a7ecda906b Mon Sep 17 00:00:00 2001
From: Tim Van Baak
Date: Thu, 27 May 2021 18:01:37 -0700
Subject: [PATCH] Add more create_user checks

---
 amanuensis/backend/user.py | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/amanuensis/backend/user.py b/amanuensis/backend/user.py
index a9e210b..66b0e98 100644
--- a/amanuensis/backend/user.py
+++ b/amanuensis/backend/user.py
@@ -11,6 +11,10 @@ from amanuensis.db import DbContext, User
 from amanuensis.errors import ArgumentError
 
 
+RE_NO_LETTERS = re.compile(r'^[0-9-_]*$')
+RE_ALPHANUM_DASH_UNDER = re.compile(r'^[A-Za-z0-9-_]*$')
+
+
 def create_user(
     db: DbContext,
     username: str,
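Review bot: Both new patterns anchor with `$`, which in Python's `re` also matches just before a trailing newline, so `'abc\n'` satisfies `RE_ALPHANUM_DASH_UNDER.match(...)` and a username ending in a newline gets past the character-class check; the inline patterns this hunk replaces had the same flaw, but hoisting them is the moment to fix it. Use `\Z` (or `.fullmatch()` at the call sites) and move the dash to the end of the class so it does not depend on the parser treating a `-` after a range as a literal: `RE_NO_LETTERS = re.compile(r'^[0-9_-]*\Z')` and `RE_ALPHANUM_DASH_UNDER = re.compile(r'^[A-Za-z0-9_-]*\Z')`. A short comment above the constants would also help, e.g. `# Username policy: ASCII letters, digits, dash, underscore; must contain at least one letter`. The `create_user` signature continues past the end of this hunk.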
@@ -22,19 +26,30 @@ def create_user(
     Create a new user.
     """
     # Verify username
+    if not isinstance(username, str):
+        raise ArgumentError('Username must be a string')
     if len(username) < 3 or len(username) > 32:
         raise ArgumentError('Username must be between 3 and 32 characters')
-    if re.match(r'^[0-9-_]*$', username):
+    if RE_NO_LETTERS.match(username):
         raise ArgumentError('Username must contain a letter')
-    if not re.match(r'^[A-Za-z0-9-_]*$', username):
+    if not RE_ALPHANUM_DASH_UNDER.match(username):
         raise ArgumentError('Username may only contain alphanumerics, dash, and underscore')
+
     # Verify password
-    if not password:
-        raise ArgumentError('Password must be provided')
+    if not isinstance(password, str):
+        raise ArgumentError('Password must be a string')
+
+    # Verify display name
+    if display_name is not None and not isinstance(display_name, str):
+        raise ArgumentError('Display name must be a string')
     # If display name is not provided, use the username
     if not display_name or not display_name.strip():
         display_name = username
 
+    # Verify email
+    if not isinstance(email, str):
+        raise ArgumentError('Email must be a string')
+
     # Query the db to make sure the username isn't taken
     if db.session.query(func.count(User.id)).filter(User.username == username).scalar() > 0:
         raise ArgumentError('Username is already taken')
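Review bot: Replacing `if not password:` with the isinstance check in the password section drops the rejection of an empty password: `''` is a `str`, so `create_user` now accepts it unless something after this hunk (not visible here) refuses to hash or store it. Keep both conditions: `if not isinstance(password, str) or not password:` / `raise ArgumentError('Password must be a non-empty string')`. The new email check has the same gap, since `''` passes `isinstance(email, str)`; whether that matters depends on how email is used later, which this hunk does not show. If no caller enforces a minimum password length, this is also the place for it. The body of `create_user` continues past the end of this hunk.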