username allowed characters

svhb at telenet.be svhb at telenet.be
Wed Feb 22 09:34:08 UTC 2023


Hi Mads, 

I don't have issues with emails and usernames in different namespaces. It is not my intention to use the "username" as email address, lets keep them indeed separate. It is just problematic that the username in my case also looks like an email address (with '@') 

As it happens, our IT-dept has a hard request to use the email to login in systems, so I need to use the email as "Login Attribute" for LDAPS (the AD attribute is called userPrincipleName but I don't know if that is a standard), no problem here. The "Email Attribute" just gets the same data, so for Kallithea, the mail address is still a different variable, but probably with the same content. 
To complicate things further, this 'userPrincipleName' can be an email-address on a different domain, than the standard 'Email Attribute' for a specific user, in this case the Email is different than the login. 

The issue arises when I want to change a setting on a user (for example make someone admin), then the earlier 'valid' username is not valid anymore. Hence, the little hack, just allow a slightly more flexible rule to validate the username. 

Cheers, 

Stefaan 




Van: "Mads Kiilerich" <mads at kiilerich.com> 
Aan: "vanheesbeke stefaan" <svhb at telenet.be>, "kallithea-general" <kallithea-general at sfconservancy.org> 
Verzonden: Dinsdag 21 februari 2023 15:25:10 
Onderwerp: Re: username allowed characters 

Hi 

Thank you. 

But ... 

Kallithea generally tries to keep logins and emails unambiguous and in different namespaces. It is arguably a bug if Kallithea allows LDAP to use email addresses as usernames. 

The assumption is probably not entirely enforced, but it and the consequences show up for example in get_by_username_or_email . 

If allowing @ in usernames, it should perhaps be enforced that it only is allowed if it matches the email ... but that seems like a hack that would be hard to enforce and not really feasible. 

But it is already generally possible to login with email instead of username. Perhaps that doesn't work with LDAP? Can you set attr_login to point at the email attribute? Or does that have other bad consequences? Something that could be fixed instead? 

/Mads 


On 21/02/2023 12:03, [ mailto:svhb at telenet.be | svhb at telenet.be ] wrote: 



Hello, 

I'm using LDAP to authenticate users to our system. Out IT-dept hammers on the fact that we need to use the email-address of users to login. 

The login works ok, but when I want to change the settings for a certain user, it complains about a '@' in the user name.A simple patch during docker build solved this issue. 

Since email addresses are used regularly for logging in, maybe this can be also in the next version of Kallithea. 


Simply said : just adding @ to the regexp for username does the job. 

--- validators.py 2023-02-21 10:25:27.657212999 +0000 
+++ validators_new.py 2023-02-21 10:26:40.560218089 +0000 
@@ -92,7 +92,7 @@ 
msg = self.message('username_exists', state, username=value) 
raise formencode.Invalid(msg, value, state) 

- if re.match(r'^[a-zA-Z0-9\_]{1}[a-zA-Z0-9\-\_\.]*$', value) is None: 
+ if re.match(r'^[a-zA-Z0-9\_]{1}[a-zA-Z0-9\-\_\.@]*$', value) is None: 
msg = self.message('invalid_username', state) 
raise formencode.Invalid(msg, value, state) 
return _validator 

Cheers, 
Stefaan 


BTW : this is the best package I encountered since bitbucket stopped with Hg. 


_______________________________________________
kallithea-general mailing list [ mailto:kallithea-general at sfconservancy.org | kallithea-general at sfconservancy.org ] [ https://lists.sfconservancy.org/mailman/listinfo/kallithea-general | https://lists.sfconservancy.org/mailman/listinfo/kallithea-general ] 






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sfconservancy.org/pipermail/kallithea-general/attachments/20230222/3997d657/attachment.html>


More information about the kallithea-general mailing list