authorMarian Sigler <m@qjym.de>2012-10-05 22:09:57 +0200
committerMarian Sigler <m@qjym.de>2012-10-05 22:09:57 +0200
commitf977b8ee3e46b3b3ead86d08b3ef6298a4b430b9 (patch)
tree00321051a25baa65c84a1589d06a46935818a5e4 /utils.py
parent457066ad1bc58ef70b1e224616c8ba9955d2acf4 (diff)
Disallow usernames starting with admin or root. Allow digits.
Diffstat (limited to 'utils.py')
-rw-r--r--utils.py17
1 files changed, 16 insertions, 1 deletions
diff --git a/utils.py b/utils.py
index 24a17b2..573345d 100644
--- a/utils.py
+++ b/utils.py
@@ -10,14 +10,17 @@ from Crypto.Cipher import AES
from email.mime.text import MIMEText
from functools import wraps
from flask import current_app, flash, g, redirect, render_template, request, session, url_for
+from flask.ext.wtf import ValidationError
from hashlib import sha1
from random import randint
from time import time
from werkzeug.exceptions import Forbidden
+from wtforms.validators import Regexp
-_username_re = re.compile(r'^[-a-zA-Z]{2,16}')
+_username_re = re.compile(r'^[a-zA-Z][a-zA-Z0-9-]{1,15}')
+_username_exclude_re = re.compile(r'^(admin|root)')
# using http://flask.pocoo.org/docs/patterns/viewdecorators/
def templated(template=None):
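Review bot: The new `_username_re` still has no end anchor, so if it is applied with `match()` (which wtforms' `Regexp` does; the call site is outside this hunk) only a prefix is checked. Anything may follow the first 2–16 valid characters, and the 16-character cap is not enforced. Anchor it with `_username_re = re.compile(r'^[a-zA-Z][a-zA-Z0-9-]{1,15}\Z')`, using `\Z` rather than `$` so that a trailing newline is rejected too. `_username_exclude_re` is case-sensitive while the username pattern accepts upper case, so `Admin…` and `ROOT…` pass the new exclusion; `re.compile(r'^(admin|root)', re.IGNORECASE)` closes that. A short comment above the two patterns stating the intended policy (letters first, 2–16 characters, reserved prefixes) would help the next reader.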
@@ -212,3 +215,15 @@ def send_register_confirmation_mail(username, mail):
send_mail(mail, u'E-Mail-Adresse bestätigen', body,
sender=current_app.config.get('MAIL_CONFIRM_SENDER'))
+
+
+class NotRegexp(Regexp):
+ """
+ Like wtforms.validators.Regexp, but rejects data that DOES match the regex.
+ """
+ def __call__(self, form, field):
+ if self.regex.match(field.data or u''):
+ if self.message is None:
+ self.message = field.gettext(u'Invalid input.')
+
+ raise ValidationError(self.message)
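Review bot: `NotRegexp.__call__` writes the translated default back to `self.message`. A validator declared on a form class is one instance shared by every form built from that class, so the first request's translation sticks for all later ones. Keep it local instead: `message = self.message if self.message is not None else field.gettext(u'Invalid input.')` followed by `raise ValidationError(message)`. The docstring should also say that the check uses `regex.match`, so the pattern is tested only from the start of the value, and a pattern meant to reject a substring anywhere needs a leading `.*` or a different validator.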