From 0c43b068fa247716b5456c0f2b62aed8ab4a743c Mon Sep 17 00:00:00 2001
From: Deimos
Date: Mon, 4 Feb 2019 17:23:16 -0700
Subject: [PATCH] Only trim username whitespace if context specifies
I didn't like that the previous change made it possible to *always* have leading/trailing whitespace around a username. For example, it made it so that you could go to "/user/ Deimos" and still see my user page because of the leading space being trimmed. This makes it so that you have to manually set a flag in the UserSchema context to enable the trimming, and then only does that on the login view.
---
 tildes/tildes/schemas/user.py | 11 ++++++++---
 tildes/tildes/views/login.py | 6 +++++-
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/tildes/tildes/schemas/user.py b/tildes/tildes/schemas/user.py
index 6747ebc..e6f99f5 100644
--- a/tildes/tildes/schemas/user.py
+++ b/tildes/tildes/schemas/user.py
@@ -93,12 +93,17 @@ class UserSchema(Schema):
 raise ValidationError("That password exists in a data breach (see sidebar)")
 @pre_load
- def prepare_username(self, data: dict) -> dict:
- """Prepare the username value before it's validated."""
+ def username_trim_whitespace(self, data: dict) -> dict:
+ """Trim leading/trailing whitespace around the username.
+
+ Requires username_trim_whitespace be True in the schema's context.
+ """
+ if not self.context.get("username_trim_whitespace"):
+ return data
+
 if "username" not in data:
 return data
- # strip any leading/trailing whitespace
 data["username"] = data["username"].strip()
 return data
diff --git a/tildes/tildes/views/login.py b/tildes/tildes/views/login.py
index f6bfb2b..9b63992 100644
--- a/tildes/tildes/views/login.py
+++ b/tildes/tildes/views/login.py
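Review bot: `data["username"].strip()` at the end of the new `username_trim_whitespace` hook assumes the submitted value is already a string, but a `@pre_load` hook runs before field validation, so if the request body can carry a non-string username (for example a JSON array or number, depending on which locations the parser accepts) the call raises AttributeError and the login request fails with a server error instead of a validation error. Replace the membership test and the strip with a type check: `username = data.get("username")`, `if isinstance(username, str):`, `data["username"] = username.strip()`, then `return data` as before, so a non-string value is left for the field validator to reject. The context-flag gate added at the top of the hook is unaffected by this. The enclosing `UserSchema` class begins outside the hunk.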
@@ -49,7 +49,11 @@ def finish_login(request: Request, user: User) -> None:
 @view_config(
 route_name="login", request_method="POST", permission=NO_PERMISSION_REQUIRED
 )
-@use_kwargs(UserSchema(only=("username", "password"), strict=True))
+@use_kwargs(
+ UserSchema(
+ only=("username", "password"), context={"username_trim_whitespace": True}
+ )
+)
 @not_logged_in
 @rate_limit_view("login")
 def post_login(request: Request, username: str, password: str) -> HTTPFound:
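Review bot: The rewritten `@use_kwargs` decorator drops `strict=True` from the `UserSchema(...)` call while adding the `context` argument, and neither the hunk nor the commit message explains that removal. Unless `UserSchema.Meta` sets `strict = True` or the webargs version in use forces strict loading (neither is visible here), a non-strict marshmallow 2 schema reports validation errors instead of raising them, so malformed login input could reach `post_login` with missing or unvalidated kwargs on the one view where input checking matters most. Keep the flag explicit alongside the new context: `only=("username", "password"), strict=True, context={"username_trim_whitespace": True},` in place of the new `only=...` line, or state in the commit message why it is no longer needed. The body of `post_login` lies outside the hunk.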