yagich/pyrom
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

add forbidden usernames

Browse Source
This commit is contained in:
Lera Elvoé
2026-04-19 07:17:07 +03:00
parent 68958e304b
commit f798bb5d7d
3 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
app/auth.py
View File

@@ -8,6 +8,17 @@ import re
ph = PasswordHasher() ph = PasswordHasher()
FORBIDDEN_USERNAMES = (
'administrator', 'administration', 'administrators',
'system',
'mod', 'moderator', 'moderators', 'moderation',
'deleted-user', 'deleted_user',
'support',
#routes
'log-in', 'log_in', 'login',
'sign-up', 'sign_up', 'signup',
)
def digest(password): def digest(password):
return ph.hash(password) return ph.hash(password)
@@ -50,8 +61,11 @@ def parse_username(username: str) -> Tuple[str, str]:
if len(username) < 3: if len(username) < 3:
raise ValueError raise ValueError
if username.lower() in FORBIDDEN_USERNAMES:
raise ValueError
invalid_regex = r'[^a-zA-Z0-9_-]' invalid_regex = r'[^a-zA-Z0-9_-]'
return username, re.sub(invalid_regex, '_', username.lower())[:24] return re.sub(invalid_regex, '_', username.lower())[:24], username
def is_password_valid(password: str) -> bool: def is_password_valid(password: str) -> bool:
return re.match(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,255}$', password) is not None return re.match(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,255}$', password) is not None

2
app/routes/threads.py
View File

@@ -51,7 +51,7 @@ def reply(slug):
def feed(slug): def feed(slug):
return 'stub' return 'stub'
@bp.get('/new') @bp.get('/new/')
@login_required @login_required
def new(): def new():
topics = Topics.select() topics = Topics.select()

9
app/routes/users.py
View File

@@ -50,7 +50,7 @@ def sign_up():
@redirect_if_logged_in() @redirect_if_logged_in()
def sign_up_post(): def sign_up_post():
generic_error_page = redirect(url_for('.sign_up', error='The username or password you entered is invalid.')) generic_error_page = redirect(url_for('.sign_up', error='The username or password you entered is invalid.'))
user_exists_error_page = redirect(url_for('.sign_up', error='This username is already taken. Please pick another.')) invalid_username_error_page = redirect(url_for('.sign_up', error='This username cannot be used. Please pick another.'))
passwords_error_page = redirect(url_for('.sign_up', error='The passwords do not match.')) passwords_error_page = redirect(url_for('.sign_up', error='The passwords do not match.'))
username = request.form.get('username', default='') username = request.form.get('username', default='')
if not username: if not username:
@@ -59,10 +59,13 @@ def sign_up_post():
return generic_error_page return generic_error_page
if len(request.form.getlist('password')) != 2: if len(request.form.getlist('password')) != 2:
return passwords_error_page return passwords_error_page
username_pair = parse_username(username) try:
username_pair = parse_username(username)
except ValueError:
return invalid_username_error_page
potential_user = Users.find({'username': username}) potential_user = Users.find({'username': username})
if potential_user: if potential_user:
return user_exists_error_page return invalid_username_error_page
if request.form.getlist('password')[0] != request.form.getlist('password')[1]: if request.form.getlist('password')[0] != request.form.getlist('password')[1]:
return passwords_error_page return passwords_error_page