Uppercase letters in username break reachable mention check in composer

RGJ · April 22, 2026, 9:26pm

Nice find @thoka !

The problem is here

app/controllers/composer_controller.rb

main


      
                raise Discourse::InvalidParameters.new(:allowed_names)
              end
              params[:allowed_names] << current_user.username
            else
              []
            end
          
          user_reasons = {}
          group_reasons = {}
          @names.each do |name|
            if user = users[name]
              reason = user_reason(user)
              user_reasons[name] = reason if reason.present?
            elsif group = groups[name]
              reason = group_reason(group)
              group_reasons[name] = reason if reason.present?
            end
          end
          
          if @topic && @names.include?(SiteSetting.here_mention) && guardian.can_mention_here?
            here_count =

users returns {"username_lower" => User object }

However if name is not downcased, users[name] does not exist.

Fix:

if user = users[name.downcase]
...
elsif group = groups[name.downcase]
...

Or better: downcase all names at the start of the method because there are a lot of issues in there, groups nicely does .where("lower(name) IN (?)", @names.map(&:downcase)) but functions like visible_group_ids_for_allowed_check, topic_allowed_group_ids, mentionable_group_ids and members_visible_group_ids all do where(name: @names) which introduces case sensitivity issues as well.

Topic		Replies	Views
Preview is changing casing of @ mentions Bug	2	887	June 15, 2015
Rich editor misses usernames with umlauts Bug composer	4	199	August 1, 2025
Unicode username with Σ as the final char leads to an error loading profile page Bug	36	2334	February 23, 2021
Discobot case-sensitive mentions Bug	3	602	May 7, 2019
Capitalization does not match when you open user cards using mentions Bug	13	1023	May 3, 2022

Uppercase letters in username break reachable mention check in composer

Related topics