[Fix] Login via email, prevent Usernames with certain chars

2026-02-16 13:58:06 +01:00
parent 58ab5b33e3
commit 5150027f0d
2 changed files with 29 additions and 5 deletions
--- a/epdb/views.py
+++ b/epdb/views.py
@ -6,7 +6,9 @@ from typing import Any, Dict, List
 import nh3
 from django.conf import settings as s
 from django.contrib.auth import get_user_model
-from django.core.exceptions import BadRequest, PermissionDenied
+from django.contrib.auth.validators import UnicodeUsernameValidator
+from django.core.exceptions import BadRequest, PermissionDenied, ValidationError
+from django.core.validators import validate_email
 from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseNotAllowed, JsonResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
@ -160,14 +162,27 @@ def login(request):

        # Get email for username and check if the account is active
        try:
-            temp_user = get_user_model().objects.get(username=username)
+            # Try username and if it fails check if username is a valid email adress and we'll find a user
+            try:
+                temp_user = get_user_model().objects.get(username=username)
+            except get_user_model().DoesNotExist as e:
+                # validate_email returns None if input is valid -> check for None
+                # Otherwise a ValidationError is raised
+                if validate_email(username) is None:
+                    temp_user = get_user_model().objects.get(email=username)
+                else:
+                    raise e

            if not temp_user.is_active:
                context["message"] = "User account is not activated yet!"
                return render(request, "static/login.html", context)

            email = temp_user.email
-        except get_user_model().DoesNotExist:
+        except (get_user_model().DoesNotExist, ValidationError):
+            context["message"] = "Login failed!"
+            return render(request, "static/login.html", context)
+        except Exception as e:
+            logger.info(f"Uncaught exception while trying to login: {e}")
            context["message"] = "Login failed!"
            return render(request, "static/login.html", context)

@ -230,6 +245,13 @@ def register(request):
            context["message"] = "Invalid username/email/password"
            return render(request, "static/login.html", context)

+        if UnicodeUsernameValidator(username) is not None:
+            context["message"] = (
+                "Enter a valid username. This value may contain only letters, "
+                "numbers, and @/./+/-/_ characters."
+            )
+            return render(request, "static/login.html", context)
+
        if password != rpassword or password == "":
            context["message"] = "Registration failed, provided passwords differ!"
            return render(request, "static/login.html", context)