disallow nicknames on a blacklist
authorEvan Prodromou <evan@controlezvous.ca>
Sun, 22 Jun 2008 18:04:37 +0000 (14:04 -0400)
committerEvan Prodromou <evan@controlezvous.ca>
Sun, 22 Jun 2008 18:04:37 +0000 (14:04 -0400)
darcs-hash:20080622180437-34904-4b6313f6fd8845232031663c5c2df00dff725183.gz

actions/finishopenidlogin.php
actions/profilesettings.php
actions/register.php
classes/User.php
config.php.sample
lib/common.php

index 27e5057ec1edef49e0362ab415c65cc7773c7bd6..fe9894e52b0a5cbee7f1a90c576d1801ab95091d 100644 (file)
@@ -167,6 +167,11 @@ class FinishopenidloginAction extends Action {
                        $this->show_form(_t('Nickname must have only letters and numbers and no spaces.'));
                        return;
                }
+
+               if (!User::allowed_nickname($nickname)) {
+                       $this->show_form(_t('Nickname not allowed.'));
+                       return;
+               }
                
                if (User::staticGet('nickname', $nickname)) {
                        $this->show_form(_t('Nickname already in use. Try another one.'));
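Review bot: The rejection message added here, `_t('Nickname not allowed.')`, differs from the `_t('Not a valid nickname.')` used for the same `User::allowed_nickname()` failure in the profilesettings.php and register.php hunks, so one condition produces two translatable strings and two user-visible wordings. Using a single string at all three call sites keeps translations consistent and makes the rejection easier to recognise in support reports. The enclosing method starts and ends outside this hunk.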
@@ -338,6 +343,9 @@ class FinishopenidloginAction extends Action {
                                                                                  'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) {
                        return false;
                }
+               if (!User::allowed_nickname($str)) {
+                       return false;
+               }
                if (User::staticGet('nickname', $str)) {
                        return false;
                }
index 6764ad288f51684085981c76e407fb252e5fbf1b..b6e24c729976cdc638915023bf728e72a21853a5 100644 (file)
@@ -88,6 +88,8 @@ class ProfilesettingsAction extends SettingsAction {
                                                                                                          'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) {
                        $this->show_form(_t('Nickname must have only letters and numbers and no spaces.'));
                        return;
+               } else if (!User::allowed_nickname($nickname)) {
+                       $this->show_form(_t('Not a valid nickname.'));
                } else if (!is_null($homepage) && (strlen($homepage) > 0) &&
                                   !Validate::uri($homepage, array('allowed_schemes' => array('http', 'https')))) {
                        $this->show_form(_t('Homepage is not a valid URL.'));
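Review bot: The new `else if (!User::allowed_nickname($nickname))` branch calls `show_form()` but has no `return;`, unlike the nickname-format branch directly above it. If the code after this if/else chain goes on to save the profile (that part is outside the hunk, so this is inferred), a blacklisted nickname would be stored even though the error message is shown, which defeats the route-clash protection for existing accounts. Add `return;` after `$this->show_form(_t('Not a valid nickname.'));`.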
index 31c8fea70fad08b6df2cef19e1a0d8492841405a..16e80ef1714a84cf5bf1a3eab198ecafa63831e2 100644 (file)
@@ -57,6 +57,8 @@ class RegisterAction extends Action {
                        $this->show_form(_t('Nickname must have only lowercase letters and numbers and no spaces.'));
                } else if ($this->nickname_exists($nickname)) {
                        $this->show_form(_t('Nickname already exists.'));
+               } else if (!User::allowed_nickname($nickname)) {
+                       $this->show_form(_t('Not a valid nickname.'));
                } else if ($this->email_exists($email)) {
                        $this->show_form(_t('Email address already exists.'));
                } else if ($password != $confirm) {
index 0e7fd5447448d5b24b2f1e1a5ed1adbb4de77ec0..e735457f9dcbe743f3b8d313ecbe5ff81ab732d1 100644 (file)
@@ -83,4 +83,12 @@ class User extends DB_DataObject
                  ' WHERE id = ' . $this->id;
                return $this->query($qry);
        }
+       
+       function allowed_nickname($nickname) {
+               # XXX: should already be validated for size, content, etc.
+               static $blacklist = array('rss', 'xrds', 'doc', 'main',
+                                                                 'settings', 'notice', 'user');
+               $merged = array_merge($blacklist, common_config('nickname', 'blacklist'));
+               return !in_array($nickname, $merged);
+       }
 }
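Review bot: `allowed_nickname()` fails open when the configured list is not an array: on PHP versions where `array_merge()` only warns on a non-array argument it returns null, `in_array()` then finds nothing, and every nickname, including the built-in route names, is reported as allowed. Casting the config value and comparing strictly closes that and also stops numeric-looking strings from matching loosely: `$merged = array_merge($blacklist, (array) common_config('nickname', 'blacklist'));` and `return !in_array($nickname, $merged, true);`. The method is called as `User::allowed_nickname()` at every call site in this commit and does not use `$this`, so it should be declared `static function allowed_nickname($nickname)`. The comparison is case-sensitive and depends on callers having enforced lowercase first, which the `XXX` comment should say explicitly.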
index bfd1da8ce2bb623354093dc14460aebef2dead36..8253bdeed68dfa394463656d869a6d0aed21f80d 100644 (file)
@@ -33,3 +33,6 @@ $config['db']['database'] = 'mysql://laconica:microblog@localhost/laconica';
 
 #session_set_cookie_params(0, '/'. $config['site']['path'] .'/');
 
+#Standard fancy-url clashes prevented by not allowing nicknames on a blacklist
+#Add your own here. Note: empty array by default
+#$config['nickname']['blacklist'][] = 'scobleizer';
index 83b56dcee5cf4b56cbd2b561ff1d081aa92c2261..2853c56e3d80e313ad8c596dbc0019b58b83dc53 100644 (file)
@@ -54,7 +54,9 @@ $config =
                          'image' => 'http://i.creativecommons.org/l/by/3.0/88x31.png'),
                'mail' =>
                array('backend' => 'mail',
-                         'params' => NULL)
+                         'params' => NULL),
+               'nickname' =>
+               array('blacklist' => array())
                );
 
 $config['db'] = &PEAR::getStaticProperty('DB_DataObject','options');