fix: [validation] Tightened the validation rules for users to avoid 500 errors when the requirements are not met

- ensure that username is unique - (optional) ensure that individual->user assignment is unique - (optional) ensure that usernames are e-mail addresses - As reported by Matúš Mikuláš, Adam Gajdošík, Milan Pikula of SK-CERT
2023-01-03 15:03:06 +01:00 · 2023-01-03 15:03:06 +01:00 · e0f92aa8e0
parent da2f904554
commit e0f92aa8e0
2 changed files with 29 additions and 0 deletions
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
@ -328,6 +328,24 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
                    ],
                ]
            ],
+            'Users' => [
+                'Users' => [
+                    'Settings' => [
+                        'user.multiple-users-per-individual' => [
+                            'name' => __('Multiple users per individual'),
+                            'type' => 'boolean',
+                            'description' => __('Allow for multiple user accounts to be assigned to a single user account. This setting will automatically be restricted when using KeyCloak.'),
+                            'default' => false
+                        ],
+                        'user.username-must-be-email' => [
+                            'name' => __('Usernames must be e-mail addresses'),
+                            'type' => 'boolean',
+                            'description' => __('This setting will enforce that usernames conform to basic requirements of e-mail addresses.'),
+                            'default' => false
+                        ]
+                    ]
+                ]
+            ]
            /*
            'Features' => [
                'Demo Settings' => [
--- a/src/Model/Table/UsersTable.php
+++ b/src/Model/Table/UsersTable.php
@ -175,11 +175,22 @@ class UsersTable extends AppTable
            ])
            ->requirePresence(['username'], 'create')
            ->notEmptyString('username', __('Please fill this field'), 'create');
+        if (Configure::read('user.username-must-be-email')) {
+            $validator->add('username', 'valid_email', [
+                'rule' => 'email',
+                'message' => 'Username has to be a valid e-mail address.'
+            ]);
+        }
        return $validator;
    }

    public function buildRules(RulesChecker $rules): RulesChecker
    {
+        $rules->add($rules->isUnique(['username']));
+        $allowDuplicateIndividuals = false;
+        if (empty(Configure::read('user.multiple-users-per-individual')) || !empty(Configure::read('keycloak.enabled'))) {
+            $rules->add($rules->isUnique(['individual_id']));
+        }
        return $rules;
    }