From 2f4383eef77da7dbefd5a9671e60ef5f9d78dd4e Mon Sep 17 00:00:00 2001
From: "byte[]"
Date: Mon, 1 Nov 2021 15:32:01 +0100
Subject: [PATCH] fix security flaw in usernames
---
 lib/philomena/users/user.ex | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/philomena/users/user.ex b/lib/philomena/users/user.ex
index e5d15e77..3a4ee253 100644
--- a/lib/philomena/users/user.ex
+++ b/lib/philomena/users/user.ex
@@ -155,6 +155,7 @@ defmodule Philomena.Users.User do
 defp validate_name(changeset) do
 changeset
+ |> update_change(:name, &String.trim/1)
 |> validate_required([:name])
 |> validate_length(:name, max: 50)
 end
@@ -283,6 +284,7 @@ defmodule Philomena.Users.User do
 ])
 |> validate_required([:name, :email, :role])
 |> validate_inclusion(:role, ["user", "assistant", "moderator", "admin"])
+ |> validate_name()
 |> put_assoc(:roles, roles)
 |> put_slug()
 |> unique_constraints()
@@ -379,8 +381,8 @@ defmodule Philomena.Users.User do
 user
 |> cast(attrs, [:name])
- |> validate_required([:name])
- |> put_slug
+ |> validate_name()
+ |> put_slug()
 |> unique_constraints()
 |> put_change(:last_renamed_at, now)
 end
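Review bot: `String.trim/1` in `validate_name/1` runs on whatever change is present for `:name`, and it accepts only a binary. If `cast` has turned an empty submitted name into a `nil` change (Ecto's usual handling of empty values, which the rename path's `cast(attrs, [:name])` in the third hunk would be subject to), this line raises `FunctionClauseError` before `validate_required([:name])` can report the field as blank. Guarding the callback keeps the failure a validation error rather than a crash: `|> update_change(:name, fn name -> if is_binary(name), do: String.trim(name), else: name end)`.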
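Review bot: `validate_name()` is the only name canonicalisation visible in this pipeline ahead of `put_slug()` and `unique_constraints()`, and it strips leading and trailing whitespace only. Names that differ by a run of interior spaces, by invisible code points, or by Unicode normalisation form are still treated as distinct, so look-alike usernames remain possible unless `put_slug/1` or the uniqueness index already folds them, which this patch does not show. Consider normalising inside `validate_name/1` as well, for example `String.normalize(name, :nfc)` plus collapsing interior whitespace, so that the uniqueness check sees one canonical form. The changeset pipeline this line belongs to starts above the hunk.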
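Review bot: The trim takes effect only when a name is written through one of these changesets, so accounts whose stored name already carries leading or trailing whitespace keep it after this patch. The diffstat lists `user.ex` as the only file changed, so no data migration accompanies the fix. A one-off audit of rows whose name differs from its trimmed form would close that gap, with a plan for any that collide with an existing name once trimmed. The function around this pipeline begins above the hunk.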