    ERP5Security: ignore leading/trailing spaces in usernames · d76b8d8e
    Jérome Perrin authored
    We received a few support requests from users who are able to change their
    password but not to log in afterwards. These users probably copied and pasted
    their user name with an extra leading or trailing space. In the reset
    password dialog, these spaces are stripped, because Formulator by default
    strips the input (unless "whitespace preserve" is on, but we usually don't
    set it except in text areas).
    
    Historically we have been completely avoiding the extra spaces and made the
    login/user_id case insensitive, because login and user id were the same
    thing and there have been issues when looking up user id in MariaDB because
    of MariaDB collations, so we took the easy way of saying "logins are case
    sensitive and spaces also matter", but with separate login / user id,
    this can be revisited, because the login is only used to check the password
    and find a user ID.
    
    Stripping spaces from logins is a common thing these days (Google, Twitter,
    Facebook strip logins) which simplifies user experience and reduces support.
    
    The risk of conflicts seems very low: if users are created with ERP5 Forms,
    Formulator had already stripped the login anyway. After this change, in case
    two user names ('alice' and ' alice ') conflict, none of them would be
    able to log in.
    We keep compatibility with users with trailing spaces, so if there is only
    a user named ' alice ', without other users that would conflict (for
    example 'alice' or ' alice'), this user remains able to log in anyway. This
    last part is probably not so important in reality, it is for compatibility
    with testPasswordTool.TestPasswordTool.test_login_with_trailing_space
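
The lookup semantics described in the commit message above, as an added Python sketch (not ERP5's code, and not taken from ERP5LoginUserManager.py). All function names and the in-memory login table are hypothetical, and it assumes stripping is applied to both the stored and the typed login. It also includes an audit helper for finding logins that would collide, and so be locked out, once stripping is enabled.

```python
from collections import defaultdict

def normalize(login):
    """Strip leading/trailing whitespace only; case is left untouched."""
    return login.strip()

def build_index(stored_logins):
    """Map normalized login -> list of (stored_login, user_id).

    stored_logins is a hypothetical {login: user_id} table standing in
    for the real login storage.
    """
    index = defaultdict(list)
    for stored, user_id in stored_logins.items():
        index[normalize(stored)].append((stored, user_id))
    return index

def resolve_user_id(index, typed_login):
    """Return the user id for typed_login, or None.

    Fails closed: when several stored logins collapse to the same
    normalized value, the match is ambiguous and nobody is resolved,
    rather than picking one account arbitrarily.
    """
    matches = index.get(normalize(typed_login), [])
    if len(matches) != 1:
        return None
    return matches[0][1]

def find_conflicts(index):
    """Return {normalized_login: sorted stored logins} for every group
    of accounts that would be unable to log in after the change."""
    return {key: sorted(stored for stored, _ in group)
            for key, group in index.items() if len(group) > 1}

# Constructed sample data, not real accounts.
LEGACY_ONLY = {" alice ": "U1", "bob": "U2"}                 # single legacy login with spaces
CONFLICTING = {"alice": "U1", " alice ": "U3", "bob": "U2"}  # two logins collide

if __name__ == "__main__":
    print(resolve_user_id(build_index(LEGACY_ONLY), "alice "))
    print(resolve_user_id(build_index(CONFLICTING), "alice"))
    print(find_conflicts(build_index(CONFLICTING)))
```

Running `find_conflicts` over the existing login table before deploying such a change shows which accounts, if any, would need to be renamed.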
ERP5LoginUserManager.py 11.8 KB