beware of upper and lower case in user_names and community AP ids

2025-01-23 19:36:56 -08:00 · 2024-01-29 08:47:36 +13:00 · 2024-01-29 08:47:36 +13:00 · fec2d24e6d
commit fec2d24e6d
parent 1aff96b52a
2 changed files with 9 additions and 10 deletions
--- a/app/activitypub/util.py
+++ b/app/activitypub/util.py
@ -183,16 +183,16 @@ def instance_allowed(host: str) -> bool:


 def find_actor_or_create(actor: str) -> Union[User, Community, None]:
+    actor = actor.strip()
    user = None
    # actor parameter must be formatted as https://server/u/actor or https://server/c/actor

    # Initially, check if the user exists in the local DB already
    if current_app.config['SERVER_NAME'] + '/c/' in actor:
-        return Community.query.filter_by(
-            ap_profile_id=actor).first()  # finds communities formatted like https://localhost/c/*
+        return Community.query.filter(Community.ap_profile_id.ilike(actor)).first()  # finds communities formatted like https://localhost/c/*

    if current_app.config['SERVER_NAME'] + '/u/' in actor:
-        user = User.query.filter_by(user_name=actor.split('/')[-1], ap_id=None, banned=False).first()  # finds local users
+        user = User.query.filter(User.user_name.ilike(actor.split('/')[-1])).filter_by(ap_id=None, banned=False).first()  # finds local users
        if user is None:
            return None
    elif actor.startswith('https://'):
@ -203,12 +203,11 @@ def find_actor_or_create(actor: str) -> Union[User, Community, None]:
        else:
            if instance_blocked(server):
                return None
-        user = User.query.filter_by(
-            ap_profile_id=actor).first()  # finds users formatted like https://kbin.social/u/tables
+        user = User.query.filter(User.ap_profile_id.ilike(actor)).first()  # finds users formatted like https://kbin.social/u/tables
        if (user and user.banned) or (user and user.deleted) :
            return None
        if user is None:
-            user = Community.query.filter_by(ap_profile_id=actor).first()
+            user = Community.query.filter(Community.ap_profile_id.ilike(actor)).first()

    if user is not None:
        if not user.is_local() and user.ap_fetched_at < utcnow() - timedelta(days=7):
--- a/app/auth/forms.py
+++ b/app/auth/forms.py
@ -25,25 +25,25 @@ class RegistrationForm(FlaskForm):
    submit = SubmitField(_l('Register'))

    def validate_real_email(self, email):
-        user = User.query.filter_by(email=email.data).first()
+        user = User.query.filter(User.email.ilike(email.data.strip())).first()
        if user is not None:
            raise ValidationError(_l('An account with this email address already exists.'))

    def validate_user_name(self, user_name):
-        user = User.query.filter_by(user_name=user_name.data, ap_id=None).first()
+        user = User.query.filter(User.user_name.ilike(user_name.data.strip())).filter_by(ap_id=None).first()
        if user is not None:
            if user.deleted:
                raise ValidationError(_l('This username was used in the past and cannot be reused.'))
            else:
                raise ValidationError(_l('An account with this user name already exists.'))
-        community = Community.query.filter_by(name=user_name.data).first()
+        community = Community.query.filter(Community.name.ilike(user_name.data.strip())).first()
        if community is not None:
            raise ValidationError(_l('A community with this name exists so it cannot be used for a user.'))
        
    def validate_password(self, password):
        if not password.data:
            return
-
+        password.data = password.data.strip()
        if password.data == 'password' or password.data == '12345678' or password.data == '1234567890':
            raise ValidationError(_l('This password is too common.'))