Improve the maintainblity of the reserved username list (#32229)

wxiaoguang 2024-10-10 17:04:42 +08:00 committed by GitHub
parent c2217670dd
commit 6029d78ab5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 45 additions and 72 deletions


@ -565,41 +565,43 @@ var (
".",
"..",
".well-known",
"api",
"assets",
"attachments",
"avatar",
"avatars",
"captcha",
"commits",
"debug",
"error",
"explore",
"favicon.ico",
"ghost",
"issues",
"login",
"manifest.json",
"metrics",
"milestones",
"new",
"notifications",
"org",
"pulls",
"raw",
"repo",
"api", // gitea api
"metrics", // prometheus metrics api
"v2", // container registry api
"assets", // static asset files
"attachments", // issue attachments
"avatar", // avatar by email hash
"avatars", // user avatars by file name
"repo-avatars",
"robots.txt",
"search",
"serviceworker.js",
"ssh_info",
"captcha",
"login", // oauth2 login
"org", // org create/manage, or "/org/{org}", BUT if an org is named as "invite" then it goes wrong
"repo", // repo create/migrate, etc
"user", // user login/activate/settings, etc
"explore",
"issues",
"pulls",
"milestones",
"notifications",
"favicon.ico",
"manifest.json", // web app manifests
"robots.txt", // search engine robots
"sitemap.xml", // search engine sitemap
"ssh_info", // agit info
"swagger.v1.json",
"user",
"v2",
"gitea-actions",
"ghost", // reserved name for deleted users (id: -1)
"gitea-actions", // gitea builtin user (id: -2)
}
// DON'T ADD ANY NEW STUFF, WE SOLVE THIS WITH `/user/{obj}` PATHS!
// These names are reserved for user accounts: user's keys, user's rss feed, user's avatar, etc.
// DO NOT add any new stuff! The paths with these names are processed by `/{username}` handler (UsernameSubRoute) manually.
reservedUserPatterns = []string{"*.keys", "*.gpg", "*.rss", "*.atom", "*.png"}
)
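Review bot: The second run of entries in this list no longer contains `commits`, `debug`, `error`, `new`, `raw`, `search` or `serviceworker.js`, and nothing in the hunk records why each of those is now safe to hand out as a username (the +/- markers are lost on this page, so this reading is inferred from the two runs of entries). Going by the comment on `reservedUserPatterns`, a username is served by the `/{username}` handler, so this list is what keeps an account name from colliding with a fixed top-level route. I would state that rule above the slice, e.g. `// Each entry is the first path segment of a fixed top-level route or a builtin account; add the segment here whenever a new top-level route is registered.` The inline note on `"org"` records a known problem (an org named `invite`) without a follow-up, so marking it `// TODO:` or linking an issue would keep it visible. The `var (` block starts before the hunk.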


@ -114,12 +114,10 @@ func TestRenameUser(t *testing.T) {
})
t.Run("Non usable username", func(t *testing.T) {
usernames := []string{"--diff", "aa.png", ".well-known", "search", "aaa.atom"}
usernames := []string{"--diff", ".well-known", "gitea-actions", "aaa.atom", "aa.png"}
for _, username := range usernames {
t.Run(username, func(t *testing.T) {
assert.Error(t, user_model.IsUsableUsername(username))
assert.Error(t, RenameUser(db.DefaultContext, user, username))
})
assert.Error(t, user_model.IsUsableUsername(username), "non-usable username: %s", username)
assert.Error(t, RenameUser(db.DefaultContext, user, username), "non-usable username: %s", username)
}
})
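Review bot: The `Non usable username` list now covers the builtin account `gitea-actions` but not `ghost`, the other builtin identity that the reserved list on this page describes (deleted users, id -1), so a regression that made `ghost` claimable would not be caught here. Adding it is one token: `usernames := []string{"--diff", ".well-known", "ghost", "gitea-actions", "aaa.atom", "aa.png"}`. `search` was dropped from this list, presumably because it is no longer reserved; if that is the intent, a positive `assert.NoError(t, user_model.IsUsableUsername("search"))` would pin the decision instead of leaving it implicit. TestRenameUser starts and ends outside the hunk.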


@ -5,6 +5,7 @@ package integration
import (
"net/http"
"strings"
"testing"
auth_model "code.gitea.io/gitea/models/auth"
@ -98,41 +99,12 @@ func TestRenameReservedUsername(t *testing.T) {
reservedUsernames := []string{
// ".", "..", ".well-known", // The names are not only reserved but also invalid
"api",
"assets",
"attachments",
"avatar",
"avatars",
"captcha",
"commits",
"debug",
"error",
"explore",
"favicon.ico",
"ghost",
"issues",
"login",
"manifest.json",
"metrics",
"milestones",
"new",
"notifications",
"org",
"pulls",
"raw",
"repo",
"repo-avatars",
"robots.txt",
"search",
"serviceworker.js",
"ssh_info",
"swagger.v1.json",
"user",
"v2",
"name.keys",
}
session := loginUser(t, "user2")
locale := translation.NewLocale("en-US")
for _, reservedUsername := range reservedUsernames {
t.Logf("Testing username %s", reservedUsername)
req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
"_csrf": GetUserCSRFToken(t, session),
"name": reservedUsername,
@ -144,11 +116,12 @@ func TestRenameReservedUsername(t *testing.T) {
req = NewRequest(t, "GET", test.RedirectURL(resp))
resp = session.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
assert.Contains(t,
htmlDoc.doc.Find(".ui.negative.message").Text(),
translation.NewLocale("en-US").TrString("user.form.name_reserved", reservedUsername),
)
actualMsg := strings.TrimSpace(htmlDoc.doc.Find(".ui.negative.message").Text())
expectedMsg := locale.TrString("user.form.name_reserved", reservedUsername)
if strings.Contains(reservedUsername, ".") {
expectedMsg = locale.TrString("user.form.name_pattern_not_allowed", reservedUsername)
}
assert.Equal(t, expectedMsg, actualMsg)
unittest.AssertNotExistsBean(t, &user_model.User{Name: reservedUsername})
}
}
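Review bot: The expected message in the loop is chosen with `strings.Contains(reservedUsername, ".")`, which ties the assertion to the spelling of the name rather than to the rule that rejected it. It holds for the two names left in the list (`api`, `name.keys`), but reserved names that contain a dot, such as `favicon.ico` or `robots.txt`, would take the pattern branch, and the page does not show which message the server returns for them. Pairing each name with its message key removes the guess, e.g. `cases := map[string]string{"api": "user.form.name_reserved", "name.keys": "user.form.name_pattern_not_allowed"}` and ranging over that. TestRenameReservedUsername starts outside the hunk.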