Fix Bug #828: Validate username

taiga/auth/serializers.py

@@ -16,12 +16,28 @@
 
 from rest_framework import serializers
 
+from django.core import validators
+from django.core.exceptions import ValidationError
+import re
+
+
 class BaseRegisterSerializer(serializers.Serializer):
     full_name = serializers.CharField(max_length=256)
     email = serializers.EmailField(max_length=200)
-    username = serializers.CharField(max_length=200)
+    username = serializers.CharField(max_length=30)
     password = serializers.CharField(min_length=4)
 
+    def validate_username(self, attrs, source):
+        value = attrs[source]
+        validator = validators.RegexValidator(re.compile('^[\w.-]+$'), "invalid username", "invalid")
+
+        try:
+            validator(value)
+        except ValidationError:
+            raise serializers.ValidationError("Required. 30 characters or fewer. Letters, numbers "
+                                              "and /./-/_ characters'")
+        return attrs
+
 
 class PublicRegisterSerializer(BaseRegisterSerializer):
     pass
@@ -30,7 +46,8 @@ class PublicRegisterSerializer(BaseRegisterSerializer):
 class PrivateRegisterForNewUserSerializer(BaseRegisterSerializer):
     token = serializers.CharField(max_length=255, required=True)
 
+
 class PrivateRegisterForExistingUserSerializer(serializers.Serializer):
-    username = serializers.CharField(max_length=200)
+    username = serializers.CharField(max_length=30)
     password = serializers.CharField(min_length=4)
     token = serializers.CharField(max_length=255, required=True)

taiga/users/serializers.py

@@ -46,5 +46,6 @@ class RecoverySerializer(serializers.Serializer):
     token = serializers.CharField(max_length=200)
     password = serializers.CharField(min_length=6)
 
+
 class ChangeEmailSerializer(serializers.Serializer):
     email_token = serializers.CharField(max_length=200)

tests/integration/test_auth_api.py

@@ -48,7 +48,7 @@ def test_respond_400_if_domain_does_not_allow_public_registration(client, regist
     assert response.status_code == 400
 
 
-def test_respond_201_if_domain_allows_public_registration(client, register_form):
+def test_respond_201_with_invitation_if_domain_does_not_allows_public_registration(client, register_form):
     user = factories.UserFactory()
     membership = factories.MembershipFactory(user=user)
 
@@ -120,3 +120,15 @@ def test_response_404_in_registration_with_github_account_in_a_project_with_inva
 
         response = client.post(reverse("auth-list"), form)
         assert response.status_code == 404
+
+
+def test_respond_400_If_username_is_invalid(client, settings, register_form):
+    settings.PUBLIC_REGISTER_ENABLED = True
+
+    register_form.update({"username": "User Examp:/e"})
+    response = client.post(reverse("auth-register"), register_form)
+    assert response.status_code == 400
+
+    register_form.update({"username": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-error"})
+    response = client.post(reverse("auth-register"), register_form)
+    assert response.status_code == 400