disallow nicknames on a blacklist

darcs-hash:20080622180437-34904-4b6313f6fd8845232031663c5c2df00dff725183.gz
2008-06-22 14:04:37 -04:00 · 2008-06-22 14:04:37 -04:00 · d758c11784
commit d758c11784
parent a69dbe7cd5
6 changed files with 26 additions and 1 deletions
--- a/actions/finishopenidlogin.php
+++ b/actions/finishopenidlogin.php
@ -168,6 +168,11 @@ class FinishopenidloginAction extends Action {
 			return;
 		}

+		if (!User::allowed_nickname($nickname)) {
+			$this->show_form(_t('Nickname not allowed.'));
+			return;
+		}
+		
 		if (User::staticGet('nickname', $nickname)) {
 			$this->show_form(_t('Nickname already in use. Try another one.'));
 			return;
@ -338,6 +343,9 @@ class FinishopenidloginAction extends Action {
 										  'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) {
 			return false;
 		}
+		if (!User::allowed_nickname($str)) {
+			return false;
+		}
 		if (User::staticGet('nickname', $str)) {
 			return false;
 		}
--- a/actions/profilesettings.php
+++ b/actions/profilesettings.php
@ -88,6 +88,8 @@ class ProfilesettingsAction extends SettingsAction {
 													  'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) {
 			$this->show_form(_t('Nickname must have only letters and numbers and no spaces.'));
 			return;
+		} else if (!User::allowed_nickname($nickname)) {
+			$this->show_form(_t('Not a valid nickname.'));
 		} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
 				   !Validate::uri($homepage, array('allowed_schemes' => array('http', 'https')))) {
 			$this->show_form(_t('Homepage is not a valid URL.'));
--- a/actions/register.php
+++ b/actions/register.php
@ -57,6 +57,8 @@ class RegisterAction extends Action {
 			$this->show_form(_t('Nickname must have only lowercase letters and numbers and no spaces.'));
 		} else if ($this->nickname_exists($nickname)) {
 			$this->show_form(_t('Nickname already exists.'));
+		} else if (!User::allowed_nickname($nickname)) {
+			$this->show_form(_t('Not a valid nickname.'));
 		} else if ($this->email_exists($email)) {
 			$this->show_form(_t('Email address already exists.'));
 		} else if ($password != $confirm) {
--- a/classes/User.php
+++ b/classes/User.php
@ -83,4 +83,12 @@ class User extends DB_DataObject
 		  ' WHERE id = ' . $this->id;
 		return $this->query($qry);
 	}
+	
+	function allowed_nickname($nickname) {
+		# XXX: should already be validated for size, content, etc.
+		static $blacklist = array('rss', 'xrds', 'doc', 'main',
+								  'settings', 'notice', 'user');
+		$merged = array_merge($blacklist, common_config('nickname', 'blacklist'));
+		return !in_array($nickname, $merged);
+	}
 }
--- a/config.php.sample
+++ b/config.php.sample
@ -33,3 +33,6 @@ $config['db']['database'] = 'mysql://laconica:microblog@localhost/laconica';

 #session_set_cookie_params(0, '/'. $config['site']['path'] .'/');

+#Standard fancy-url clashes prevented by not allowing nicknames on a blacklist
+#Add your own here. Note: empty array by default
+#$config['nickname']['blacklist'][] = 'scobleizer';
--- a/lib/common.php
+++ b/lib/common.php
@ -54,7 +54,9 @@ $config =
 			  'image' => 'http://i.creativecommons.org/l/by/3.0/88x31.png'),
 		'mail' =>
 		array('backend' => 'mail',
-			  'params' => NULL)
+			  'params' => NULL),
+		'nickname' =>
+		array('blacklist' => array())
 		);

 $config['db'] = &PEAR::getStaticProperty('DB_DataObject','options');