From 4f1cef546e2bd1ff21ed1031c46599010ee9033a Mon Sep 17 00:00:00 2001
From: msquare
Date: Sun, 28 Apr 2019 14:34:04 +0200
Subject: better nick validation, fixes #429

---
 includes/model/User_model.php | 13 +++++++++++--
 includes/pages/admin_user.php | 5 ++++-
 includes/pages/guest_login.php | 25 +++++++++++++++----------
 includes/view/User_view.php | 1 +
 4 files changed, 31 insertions(+), 13 deletions(-)

(limited to 'includes')

diff --git a/includes/model/User_model.php b/includes/model/User_model.php
index d47b2915..a928d895 100644
--- a/includes/model/User_model.php
+++ b/includes/model/User_model.php
@@ -112,11 +112,20 @@ function Users_by_angeltype($angeltype)
 * Nick is trimmed.
 *
 * @param string $nick
- * @return string
+ * @return ValidationResult
 */
 function User_validate_Nick($nick)
 {
- return preg_replace('/([^\p{L}\p{N}\-_. ]+)/ui', '', trim($nick));
+ $nick = trim($nick);
+
+ if(strlen($nick) == 0 || strlen($nick) > 23) {
+ return new ValidationResult(false, $nick);
+ }
+ if(preg_match('/([^\p{L}\p{N}\-_. ]+)/ui', $nick)) {
+ return new ValidationResult(false, $nick);
+ }
+
+ return new ValidationResult(true, $nick);
 }
 /**
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index a193aff7..e59c5baa 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -261,7 +261,10 @@ function admin_user()
 if ($user_source->settings->email_human) {
 $user_source->email = $request->postData('eemail');
 }
- $user_source->name = User_validate_Nick($request->postData('eNick'));
+ $nickValidation = User_validate_Nick($request->postData('eNick'));
+ if($nickValidation->isValid()) {
+ $user_source->name = $nickValidation->getValue();
+ }
 $user_source->save();
 $user_source->personalData->first_name = $request->postData('eVorname');
 $user_source->personalData->last_name = $request->postData('eName');
diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php
index 7b6eb9c1..a0aa92a5 100644
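Review bot: `preg_match()` returns `false` rather than `0` when the pattern cannot be run — with the `u` modifier that is the case for malformed UTF-8 input — and the new `if(preg_match(...))` in User_validate_Nick treats that falsy result like "no forbidden character found", so input the regex never examined comes back as a valid nick. Compare the result explicitly so both a match and an error reject the value: `if (preg_match('/([^\p{L}\p{N}\-_. ]+)/ui', $nick) !== 0) {`. Separately, `strlen($nick) > 23` counts bytes while the pattern admits any Unicode letter, so a 23-letter non-ASCII nick is rejected although the form text added elsewhere in this commit promises "up to 23 letters"; `mb_strlen($nick, 'UTF-8') > 23` matches the stated rule. `ValidationResult` is not defined in this diff, so the `isValid()`/`getValue()` contract the callers rely on is assumed rather than verified here.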
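Review bot: In admin_user.php, when `$nickValidation->isValid()` is false the new code silently keeps the previous name and still reaches `$user_source->save()`, so an admin who enters a rejected nick sees the edit succeed with the nick unchanged and no explanation. Add an `else` branch that reports it, e.g. `} else { $msg .= error(__('Please enter a valid nick.'), true); }`, mirroring how guest_register() reports the same condition, or abort the save for that request. admin_user() starts and ends outside this hunk, so where `$msg` is declared and rendered cannot be confirmed from the diff.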
--- a/includes/pages/guest_login.php
+++ b/includes/pages/guest_login.php
@@ -83,18 +83,21 @@ function guest_register()
 if ($request->hasPostData('submit')) {
 $valid = true;
- if ($request->has('nick') && strlen(User_validate_Nick($request->input('nick'))) > 1) {
- $nick = User_validate_Nick($request->input('nick'));
+ if ($request->has('nick')) {
+ $nickValidation = User_validate_Nick($request->input('nick'));
+ $nick = $nickValidation->getValue();
+
+ if(!$nickValidation->isValid()) {
+ $valid = false;
+ $msg .= error(sprintf(__('Please enter a valid nick.') . ' ' . __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'), $nick), true);
+ }
 if (User::whereName($nick)->count() > 0) {
 $valid = false;
 $msg .= error(sprintf(__('Your nick "%s" already exists.'), $nick), true);
 }
 } else {
 $valid = false;
- $msg .= error(sprintf(
- __('Your nick "%s" is too short (min. 2 characters).'),
- User_validate_Nick($request->input('nick'))
- ), true);
+ $msg .= error(__('Please enter a nickname.'), true);
 }
 if ($request->has('mail') && strlen(strip_request_item('mail')) > 0) {
@@ -283,7 +286,8 @@ function guest_register()
 div('col-md-6', [
 div('row', [
 div('col-sm-4', [
- form_text('nick', __('Nick') . ' ' . entry_required(), $nick)
+ form_text('nick', __('Nick') . ' ' . entry_required(), $nick),
+ form_info('', __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'))
 ]),
 div('col-sm-8', [
 form_email('mail', __('E-Mail') . ' ' . entry_required(), $mail),
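Review bot: The new invalid-nick message in guest_register() is built with `sprintf(...)` over a format string that contains no `%s`, so the `$nick` argument is never used and the call can simply be `$msg .= error(__('Please enter a valid nick.') . ' ' . __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'), true);`. A failed validation also falls straight into the `User::whereName($nick)->count()` check on the following context line, so one bad input can stack two errors; making that check an `elseif` keeps it to one message. `$nick` now holds the trimmed but rejected input and is written back into `form_text('nick', ...)` in the second hunk of this file, which is only safe if `form_text()` escapes its value — that helper is not shown in this diff. guest_register() continues beyond both hunks.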
@@ -395,9 +399,10 @@ function guest_login()
 $session->remove('uid');
 if ($request->hasPostData('submit')) {
- if ($request->has('nick') && strlen(User_validate_Nick($request->input('nick'))) > 0) {
- $nick = User_validate_Nick($request->input('nick'));
- $login_user = User::whereName($nick)->first();
+ if ($request->has('nick') && !empty($request->input('nick'))) {
+ $nickValidation = User_validate_Nick($request->input('nick'));
+ $nick = $nickValidation->getValue();
+ $login_user = User::whereName($nickValidation->getValue())->first();
 if ($login_user) {
 if ($request->has('password')) {
 if (!verify_password($request->postData('password'), $login_user->password, $login_user->id)) {
diff --git a/includes/view/User_view.php b/includes/view/User_view.php
index 718e89c6..87d767f8 100644
--- a/includes/view/User_view.php
+++ b/includes/view/User_view.php
@@ -36,6 +36,7 @@ function User_settings_view(
 form_info('', __('Here you can change your user details.')),
 form_info(entry_required() . ' = ' . __('Entry required!')),
 form_text('nick', __('Nick'), $user_source->name, true),
+ form_info('', __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.')),
 form_text('lastname', __('Last name'), $personalData->last_name),
 form_text('prename', __('First name'), $personalData->first_name),
 $enable_planned_arrival ? form_date(
-- 
cgit v1.2.3-54-g00ecf
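Review bot: `!empty($request->input('nick'))` in guest_login() rejects the string `'0'`, which User_validate_Nick() in the first hunk of this commit accepts as a one-character nick, so an account with that nick can no longer log in; `$request->input('nick') !== ''` (or just using the validator's result) avoids the truthiness trap. The lookup also ignores `$nickValidation->isValid()` and passes `$nickValidation->getValue()` to `User::whereName()` even though `$nick` was assigned that same value on the previous line — `$login_user = User::whereName($nick)->first();` is shorter and consistent with the registration path. guest_login() continues outside this hunk.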