src/applications/people/storage/__tests__/PhabricatorUserTestCase.php

   1 <?php
   2
   3 final class PhabricatorUserTestCase extends PhabricatorTestCase {
   4
   5   public function testUsernameValidation() {
   6     $map = array(
   7       'alincoln'    => true,
   8       'alincoln69'  => true,
   9       'hd3'         => true,
  10       'Alincoln'    => true,
  11       'a.lincoln'   => true,
  12
  13       'alincoln!'   => false,
  14       ''            => false,
  15
  16       // These are silly, but permitted.
  17       '7'           => true,
  18       '0'           => true,
  19       '____'        => true,
  20       '-'           => true,
  21
  22       // These are not permitted because they make capturing @mentions
  23       // ambiguous.
  24       'joe.'        => false,
  25
  26       // We can never allow these because they invalidate usernames as tokens
  27       // in commit messages ("Reviewers: alincoln, usgrant"), or as parameters
  28       // in URIs ("/p/alincoln/", "?user=alincoln"), or make them unsafe in
  29       // HTML. Theoretically we escape all the HTML/URI stuff, but these
  30       // restrictions make attacks more difficult and are generally reasonable,
  31       // since usernames like "<^, ,^>" don't seem very important to support.
  32       '<script>'    => false,
  33       'a lincoln'   => false,
  34       ' alincoln'   => false,
  35       'alincoln '   => false,
  36       'a,lincoln'   => false,
  37       'a&lincoln'   => false,
  38       'a/lincoln'   => false,
  39
  40       "username\n"  => false,
  41       "user\nname"  => false,
  42       "\nusername"  => false,
  43       "username\r"  => false,
  44       "user\rname"  => false,
  45       "\rusername"  => false,
  46     );
  47
  48     foreach ($map as $name => $expect) {
  49       $this->assertEqual(
  50         $expect,
  51         PhabricatorUser::validateUsername($name),
  52         pht("Validity of '%s'.", $name));
  53     }
  54   }
  55
  56 }