From 79e00e4c87789ac49520944e6beb186a58f7fc98 Mon Sep 17 00:00:00 2001 From: David B Malkovsky Date: Sat, 17 Aug 2024 05:08:24 -0400 Subject: [PATCH] OP-1322: validate user name (#1388) * OP-1322: validate user name * OP-1322: use correct validation string per issue --- .../org/isf/menu/manager/UserBrowsingManager.java | 8 +++++++- src/test/java/org/isf/menu/TestUser.java | 2 +- .../java/org/isf/menu/TestUserBrowsingManager.java | 13 +++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/isf/menu/manager/UserBrowsingManager.java b/src/main/java/org/isf/menu/manager/UserBrowsingManager.java index e271864ca..0aedc13a9 100644 --- a/src/main/java/org/isf/menu/manager/UserBrowsingManager.java +++ b/src/main/java/org/isf/menu/manager/UserBrowsingManager.java @@ -43,6 +43,8 @@ @Component public class UserBrowsingManager { + private static final String VALID_USERID_PATTERN = "^[a-z0-9-._]+$"; + private MenuIoOperations ioOperations; public UserBrowsingManager(MenuIoOperations menuIoOperations) { @@ -97,9 +99,13 @@ public User getUserByName(String userName) throws OHServiceException { */ public User newUser(User user) throws OHServiceException { String username = user.getUserName(); + if (!username.matches(VALID_USERID_PATTERN)) { + throw new OHDataValidationException( + new OHExceptionMessage(MessageBundle.getMessage("angal.userbrowser.theusernamecontainsinvalidcharacters.msg"))); + } if (ioOperations.isUserNamePresent(username)) { throw new OHDataIntegrityViolationException( - new OHExceptionMessage(MessageBundle.formatMessage("angal.userbrowser.theuseralreadyexists.fmt.msg", username))); + new OHExceptionMessage(MessageBundle.formatMessage("angal.userbrowser.theuseralreadyexists.fmt.msg", username))); } return ioOperations.newUser(user); } diff --git a/src/test/java/org/isf/menu/TestUser.java b/src/test/java/org/isf/menu/TestUser.java index 1e3c8a276..ec9d5ef15 100644 --- a/src/test/java/org/isf/menu/TestUser.java 
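Review bot: In `VALID_USERID_PATTERN` the hyphen sits in the middle of the character class (`0-9-._`), which Java reads as a literal `-` but which is easy to misread as a range and fragile if the pattern is edited or ported to another regex engine; writing it last, `[a-z0-9._-]`, states the intent. The class also accepts names made only of punctuation (`.`, `..`, `-`) and sets no length limit, so if user names are ever used in file paths, command arguments or log keys, requiring an alphanumeric first character and a bounded length would be the safer rule. `String.matches` recompiles the expression on every call and already matches the whole input, so a precompiled `private static final Pattern` without `^`/`$` is the usual form. A one-line comment above the constant listing the allowed characters would help whoever edits it next.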
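Review bot: `username.matches(...)` in `newUser` throws a NullPointerException when `user.getUserName()` returns null, so a missing name surfaces as an unchecked error instead of the `OHDataValidationException` used for every other rejected name; guard it with `if (username == null || !username.matches(VALID_USERID_PATTERN)) {`. The check is added only to `newUser`, so any other path that writes a user name (none is visible in this hunk) would still accept arbitrary characters, and it is worth confirming that names cannot be set or changed elsewhere. The Javadoc above `newUser` starts outside the hunk; it should mention that an invalid name is now rejected with `OHDataValidationException`.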
+++ b/src/test/java/org/isf/menu/TestUser.java @@ -29,7 +29,7 @@ public class TestUser { - private String name = "TestName"; + private String name = "testname"; private String passwd = "TestPaswd"; private String desc = "TestDesc"; diff --git a/src/test/java/org/isf/menu/TestUserBrowsingManager.java b/src/test/java/org/isf/menu/TestUserBrowsingManager.java index a42c6ba0c..06f27e228 100644 --- a/src/test/java/org/isf/menu/TestUserBrowsingManager.java +++ b/src/test/java/org/isf/menu/TestUserBrowsingManager.java @@ -22,6 +22,7 @@ package org.isf.menu; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; import java.util.List; @@ -35,6 +36,7 @@ import org.isf.menu.service.UserGroupIoOperationRepository; import org.isf.menu.service.UserIoOperationRepository; import org.isf.menu.service.UserMenuItemIoOperationRepository; +import org.isf.utils.exception.OHDataValidationException; import org.isf.utils.exception.OHException; import org.isf.utils.time.TimeTools; import org.junit.jupiter.api.BeforeAll; @@ -214,6 +216,17 @@ void testGetUserGroups() throws Exception { assertThat(userGroupList.get(0).getCode()).isEqualTo("Z"); } + @Test + void testInvalidUserName() throws Exception { + assertThatThrownBy(() -> { + UserGroup userGroup = testUserGroup.setup(true); + User user = testUser.setup(userGroup, true); + user.setUserName("A@!"); + userBrowsingManager.newUser(user); + }) + .isInstanceOf(OHDataValidationException.class); + } + private String setupTestUser(boolean usingSet) throws OHException { UserGroup userGroup = testUserGroup.setup(usingSet); User user = testUser.setup(userGroup, usingSet);
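Review bot: `testInvalidUserName` runs the fixture setup (`testUserGroup.setup`, `testUser.setup`) inside the `assertThatThrownBy` lambda, so an exception raised during setup is attributed to the call under test; build the user before the lambda and keep only `userBrowsingManager.newUser(user);` inside it. The single input `"A@!"` mixes an upper-case letter with symbols, so the test does not show which rule rejected it. Separate cases for an upper-case-only name, an empty string, embedded whitespace and a null name, plus one accepted name that uses `.`, `-` and `_`, would pin the boundaries of the pattern.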