
Only trim username whitespace if context specifies

I didn't like that the previous change made it possible to *always* have
leading/trailing whitespace around a username. For example, it made it
so that you could go to "/user/ Deimos" and still see my user page
because of the leading space being trimmed. This change makes the
trimming opt-in: a flag must be set explicitly in the UserSchema context
to enable it, and only the login view does so.
merge-requests/55/head
Deimos 6 years ago
parent
commit
0c43b068fa
  1. 11
      tildes/tildes/schemas/user.py
  2. 6
      tildes/tildes/views/login.py

11
tildes/tildes/schemas/user.py

@ -93,12 +93,17 @@ class UserSchema(Schema):
raise ValidationError("That password exists in a data breach (see sidebar)") raise ValidationError("That password exists in a data breach (see sidebar)")
@pre_load @pre_load
def prepare_username(self, data: dict) -> dict:
"""Prepare the username value before it's validated."""
def username_trim_whitespace(self, data: dict) -> dict:
"""Trim leading/trailing whitespace around the username.
Requires username_trim_whitespace be True in the schema's context.
"""
if not self.context.get("username_trim_whitespace"):
return data
if "username" not in data: if "username" not in data:
return data return data
# strip any leading/trailing whitespace
data["username"] = data["username"].strip() data["username"] = data["username"].strip()
return data return data
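Review bot: The trimming path at `data["username"] = data["username"].strip()` still assumes the value is a str; now that the hook only runs for the login view, a non-string value in the request body (a JSON array, for instance, if the parser accepts one) would raise `AttributeError` inside the `@pre_load` hook instead of surfacing as a `ValidationError`. A guard such as `if not isinstance(data.get("username"), str): return data` keeps the failure inside the schema's normal error reporting. The docstring could also record why the flag is opt-in, e.g. `Kept opt-in so path-based lookups such as /user/<name> never normalize the value.`, which is the motivation given in the commit message. The enclosing `UserSchema` class continues outside the hunk.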

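--- a/tildes/tildes/views/login.py
+++ b/tildes/tildes/views/login.py
@@ -49,7 +49,11 @@ def finish_login(request: Request, user: User) -> None:
 @view_config(
     route_name="login", request_method="POST", permission=NO_PERMISSION_REQUIRED
 )
-@use_kwargs(UserSchema(only=("username", "password"), strict=True))
+@use_kwargs(
+    UserSchema(
+        only=("username", "password"), context={"username_trim_whitespace": True}
+    )
+)
 @not_logged_in
 @rate_limit_view("login")
 def post_login(request: Request, username: str, password: str) -> HTTPFound: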
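Review bot: The rewritten `@use_kwargs(...)` decorator drops the `strict=True` argument that the removed line passed to `UserSchema`, and the commit description does not mention this. If the project relies on marshmallow's strict mode to turn validation errors into an exception before `post_login` runs, losing it could let an invalid username/password pair reach the view with the errors discarded; I cannot tell from this hunk whether the schema or `use_kwargs` enforces strictness by default. Either keep it, `only=("username", "password"), context={"username_trim_whitespace": True}, strict=True`, or add a short comment stating why it is no longer needed. `post_login`'s body continues outside the hunk.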
