From f798bb5d7defaa03fe63d00d193ae04312ef057d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lera=20Elvo=C3=A9?=
Date: Sun, 19 Apr 2026 07:17:07 +0300
Subject: [PATCH] add forbidden usernames
---
 app/auth.py | 16 +++++++++++++++-
 app/routes/threads.py | 2 +-
 app/routes/users.py | 9 ++++++---
 3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/app/auth.py b/app/auth.py
index fb68f7a..4e52dc5 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -8,6 +8,17 @@ import re
 ph = PasswordHasher()
+FORBIDDEN_USERNAMES = (
+ 'administrator', 'administration', 'administrators',
+ 'system',
+ 'mod', 'moderator', 'moderators', 'moderation',
+ 'deleted-user', 'deleted_user',
+ 'support',
+ #routes
+ 'log-in', 'log_in', 'login',
+ 'sign-up', 'sign_up', 'signup',
+)
+
 def digest(password):
 return ph.hash(password)
@@ -50,8 +61,11 @@ def parse_username(username: str) -> Tuple[str, str]:
 if len(username) < 3:
 raise ValueError
+ if username.lower() in FORBIDDEN_USERNAMES:
+ raise ValueError
+
 invalid_regex = r'[^a-zA-Z0-9_-]'
- return username, re.sub(invalid_regex, '_', username.lower())[:24]
+ return re.sub(invalid_regex, '_', username.lower())[:24], username
 def is_password_valid(password: str) -> bool:
 return re.match(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,255}$', password) is not None
diff --git a/app/routes/threads.py b/app/routes/threads.py
index b2c23f3..7db0c3d 100644
--- a/app/routes/threads.py
+++ b/app/routes/threads.py
@@ -51,7 +51,7 @@ def reply(slug):
 def feed(slug):
 return 'stub'
-@bp.get('/new')
+@bp.get('/new/')
 @login_required
 def new():
 topics = Topics.select()
diff --git a/app/routes/users.py b/app/routes/users.py
index 61edaf7..e79ca5b 100644
--- a/app/routes/users.py
+++ b/app/routes/users.py
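Review bot: FORBIDDEN_USERNAMES reserves 'administrator', 'administration' and 'administrators' but not the bare 'admin', which is the handle most likely to be used for impersonation, and 'mod' has no 'mods' counterpart although 'moderators' is listed; consider `'admin', 'admins', 'mods',` next to their siblings. Since the tuple is only used for membership tests, a `frozenset` states that intent and keeps the `in` check constant-time, `FORBIDDEN_USERNAMES = frozenset({...})`. The `#routes` comment would be clearer as `# reserved so that a user page cannot shadow these route paths`, which is presumably why 'log-in' and 'sign-up' are listed.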
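Review bot: The reserved-name test added to parse_username compares the raw `username.lower()`, but the value the function returns is the `re.sub`-normalised form, so an input whose canonical spelling is reserved gets through — e.g. `'log in'` or `'sign.up'` normalise to the forbidden `'log_in'` / `'sign_up'` unless a check outside this hunk already rejects such characters. Computing the normalised name first and testing both forms closes that gap; the rewrite is below. The same hunk also swaps the return order to `(normalised, original)`, which changes the contract of every caller that unpacks the tuple, and those callers are outside this hunk (the users.py hunk in this commit only stores `username_pair`), so please confirm they were updated. A reason on the exception, `raise ValueError('username is reserved')`, would also make the except-branch in users.py easier to diagnose from logs. parse_username's body begins before this hunk.
```python
    # … unchanged: length check …
    invalid_regex = r'[^a-zA-Z0-9_-]'
    normalised = re.sub(invalid_regex, '_', username.lower())[:24]
    # test the canonical form as well, so that normalisation cannot map an
    # accepted input onto a reserved name
    if username.lower() in FORBIDDEN_USERNAMES or normalised in FORBIDDEN_USERNAMES:
        raise ValueError('username is reserved')
    return normalised, username
```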
@@ -50,7 +50,7 @@ def sign_up():
 @redirect_if_logged_in()
 def sign_up_post():
 generic_error_page = redirect(url_for('.sign_up', error='The username or password you entered is invalid.'))
- user_exists_error_page = redirect(url_for('.sign_up', error='This username is already taken. Please pick another.'))
+ invalid_username_error_page = redirect(url_for('.sign_up', error='This username cannot be used. Please pick another.'))
 passwords_error_page = redirect(url_for('.sign_up', error='The passwords do not match.'))
 username = request.form.get('username', default='')
 if not username:
@@ -59,10 +59,13 @@ def sign_up_post():
 return generic_error_page
 if len(request.form.getlist('password')) != 2:
 return passwords_error_page
- username_pair = parse_username(username)
+ try:
+ username_pair = parse_username(username)
+ except ValueError:
+ return invalid_username_error_page
 potential_user = Users.find({'username': username})
 if potential_user:
- return user_exists_error_page
+ return invalid_username_error_page
 if request.form.getlist('password')[0] != request.form.getlist('password')[1]:
 return passwords_error_page
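Review bot: The duplicate check `Users.find({'username': username})` still queries the raw form the user typed, while parse_username now hands back the normalised form as the first element of `username_pair`; if accounts are stored under the normalised name (not visible in this hunk), two registrations differing only in case or punctuation would both pass this check and collide on the stored value, so the lookup should use the normalised element, e.g. `potential_user = Users.find({'username': username_pair[0]})`. Reusing invalid_username_error_page for both the reserved-name and the already-taken case is a sound choice, since the response no longer reveals whether an account exists. sign_up_post continues beyond this hunk, where username_pair is presumably unpacked — worth checking it matches the swapped tuple order introduced in app/auth.py.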