Groups can be given same name as existing username

I just came across this on my site - it is indeed possible to create a group with the same name as an existing username. Chaos ensues.

(Actually, not sure about the chaos - we had this situation for months before I noticed it today)

7 Likes

I think the reverse is also true, @tgxworld can you add this to your list, we definitely want to sort it out so usernames and groups can never share the same name.

8 Likes

I’ve added the missing server side validations for now in

https://github.com/discourse/discourse/commit/221503cd10d1421f1a0e02931c034d6cd468e57c

@sam I’m unsure about how we should proceed here with regards to the database constraints though, do you think it is worth extracting User#username and Group#name into a separate table? Those two columns are used frequently so having to join on another table might be expensive. Instead of splitting into another table, I was thinking of treating Group#name as having a lower priority than User#username. We’ll just run a periodic job that ensures that no group names would clash with a user. If someone manages to sneak a group named
test past our server side validations when a user test already exists, the job would just rename the group to test1.

5 Likes

3 posts were split to a new topic: Add support for Groups and Usernames that completely overlap

I am assuming this is now sorted, so I am closing it.

3 Likes