No username validation to prevent duplicate usernames #3331

Closed
cotyhamilton opened this issue May 28, 2019 · 2 comments

@cotyhamilton
Contributor

Information

  • Node.js version: v10.14.2
  • NPM version: 6.8.0
  • Strapi version: 3.0.0-alpha.26.2
  • Database: PostgreSQL/SQLite
  • Operating system: MacOS

What is the current behavior?
New users are able to be created with the same username. This is with the local provider; I'm unsure how other providers are handled.

Steps to reproduce the problem
Create two new users with the same username using the Admin Panel (or API, same results)

What is the expected behavior?
Prevent new users from being created with duplicate usernames

Suggested solutions
Add validation similar to how email addresses are ensured to be unique values. I'm unsure if this feature needs a toggle to turn off and on like email does; considering username is used to log in by default, I think the usernames should always be unique.

@cotyhamilton
Contributor Author

I added this to the create function in the User controller

```js
if (ctx.request.body.username) {
  // Look for an existing user that already has the requested username
  const user = await strapi.query('user', 'users-permissions').findOne({ username: ctx.request.body.username });

  if (user) {
    // Structured error for the admin panel, plain message for API clients
    return ctx.badRequest(null, ctx.request.admin ? [{ messages: [{ id: 'Auth.form.error.username.taken', field: ['username'] }] }] : 'Username is already taken.');
  }
}
```

and this to the update function in the User controller

```js
if (ctx.request.body.username) {
  // Fetch every user that has the requested username
  const users = await strapi.plugins['users-permissions'].services.user.fetchAll({ username: ctx.request.body.username });

  // Reject only if the name belongs to a user other than the one being updated
  // (`_` is lodash)
  if (users && _.find(users, user => (user.id || user._id).toString() !== (ctx.params.id || ctx.params._id))) {
    return ctx.badRequest(null, ctx.request.admin ? [{ messages: [{ id: 'Auth.form.error.username.taken', field: ['username'] }] }] : 'Username is already taken.');
  }
}
```

These handle the validation in the admin panel. As for the API, I discovered this related issue: #1189

So I just made the column unique in the database and the response returns:

```json
{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Username is already taken."
}
```

as expected. (I switched back to PostgreSQL btw and am no longer using SQLite.)

I don't know if I should submit a PR with the admin validation as it seems dubious to do so considering the underlying issue isn't resolved.
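Added example, not part of the original issue or of Strapi's code: a lookup-then-create check like the one above cannot stop two simultaneous sign-ups for the same name, which is why the unique column is the guard that actually holds. `makeTable`, `tick`, `createUser` and `race` are hypothetical names, and the table is a constructed in-memory stand-in for the database, not Strapi's query API.

```javascript
// Constructed in-memory stand-in for the users table (not Strapi's query API).
// Every call awaits once to model a database round trip.
const tick = () => new Promise((resolve) => setImmediate(resolve));

function makeTable({ uniqueUsername }) {
  const rows = [];
  return {
    rows,
    async findOne({ username }) {
      await tick();
      return rows.find((r) => r.username === username) || null;
    },
    async insert(row) {
      await tick();
      // With the constraint on, the check and the write are one atomic step.
      if (uniqueUsername && rows.some((r) => r.username === row.username)) {
        const err = new Error('duplicate key value violates unique constraint');
        err.code = '23505'; // PostgreSQL unique_violation SQLSTATE
        throw err;
      }
      rows.push({ id: rows.length + 1, ...row });
    },
  };
}

// Same shape as the controller check in the issue: look up, then create.
async function createUser(table, username) {
  if (await table.findOne({ username })) {
    return { status: 400, message: 'Username is already taken.' };
  }
  try {
    await table.insert({ username });
    return { status: 201 };
  } catch (err) {
    if (err.code !== '23505') throw err;
    // The constraint caught what the lookup missed; report it the same way.
    return { status: 400, message: 'Username is already taken.' };
  }
}

// Two sign-ups for the same name arrive at the same time.
async function race(uniqueUsername) {
  const table = makeTable({ uniqueUsername });
  const pair = [createUser(table, 'alice'), createUser(table, 'alice')];
  const responses = await Promise.all(pair);
  return { statuses: responses.map((r) => r.status), stored: table.rows.length };
}
```

Without the constraint both requests pass the lookup and two `alice` rows are stored; with it, the second insert fails and is mapped to the same 400 response.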

@lauriejim lauriejim self-assigned this May 28, 2019
@lauriejim lauriejim added the status: duplicate Is a duplicate of another issue label May 28, 2019
@lauriejim
Contributor

Thank you @cotyhamilton for this report.
This is related to this issue #1189
