Merge pull request #10 from davewoloszyn/MDL-80849

MDL-80849: Return error if username is numeric
moodlehq · May 7, 2024 · 156d7a2 · 156d7a2
2 parents 087f514 + e991be4
commit 156d7a2
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/application/src/Traits/GeneralTrait.php b/application/src/Traits/GeneralTrait.php
@@ -114,6 +114,23 @@ private function validateRequest(array $requested = [], array $checks = []): arr
                     ], 403);
                     return $response;
                 }
+
+                if ($check === 'user_id') {
+                    $userid = $requested['user_id'];
+                    // Isolate the username from '@username:server'.
+                    $start = strpos($userid, '@');
+                    $end = strpos($userid, ':', $start);
+                    $username = substr($userid, ($start + 1), ($end - $start) - 1);
+                    // Return an error if it is numeric.
+                    if (is_numeric($username)) {
+                        $response['status'] = false;
+                        $response['message'] = new JsonResponse((object) [
+                            'errcode' => 'M_INVALID_USERNAME',
+                            'error' => 'Numeric user IDs are reserved for guest users.'
+                        ], 400);
+                        return $response;
+                    }
+                }
             }
         } else {
             $response['status'] = false;