From 6b7082a194a19579430e426ffc4bce52ffd336e9 Mon Sep 17 00:00:00 2001 From: Michael Manfre Date: Sun, 20 Nov 2022 13:13:44 -0500 Subject: [PATCH] Add config identity_min_length and apply non-admin validation --- core/models/config.py | 1 + users/tests/test_identity.py | 94 +++++++++++++++++++++++++++++++++++ users/views/admin/settings.py | 10 +++- users/views/identity.py | 22 ++++++++ 4 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 users/tests/test_identity.py diff --git a/core/models/config.py b/core/models/config.py index 5d2fdfb..ffe7172 100644 --- a/core/models/config.py +++ b/core/models/config.py @@ -165,6 +165,7 @@ class Config(models.Model): signup_text: str = "" post_length: int = 500 + identity_min_length: int = 2 identity_max_per_user: int = 5 identity_max_age: int = 24 * 60 * 60 diff --git a/users/tests/test_identity.py b/users/tests/test_identity.py new file mode 100644 index 0000000..f056d60 --- /dev/null +++ b/users/tests/test_identity.py @@ -0,0 +1,94 @@ +import pytest + +from core.models import Config +from users.models import Domain, Identity, User +from users.views.identity import CreateIdentity + + +@pytest.mark.django_db +def test_create_identity_form(client): + """ """ + # Make a user + user = User.objects.create(email="test@example.com") + admin = User.objects.create(email="admin@example.com", admin=True) + # Make a domain + domain = Domain.objects.create(domain="example.com", local=True) + domain.users.add(user) + domain.users.add(admin) + + # Test identity_min_length + data = { + "username": "a", + "domain": domain.domain, + "name": "The User", + } + + form = CreateIdentity.form_class(user=user, data=data) + assert not form.is_valid() + assert "username" in form.errors + assert "value has at least" in form.errors["username"][0] + + form = CreateIdentity.form_class(user=admin, data=data) + assert form.errors == {} + + # Test restricted_usernames + data = { + "username": "@root", + "domain": domain.domain, + "name": "The User", + } + + form = CreateIdentity.form_class(user=user, data=data) + assert not form.is_valid() + assert "username" in form.errors + assert "restricted to administrators" in form.errors["username"][0] + + form = CreateIdentity.form_class(user=admin, data=data) + assert form.errors == {} + + # Test valid chars + data = { + "username": "@someval!!!!", + "domain": domain.domain, + "name": "The User", + } + + for u in (user, admin): + form = CreateIdentity.form_class(user=u, data=data) + assert not form.is_valid() + assert "username" in form.errors + assert form.errors["username"][0].startswith("Only the letters") + + +@pytest.mark.django_db +def test_identity_max_per_user(client): + """ + Ensures the webfinger and actor URLs are working properly + """ + # Make a user + user = User.objects.create(email="test@example.com") + # Make a domain + domain = Domain.objects.create(domain="example.com", local=True) + domain.users.add(user) + # Make an identity for them + for i in range(Config.system.identity_max_per_user): + identity = Identity.objects.create( + actor_uri=f"https://example.com/@test{i}@example.com/actor/", + username=f"test{i}", + domain=domain, + name=f"Test User{i}", + local=True, + ) + identity.users.add(user) + + data = { + "username": "toomany", + "domain": domain.domain, + "name": "Too Many", + } + form = CreateIdentity.form_class(user=user, data=data) + assert form.errors["__all__"][0].startswith("You are not allowed more than") + + user.admin = True + form = CreateIdentity.form_class(user=user, data=data) + assert form.is_valid() diff --git a/users/views/admin/settings.py b/users/views/admin/settings.py index e11aba5..0ed9a60 100644 --- a/users/views/admin/settings.py +++ b/users/views/admin/settings.py @@ -54,6 +54,10 @@ class BasicSettings(AdminSettingsPage): "title": "Maximum Identities Per User", "help_text": "Non-admins will be blocked from creating more than this", }, + "identity_min_length": { + "title": "Minimum Length For User Identities", + "help_text": "Non-admins will be blocked from creating identities shorter than this", + }, "signup_allowed": { "title": "Signups Allowed", "help_text": "If signups are allowed at all", @@ -84,5 +88,9 @@ class BasicSettings(AdminSettingsPage): ], "Signups": ["signup_allowed", "signup_invite_only", "signup_text"], "Posts": ["post_length"], - "Identities": ["identity_max_per_user", "restricted_usernames"], + "Identities": [ + "identity_max_per_user", + "identity_min_length", + "restricted_usernames", + ], } diff --git a/users/views/identity.py b/users/views/identity.py index 5524c4c..4dae6d5 100644 --- a/users/views/identity.py +++ b/users/views/identity.py @@ -2,6 +2,7 @@ import string from django import forms from django.contrib.auth.decorators import login_required +from django.core import validators from django.http import Http404, JsonResponse from django.shortcuts import redirect from django.utils.decorators import method_decorator @@ -144,10 +145,23 @@ class CreateIdentity(FormView): (domain.domain, domain.domain) for domain in Domain.available_for_user(user) ] + self.user = user def clean_username(self): # Remove any leading @ and force it lowercase value = self.cleaned_data["username"].lstrip("@").lower() + + if not self.user.admin: + # Apply username min length + limit = int(Config.system.identity_min_length) + validators.MinLengthValidator(limit)(value) + + # Apply username restrictions + if value in Config.system.restricted_usernames.split(): + raise forms.ValidationError( + "This username is restricted to administrators only." + ) + # Validate it's all ascii characters for character in value: if character not in string.ascii_letters + string.digits + "_-": @@ -167,6 +181,14 @@ class CreateIdentity(FormView): ): raise forms.ValidationError(f"{username}@{domain} is already taken") + if not self.user.admin and ( + Identity.objects.filter(users=self.user).count() + >= Config.system.identity_max_per_user + ): + raise forms.ValidationError( + f"You are not allowed more than {Config.system.identity_max_per_user} identities" + ) + def get_form(self): form_class = self.get_form_class() return form_class(user=self.request.user, **self.get_form_kwargs())