From e0f92aa8e0f97a1007c44df7c4238f977eb33d5a Mon Sep 17 00:00:00 2001
From: iglocska
Date: Tue, 3 Jan 2023 15:03:06 +0100
Subject: [PATCH] fix: [validation] Tightened the validation rules for users to avoid 500 errors when the requirements are not met
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- ensure that username is unique
- (optional) ensure that individual->user assignment is unique
- (optional) ensure that usernames are e-mail addresses
- As reported by Matúš Mikuláš, Adam Gajdošík, Milan Pikula of SK-CERT
---
 .../CerebrateSettingsProvider.php | 18 ++++++++++++++++++
 src/Model/Table/UsersTable.php | 11 +++++++++++
 2 files changed, 29 insertions(+)
diff --git a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
index dfa2be4..fb2faa0 100644
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
@@ -328,6 +328,24 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
 ],
 ]
 ],
+ 'Users' => [
+ 'Users' => [
+ 'Settings' => [
+ 'user.multiple-users-per-individual' => [
+ 'name' => __('Multiple users per individual'),
+ 'type' => 'boolean',
+ 'description' => __('Allow for multiple user accounts to be assigned to a single user account. This setting will automatically be restricted when using KeyCloak.'),
+ 'default' => false
+ ],
+ 'user.username-must-be-email' => [
+ 'name' => __('Usernames must be e-mail addresses'),
+ 'type' => 'boolean',
+ 'description' => __('This setting will enforce that usernames conform to basic requirements of e-mail addresses.'),
+ 'default' => false
+ ]
+ ]
+ ]
+ ]
 /*
 'Features' => [
 'Demo Settings' => [
diff --git a/src/Model/Table/UsersTable.php b/src/Model/Table/UsersTable.php
index 00c53f0..aa52040 100644
--- a/src/Model/Table/UsersTable.php
+++ b/src/Model/Table/UsersTable.php
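Review bot: The description of the new 'user.multiple-users-per-individual' setting says "assigned to a single user account", but the setting (and its enforcement via the individual_id uniqueness rule in UsersTable::buildRules) is about several user accounts sharing one individual, so the text describes the wrong relationship; change it to `'description' => __('Allow for multiple user accounts to be assigned to a single individual. This setting will automatically be restricted when using KeyCloak.'),`. The "automatically restricted when using KeyCloak" sentence is not reflected in the provider entry itself; it appears to be enforced only by the keycloak.enabled check in UsersTable, so an operator reading the settings page cannot tell from here which value actually takes effect — a short note naming where the override lives would help. The enclosing settings array starts and ends outside this hunk.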
@@ -175,11 +175,22 @@ class UsersTable extends AppTable
 ])
 ->requirePresence(['username'], 'create')
 ->notEmptyString('username', __('Please fill this field'), 'create');
+ if (Configure::read('user.username-must-be-email')) {
+ $validator->add('username', 'valid_email', [
+ 'rule' => 'email',
+ 'message' => 'Username has to be a valid e-mail address.'
+ ]);
+ }
 return $validator;
 }
 public function buildRules(RulesChecker $rules): RulesChecker
 {
+ $rules->add($rules->isUnique(['username']));
+ $allowDuplicateIndividuals = false;
+ if (empty(Configure::read('user.multiple-users-per-individual')) || !empty(Configure::read('keycloak.enabled'))) {
+ $rules->add($rules->isUnique(['individual_id']));
+ }
 return $rules;
 }
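Review bot: In buildRules the new local `$allowDuplicateIndividuals = false;` is assigned but never read, so it is dead code and the intent of the condition below it is left to the reader; either drop the line or let it carry the condition, e.g. `$allowDuplicateIndividuals = !empty(Configure::read('user.multiple-users-per-individual')) && empty(Configure::read('keycloak.enabled'));` followed by `if (!$allowDuplicateIndividuals) {`. In the validator hunk the added message `'Username has to be a valid e-mail address.'` is a bare string while the neighbouring notEmptyString message is wrapped in `__()`, so it will not be translated; use `'message' => __('Username has to be a valid e-mail address.')`. Both `isUnique` rules only run on save, so they stop new duplicates but, as far as this hunk shows, do not detect rows that already violate uniqueness — worth stating in the commit or a comment if that is the intended scope. The validator-building method that the first part of this hunk belongs to starts outside the hunk.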