From a3b77cff63aa7597eb4eea1b07a780525bdfe6a2 Mon Sep 17 00:00:00 2001
From: Andy Butland
Date: Mon, 10 Feb 2025 10:40:53 +0100
Subject: [PATCH] Add validation to prevent update of a user or member to an invalid username (13) (#18261)

* Add validation to prevent update of a user or member to an invalid username.
* Avoid password manager updates of user name field on user details screen.
---
 .../Controllers/MemberController.cs | 11 +++++++++++
 .../Controllers/UsersController.cs | 9 +++++++++
 .../src/views/users/views/user/details.html | 4 +++-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
index 4a18bf4620..d03fa87a4a 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
@@ -723,6 +723,17 @@ public class MemberController : ContentControllerBase
 return false;
 }
+ // User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create
+ // as the setting is applied to the IdentityOptions, but we need to check ourselves for updates.
+ var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;
+ if (contentItem.Username.Any(c => allowedUserNameCharacters.Contains(c) == false))
+ {
+ ModelState.AddPropertyError(
+ new ValidationResult("Username contains invalid characters"),
+ $"{Constants.PropertyEditors.InternalGenericPropertiesPrefix}login");
+ return false;
+ }
+
 if (contentItem.Password != null && !contentItem.Password.NewPassword.IsNullOrWhiteSpace())
 {
 IdentityResult validPassword = await _memberManager.ValidatePasswordAsync(contentItem.Password.NewPassword);
diff --git a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
index c855a87ea4..2f128f1f09 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
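Review bot: The new guard rejects every username when `_securitySettings.AllowedUserNameCharacters` is null or empty, whereas ASP.NET Identity's UserValidator skips the character check in that case, so this update path is stricter than the create path the comment says it mirrors; the same applies to the UsersController hunk. Suggest `if (!string.IsNullOrEmpty(allowedUserNameCharacters) && contentItem.Username.Any(c => !allowedUserNameCharacters.Contains(c)))`, which also drops the `== false` idiom. `contentItem.Username` is dereferenced without a null check here; if the validation preceding this hunk does not already guarantee it is set, guard it too. Since both controllers now carry the identical rule, a single shared helper would keep them from drifting apart. The enclosing method starts and ends outside the hunk.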
+++ b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
@@ -714,6 +714,15 @@ public class UsersController : BackOfficeNotificationsController
 var hasErrors = false;
+ // User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create
+ // as the setting is applied to the BackOfficeIdentityOptions, but we need to check ourselves for updates.
+ var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;
+ if (userSave.Username.Any(c => allowedUserNameCharacters.Contains(c) == false))
+ {
+ ModelState.AddModelError("Username", "Username contains invalid characters");
+ hasErrors = true;
+ }
+
 // we need to check if there's any Deny Local login providers present, if so we need to ensure that the user's email address cannot be changed
 var hasDenyLocalLogin = _externalLogins.HasDenyLocalLogin();
 if (hasDenyLocalLogin)
diff --git a/src/Umbraco.Web.UI.Client/src/views/users/views/user/details.html b/src/Umbraco.Web.UI.Client/src/views/users/views/user/details.html
index eaa92b7a6e..1eb6840fd3 100644
--- a/src/Umbraco.Web.UI.Client/src/views/users/views/user/details.html
+++ b/src/Umbraco.Web.UI.Client/src/views/users/views/user/details.html
@@ -1,4 +1,4 @@
-
+
@@ -45,6 +45,8 @@
 ng-model="model.user.username"
 umb-auto-focus
 name="username"
 required
+ autocomplete="off"
+ no-password-manager
 val-server-field="Username" />
 Required
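Review bot: Browsers largely ignore `autocomplete="off"` on inputs they classify as login credentials, so whether the username field is actually left alone depends on what the `no-password-manager` directive emits, which is not visible in this hunk. The diffstat lists only three files, so the directive must already exist in the client; confirm it is registered in this module, since a missing attribute directive fails silently in AngularJS. A short comment next to the attribute would help the next maintainer, e.g. `<!-- keep password managers from rewriting the username when the password fields are edited -->`. The enclosing input element starts before the hunk.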