From 4b69d64db2915ab76303798c3f610e4b6e011cff Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Sat, 24 Mar 2018 20:31:36 +0100
Subject: [PATCH] Fix #139: We now restrict some usernames from being used
 during signup

---
 api/config/settings/common.py       |  9 +++++++++
 api/tests/users/test_views.py       | 17 +++++++++++++++++
 changes/changelog.d/139.enhancement |  1 +
 3 files changed, 27 insertions(+)
 create mode 100644 changes/changelog.d/139.enhancement

diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index 077566d1..2c72865f 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -385,3 +385,12 @@ CSRF_USE_SESSIONS = True
 
 # Playlist settings
 PLAYLISTS_MAX_TRACKS = env.int('PLAYLISTS_MAX_TRACKS', default=250)
+
+ACCOUNT_USERNAME_BLACKLIST = [
+    'funkwhale',
+    'root',
+    'admin',
+    'owner',
+    'superuser',
+    'staff',
+] + env.list('ACCOUNT_USERNAME_BLACKLIST', default=[])
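Review bot: The new `ACCOUNT_USERNAME_BLACKLIST` block has no comment, unlike the `# Playlist settings` section just above it, and nothing says that the environment variable extends the built-in names rather than replacing them. I would add `# Usernames rejected at signup; ACCOUNT_USERNAME_BLACKLIST in the environment adds to these defaults and cannot remove them` above the list. The code that consumes the setting is not visible in this hunk, but if it does an exact per-name match, close variants such as `administrator` or `admin1` stay registrable. The comment should therefore also tell operators to add their instance-specific reserved names through the env var.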
diff --git a/api/tests/users/test_views.py b/api/tests/users/test_views.py
index 02b903bf..4be58696 100644
--- a/api/tests/users/test_views.py
+++ b/api/tests/users/test_views.py
@@ -23,6 +23,23 @@ def test_can_create_user_via_api(preferences, client, db):
     assert u.username == 'test1'
 
 
+def test_can_restrict_usernames(settings, preferences, db, client):
+    url = reverse('rest_register')
+    preferences['users__registration_enabled'] = True
+    settings.USERNAME_BLACKLIST = ['funkwhale']
+    data = {
+        'username': 'funkwhale',
+        'email': 'contact@funkwhale.io',
+        'password1': 'testtest',
+        'password2': 'testtest',
+    }
+
+    response = client.post(url, data)
+
+    assert response.status_code == 400
+    assert 'username' in response.data
+
+
 def test_can_disable_registration_view(preferences, client, db):
     url = reverse('rest_register')
     data = {
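Review bot: The new test overrides `settings.USERNAME_BLACKLIST`, but the setting this commit adds is `ACCOUNT_USERNAME_BLACKLIST`, so the override most likely has no effect and the 400 comes only from `'funkwhale'` being in the default list. Change the line to `settings.ACCOUNT_USERNAME_BLACKLIST = ['reserved-name']` and post that same username, one that is not among the defaults, so the test fails if the setting stops being honoured. A second request with a mixed-case spelling of the name would pin whether the comparison ignores case, which matters for impersonation of reserved accounts. The trailing context lines belong to `test_can_disable_registration_view`, whose body continues outside the hunk.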
diff --git a/changes/changelog.d/139.enhancement b/changes/changelog.d/139.enhancement
new file mode 100644
index 00000000..c6648d13
--- /dev/null
+++ b/changes/changelog.d/139.enhancement
@@ -0,0 +1 @@
+We now restrict some usernames from being used during signup (#139)
-- 
GitLab