Add validation to prevent update of a user or member to an invalid username (13) (#18261)

* Add validation to prevent update of a user or member to an invalid username. * Avoid password manager updates of user name field on user details screen.
2025-02-10 10:40:53 +01:00
parent 4ca68d6995
commit a3b77cff63
3 changed files with 23 additions and 1 deletions
--- a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
@@ -723,6 +723,17 @@ public class MemberController : ContentControllerBase
            return false;
        }

+        // User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create
+        // as the setting is applied to the IdentityOptions, but we need to check ourselves for updates.
+        var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;
+        if (contentItem.Username.Any(c => allowedUserNameCharacters.Contains(c) == false))
+        {
+            ModelState.AddPropertyError(
+                new ValidationResult("Username contains invalid characters"),
+                $"{Constants.PropertyEditors.InternalGenericPropertiesPrefix}login");
+            return false;
+        }
+
        if (contentItem.Password != null && !contentItem.Password.NewPassword.IsNullOrWhiteSpace())
        {
            IdentityResult validPassword = await _memberManager.ValidatePasswordAsync(contentItem.Password.NewPassword);
--- a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
@@ -714,6 +714,15 @@ public class UsersController : BackOfficeNotificationsController

        var hasErrors = false;

+        // User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create
+        // as the setting is applied to the BackOfficeIdentityOptions, but we need to check ourselves for updates.
+        var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;
+        if (userSave.Username.Any(c => allowedUserNameCharacters.Contains(c) == false))
+        {
+            ModelState.AddModelError("Username", "Username contains invalid characters");
+            hasErrors = true;
+        }
+
        // we need to check if there's any Deny Local login providers present, if so we need to ensure that the user's email address cannot be changed
        var hasDenyLocalLogin = _externalLogins.HasDenyLocalLogin();
        if (hasDenyLocalLogin)
--- a/src/Umbraco.Web.UI.Client/src/views/users/views/user/details.html
+++ b/src/Umbraco.Web.UI.Client/src/views/users/views/user/details.html
@@ -1,4 +1,4 @@
-<div ng-controller="Umbraco.Editors.Users.DetailsController as vm" class="umb-user-details-details">
+<div ng-controller="Umbraco.Editors.Users.DetailsController as vm" class="umb-user-details-details">

    <div class="umb-user-details-details__main-content">

@@ -45,6 +45,8 @@
                               ng-model="model.user.username"
                               umb-auto-focus name="username"
                               required
+                               autocomplete="off"
+                               no-password-manager
                               val-server-field="Username" />
                        <span ng-messages="userProfileForm.username.$error" show-validation-on-submit>
                            <span class="help-inline" ng-message="required"><localize key="general_required">Required</localize></span>