Most static routes in the
/user) path haven’t been fully protected against interference with the
/u/:username path structure.
/u/account-created) has been protected. It has a
url re-write exception (i.e. to prevent
/u/account-createdbeing rewritten to
- appears by default in the
However the rest of the static routes in the
/u/ path have not. For example, you can register
password-reset as a username, but when you try to go to your profile you see:
The same applies for all the server routes in the
/u/ path apart from
For most of these you get a 404 error if you use it as a username and then try to go to your profile.
This is a relatively minor issue as it is highly unlikely these static path names will be used as usernames, but it is still technically a ‘bug’.
In addition to protecting these other static routes, you may want to consider whether it makes sense to use a site setting to prevent people using static
/u/ routes as a username.
There are no circumstances in which you can change this setting and not create the issues mentioned above, unless you also change the static routes themselves. The static routes are hardcoded, so the username exceptions should probably also be hardcoded.