Goit

Simple and lightweight Git web server
git clone http://git.omkov.net/Goit

AuthorJakob Wakeling <[email protected]>
Date2023-12-06 07:37:06
Commitefb68c32ffecdf337f3925f577d8285ffc615766
Parent84906b45f5d4e83cea581d5986477e7f3d21b814

Restrict legal name character set

Diffstat

M src/admin/repos.go | 4 ++--
M src/admin/users.go | 8 ++++----
M src/goit/goit.go | 13 ++++++++++++-
M src/repo/create.go | 5 +++--
M src/repo/edit.go | 4 ++--
M src/user/edit.go | 4 ++--

6 files changed, 25 insertions, 13 deletions

diff --git a/src/admin/repos.go b/src/admin/repos.go
index fdf7598..8c78faa 100644
--- a/src/admin/repos.go
+++ b/src/admin/repos.go
@@ -136,8 +136,8 @@ func HandleRepoEdit(w http.ResponseWriter, r *http.Request) {
 
 			if data.Edit.Name == "" {
 				data.Edit.Message = "Name cannot be empty"
-			} else if slices.Contains(goit.Reserved, data.Edit.Name) {
-				data.Edit.Message = "Name \"" + data.Edit.Name + "\" is reserved"
+			} else if slices.Contains(goit.Reserved, data.Edit.Name) || !goit.IsLegal(data.Name) {
+				data.Edit.Message = "Name \"" + data.Edit.Name + "\" is illegal"
 			} else if exists, err := goit.RepoExists(data.Edit.Name); err != nil {
 				log.Println("[/admin/repo/edit]", err.Error())
 				goit.HttpError(w, http.StatusInternalServerError)
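Review bot: The added `!goit.IsLegal(data.Name)` term validates `data.Name` rather than the submitted `data.Edit.Name`, so the character-set restriction is not applied to the new name on this rename path, although the rest of the chain and the error message use `data.Edit.Name`. The line should read `} else if slices.Contains(goit.Reserved, data.Edit.Name) || !goit.IsLegal(data.Edit.Name) {`. The same line is added to HandleEdit in src/repo/edit.go. Both edit handlers also compare the whole name against `goit.Reserved`, whereas src/repo/create.go compares only the first `/` segment, so the create and rename paths probably disagree on a name whose first segment is reserved. HandleRepoEdit continues outside the hunk.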
diff --git a/src/admin/users.go b/src/admin/users.go
index 67a855c..a12381a 100644
--- a/src/admin/users.go
+++ b/src/admin/users.go
@@ -87,8 +87,8 @@ func HandleUserCreate(w http.ResponseWriter, r *http.Request) {
 
 		if data.Form.Name == "" {
 			data.Message = "Username cannot be empty"
-		} else if slices.Contains(goit.Reserved, data.Form.Name) {
-			data.Message = "Username \"" + data.Form.Name + "\" is reserved"
+		} else if slices.Contains(goit.Reserved, data.Form.Name) || !goit.IsLegal(data.Form.Name) {
+			data.Message = "Username \"" + data.Form.Name + "\" is illegal"
 		} else if exists, err := goit.UserExists(data.Form.Name); err != nil {
 			log.Println("[/admin/user/create]", err.Error())
 			goit.HttpError(w, http.StatusInternalServerError)
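Review bot: Usernames are checked here with the same `IsLegal` set as repository names, and that set includes `/` and `.`, so a username such as `a/b`, `.` or `..` passes this branch. Those characters appear to be there for namespaced repository paths. Whether they are harmful in a username depends on how usernames are used in routes or on disk, which is not visible in this hunk; it is worth confirming, or giving usernames a narrower check that excludes `/`. HandleUserCreate continues outside the hunk.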
@@ -175,8 +175,8 @@ func HandleUserEdit(w http.ResponseWriter, r *http.Request) {
 
 		if data.Form.Name == "" {
 			data.Message = "Username cannot be empty"
-		} else if slices.Contains(goit.Reserved, data.Form.Name) && user.Id != 0 {
-			data.Message = "Username \"" + data.Form.Name + "\" is reserved"
+		} else if slices.Contains(goit.Reserved, data.Form.Name) && user.Id != 0 || !goit.IsLegal(data.Form.Name) {
+			data.Message = "Username \"" + data.Form.Name + "\" is illegal"
 		} else if exists, err := goit.UserExists(data.Form.Name); err != nil {
 			log.Println("[/admin/user/edit]", err.Error())
 			goit.HttpError(w, http.StatusInternalServerError)
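Review bot: The condition on the new `else if` line mixes `&&` and `||` without parentheses; Go binds `&&` tighter, so it evaluates as intended, but the grouping is easy to misread in a validation path. Writing `(slices.Contains(goit.Reserved, data.Form.Name) && user.Id != 0) || !goit.IsLegal(data.Form.Name)` makes it explicit that the `user.Id != 0` exemption applies only to the reserved check and never to the character-set check. The same line is added to HandleEdit in src/user/edit.go. HandleUserEdit continues outside the hunk.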
diff --git a/src/goit/goit.go b/src/goit/goit.go
index 59051bf..33f73a3 100644
--- a/src/goit/goit.go
+++ b/src/goit/goit.go
@@ -15,6 +15,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"
 
@@ -94,7 +95,7 @@ func Goit(conf string) (err error) {
 		`CREATE TABLE IF NOT EXISTS users (
 			id INTEGER PRIMARY KEY AUTOINCREMENT,
 			name TEXT UNIQUE NOT NULL,
-			name_full TEXT UNIQUE NOT NULL,
+			name_full TEXT NOT NULL,
 			pass BLOB NOT NULL,
 			pass_algo TEXT NOT NULL,
 			salt BLOB NOT NULL,
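Review bot: Dropping `UNIQUE` from `name_full` only affects databases created after this commit, because the statement is `CREATE TABLE IF NOT EXISTS` and an existing `users` table keeps its old constraint. If existing installs are meant to accept duplicate full names, a migration that rebuilds the table is needed; none is visible in this hunk. The schema change is also not mentioned in the commit title, so a line in the commit message would help. The statement and Goit() continue outside the hunk.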
@@ -150,6 +151,16 @@ func RepoPath(name string, abs bool) string {
 	return util.If(abs, filepath.Join(Conf.DataPath, "repos", name+".git"), filepath.Join(name+".git"))
 }
 
+func IsLegal(s string) bool {
+	for i := 0; i < len(s); i += 1 {
+		if !slices.Contains([]byte("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~/"), s[i]) {
+			return false
+		}
+	}
+
+	return true
+}
+
 func Backup() error {
 	data := struct {
 		Users []User `json:"users"`
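Review bot: `IsLegal` checks characters only, so a name built from allowed characters but containing a `..` segment (for example `../x`) or an empty segment (`a//b`, a leading or trailing `/`) is accepted, and `RepoPath` in the context line above passes the name to `filepath.Join(Conf.DataPath, "repos", name+".git")`, which resolves `..` segments. The function should also reject empty, `.` and `..` segments so that an accepted name always stays under the repos directory. That makes `IsLegal("")` return false, which the callers in this commit already cover with their empty-name branch. The function also has no doc comment and rebuilds the `[]byte` allow-list on every iteration; a package-level constant checked with `strings.IndexByte` would avoid that.

```go
func IsLegal(s string) bool {
	// … unchanged: per-byte allow-list loop …

	// Reject empty, "." and ".." segments so the name cannot resolve outside the repos directory.
	for _, seg := range strings.Split(s, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return false
		}
	}

	return true
}
```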
diff --git a/src/repo/create.go b/src/repo/create.go
index 37d6ee1..c39c826 100644
--- a/src/repo/create.go
+++ b/src/repo/create.go
@@ -5,6 +5,7 @@ import (
 	"log"
 	"net/http"
 	"slices"
+	"strings"
 
 	"github.com/Jamozed/Goit/src/goit"
 	"github.com/gorilla/csrf"
@@ -41,8 +42,8 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) {
 
 		if data.Name == "" {
 			data.Message = "Name cannot be empty"
-		} else if slices.Contains(goit.Reserved, data.Name) {
-			data.Message = "Name \"" + data.Name + "\" is reserved"
+		} else if slices.Contains(goit.Reserved, strings.SplitN(data.Name, "/", 2)[0]) || !goit.IsLegal(data.Name) {
+			data.Message = "Name \"" + data.Name + "\" is illegal"
 		} else if exists, err := goit.RepoExists(data.Name); err != nil {
 			log.Println("[/repo/create]", err.Error())
 			goit.HttpError(w, http.StatusInternalServerError)
diff --git a/src/repo/edit.go b/src/repo/edit.go
index c72b342..5bba196 100644
--- a/src/repo/edit.go
+++ b/src/repo/edit.go
@@ -114,8 +114,8 @@ func HandleEdit(w http.ResponseWriter, r *http.Request) {
 
 			if data.Edit.Name == "" {
 				data.Edit.Message = "Name cannot be empty"
-			} else if slices.Contains(goit.Reserved, data.Edit.Name) {
-				data.Edit.Message = "Name \"" + data.Edit.Name + "\" is reserved"
+			} else if slices.Contains(goit.Reserved, data.Edit.Name) || !goit.IsLegal(data.Name) {
+				data.Edit.Message = "Name \"" + data.Edit.Name + "\" is illegal"
 			} else if exists, err := goit.RepoExists(data.Edit.Name); err != nil {
 				log.Println("[/repo/edit]", err.Error())
 				goit.HttpError(w, http.StatusInternalServerError)
diff --git a/src/user/edit.go b/src/user/edit.go
index f3a4486..834c748 100644
--- a/src/user/edit.go
+++ b/src/user/edit.go
@@ -47,8 +47,8 @@ func HandleEdit(w http.ResponseWriter, r *http.Request) {
 
 			if data.Form.Name == "" {
 				data.MessageA = "Username cannot be empty"
-			} else if slices.Contains(goit.Reserved, data.Form.Name) && user.Id != 0 {
-				data.MessageA = "Username \"" + data.Form.Name + "\" is reserved"
+			} else if slices.Contains(goit.Reserved, data.Form.Name) && user.Id != 0 || !goit.IsLegal(data.Form.Name) {
+				data.MessageA = "Username \"" + data.Form.Name + "\" is illegal"
 			} else if exists, err := goit.UserExists(data.Form.Name); err != nil {
 				log.Println("[/user/edit]", err.Error())
 				goit.HttpError(w, http.StatusInternalServerError)