Usernames in admin URLs cause routing problems

fefrei · August 6, 2015, 11:21am

In some places, usernames are used as part of URLs, for example in admin/users/<username>. Some usernames can therefore cause routing issues:

Register a user list.
Login as the administrator, go to the users list, open the details for this user.
Notice that you are on admin/users/list.
Reload the page. You get to the list of all users, since admin/users/list actually matches this route.

Many other URLs like users/account-created are safe, since - cannot be part of a username.

Here, this is only a small annoyance. I’m not sure whether there are more interesting cases where a similar problem can be triggered, though.

codinghorror · August 7, 2015, 2:02am

I will add list to the blocked usernames. Any others?

sam · August 7, 2015, 2:05am

we really should stop with the “fancy” url thing in admin… /admin/users/1/sam … is a perfectly fine URL for an admin interface, plus knowing the user_id is actually handy sometimes when it comes to admin tasks.

fefrei · August 7, 2015, 7:12am

I’m really with @sam in this case:

So far, the blocked usernames only contain confusing usernames (that look official or unintentional), not ones that break the system.
This list is admin-editable, nothing is preventing the admin from removing entries. This would have non-obvious side effects.
If I understand correctly, changing the default won’t affect systems which already customized the list, for example by adding an entry.
I have a strong feeling that there are more cases like this. I think that account-created is safe only by coincidence, not by careful consideration (“there could be a username here, so let’s add an invalid character…”).

Also, I don’t see the drawback: /admin/users/1/sam is perfectly fine for the admin’s eyes (heck, t/usernames-in-admin-urls-cause-routing-problems/31825 is fine for everyone’s eyes!), still has the slug (which is nice), and even works as a permalink across username changes!
It would also fix some issues for free: For example, after renaming a user, the back-functionality breaks, since the old URLS 404.

codinghorror · August 7, 2015, 7:17am

Yeah, but that takes potentially hours of engineering effort, whereas blacklisting a pointless username like “list” takes me about 30 seconds.

fantasticfears · September 26, 2015, 1:54pm

As working on the Unicode username support, the first step would be relaxing username constraints in routes. And I will also apply /admin/users/1/sam to admin routes.

sam · March 31, 2016, 1:54am

I am pretty sure @fantasticfears submitted a PR to take care of this. My admin username path is now:

https://meta.discourse.org/admin/users/1/sam

Yes, I am #1 just like

Topic		Replies	Views
/admin/users does not route properly bug	2	608	November 12, 2017
Universal User Preferences URL feature	4	763	July 29, 2020
Two bugs with usernames starting with subfolder name bug subfolder	3	717	February 11, 2021
Friendly user profile url support	7	806	December 29, 2021
How to reserve full name like reserved username? support	5	436	May 31, 2023

Usernames in admin URLs cause routing problems

Related Topics