Username_no_double_special Any reason to enforce it?


(Crosseye Jack) #1

Hey, we are planning to use Discourse linked with sign in from an outside oauth. The thing is some of our existing users have 2 or more “special” chars in their username and username_no_double_special is trying to remove the extra.

So before I hack the forum to bits to remove “username_no_double_special” is there any security reason (or any other reason) for it to remove the extra special chars or is it just to make usernames look nicer?

EDIT: to bits I mean just remove the call from username_validator.rb for now, and maybe later put a switch in admin to allow the feature or not.

EDIT2: guess I will have to modify sanitize_username too.


(Jeff Atwood) #2

Discourse has fairly strict rules on usernames, I don’t recommend relaxing that as a lot of downstream stuff may break. If you need unicode or other unusual characters, put them in the “Full Name” field – that’s what it is for.


(Crosseye Jack) #3

The problem with that (for our use case) is a) we will need to store the username they use to log in with on the site that we will be using for oauth to do other checks down the road. b) as far as I can see discourse allows users to set their “full name”.

So even if I force set it during account creation they can change it later (unless I missed something in the settings) so I will prob have to mod discourse to for set “can_edit_name” on users.

We don’t need unicode in the username as the site we are using for oauth doesn’t allow unicode in their usernames.

EDIT: Though I can prob do that in the oauth plugin we are writting to handle setting can_edit_name on users during account creation/login.


(Jeff Atwood) #4

Yes, it is OK to turn off editing of usernames if the SSO scheme requires them to match.


(Rafael dos Santos Silva) #5

We also store external_id for SSO logins, that may help you.