Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-29 18:16:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: closes #13475, don't store escaped username

Browse Source 
when updating profile
This commit is contained in:
Barış Soner Uşaklı
2025-06-05 11:42:29 -04:00
parent 4fbcfae8b1
commit 806e54bf5a
2 changed files with 28 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/api/users.js
View File

@@ -57,7 +57,7 @@ usersAPI.update = async function (caller, data) {
throw new Error('[[error:invalid-data]]'); throw new Error('[[error:invalid-data]]');
} }
const oldUserData = await user.getUserFields(data.uid, ['email', 'username']); const oldUserData = await db.getObjectFields(`user:${data.uid}`, ['email', 'username']);
if (!oldUserData || !oldUserData.username) { if (!oldUserData || !oldUserData.username) {
throw new Error('[[error:invalid-data]]'); throw new Error('[[error:invalid-data]]');
} }
@@ -86,14 +86,14 @@ usersAPI.update = async function (caller, data) {
await user.updateProfile(caller.uid, data); await user.updateProfile(caller.uid, data);
const userData = await user.getUserData(data.uid); const userData = await user.getUserData(data.uid);
const oldUsernameEscaped = validator.escape(String(oldUserData.username));
if (userData.username !== oldUserData.username) { if (userData.username !== oldUsernameEscaped) {
await events.log({ await events.log({
type: 'username-change', type: 'username-change',
uid: caller.uid, uid: caller.uid,
targetUid: data.uid, targetUid: data.uid,
ip: caller.ip, ip: caller.ip,
oldUsername: oldUserData.username, oldUsername: oldUsernameEscaped,
newUsername: userData.username, newUsername: userData.username,
}); });
} }

25
test/user.js
View File

@@ -748,7 +748,9 @@ describe('User', () => {
signature: 'nodebb is good', signature: 'nodebb is good',
password: '123456', password: '123456',
}; };
const result = await apiUser.update({ uid: uid }, { ...data, password: '123456', invalid: 'field' }); const result = await apiUser.update({ uid: uid }, {
...data, password: '123456', invalid: 'field',
});
assert.equal(result.username, 'updatedUserName'); assert.equal(result.username, 'updatedUserName');
assert.equal(result.userslug, 'updatedusername'); assert.equal(result.userslug, 'updatedusername');
assert.equal(result.fullname, 'updatedFullname'); assert.equal(result.fullname, 'updatedFullname');
@@ -767,6 +769,27 @@ describe('User', () => {
assert.strictEqual(userData.invalid, undefined); assert.strictEqual(userData.invalid, undefined);
}); });
it('should not change the username to escaped version', async () => {
const uid = await User.create({
username: 'ex\'ample_user', email: '13475@test.com', password: '123456',
});
await User.setUserField(uid, 'email', '13475@test.com');
await User.email.confirmByUid(uid);
const data = {
uid: uid,
username: 'ex\'ample_user',
password: '123456',
};
const result = await apiUser.update({ uid: uid }, {
...data, password: '123456', invalid: 'field',
});
const storedUsername = await db.getObjectField(`user:${uid}`, 'username');
assert.equal(result.username, 'ex'ample_user');
assert.equal(storedUsername, 'ex\'ample_user');
assert.equal(result.userslug, 'ex-ample_user');
});
it('should also generate an email confirmation code for the changed email', async () => { it('should also generate an email confirmation code for the changed email', async () => {
const confirmSent = await User.email.isValidationPending(uid, 'updatedemail@me.com'); const confirmSent = await User.email.isValidationPending(uid, 'updatedemail@me.com');
assert.strictEqual(confirmSent, true); assert.strictEqual(confirmSent, true);