FIX: min/max username length limits weren't validated (#17382)

* FIX: min/max username length limits weren't validated The custom validators introduced in e0d7cda made so we ignored the mix and max values set on site_settings.yml. That change allowed admins to set values outside of the range defined on the yaml file. Related to https://meta.discourse.org/t/group-names-with-more-than-60-characters-broken/232115?u=falco Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2025-05-22 22:43:33 +08:00 · 2022-07-08 12:00:47 -03:00
parent 4c1b8e736d
commit 75e40baa64
6 changed files with 61 additions and 8 deletions
--- a/lib/validators/max_username_length_validator.rb
+++ b/lib/validators/max_username_length_validator.rb
@ -1,18 +1,26 @@
 # frozen_string_literal: true

 class MaxUsernameLengthValidator
+  MAX_USERNAME_LENGTH_RANGE = 8..60
+
  def initialize(opts = {})
    @opts = opts
  end

  def valid_value?(value)
+    if !MAX_USERNAME_LENGTH_RANGE.cover?(value)
+      @max_range_violation = true
+      return false
+    end
    return false if value < SiteSetting.min_username_length
    @username = User.where('length(username) > ?', value).pluck_first(:username)
    @username.blank?
  end

  def error_message
-    if @username.blank?
+    if @max_range_violation
+      I18n.t('site_settings.errors.invalid_integer_min_max', min: MAX_USERNAME_LENGTH_RANGE.begin, max: MAX_USERNAME_LENGTH_RANGE.end)
+    elsif @username.blank?
      I18n.t("site_settings.errors.max_username_length_range")
    else
      I18n.t("site_settings.errors.max_username_length_exists", username: @username)
--- a/lib/validators/min_username_length_validator.rb
+++ b/lib/validators/min_username_length_validator.rb
@ -1,18 +1,26 @@
 # frozen_string_literal: true

 class MinUsernameLengthValidator
+  MIN_USERNAME_LENGTH_RANGE = 1..60
+
  def initialize(opts = {})
    @opts = opts
  end

  def valid_value?(value)
+    if !MIN_USERNAME_LENGTH_RANGE.cover?(value)
+      @min_range_violation = true
+      return false
+    end
    return false if value > SiteSetting.max_username_length
    @username = User.where('length(username) < ?', value).pluck_first(:username)
    @username.blank?
  end

  def error_message
-    if @username.blank?
+    if @min_length_violation
+      I18n.t('site_settings.errors.invalid_integer_min_max', min: MIN_USERNAME_LENGTH_RANGE.begin, max: MIN_USERNAME_LENGTH_RANGE.end)
+    elsif @username.blank?
      I18n.t("site_settings.errors.min_username_length_range")
    else
      I18n.t("site_settings.errors.min_username_length_exists", username: @username)