Fix #139: We now restrict some usernames from being used during signup

4b69d64d · Eliot Berriot · ae651903 · 4b69d64d · 4b69d64d · 4b69d64d
Verified Commit 4b69d64d authored 7 years ago by Eliot Berriot
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -385,3 +385,12 @@ CSRF_USE_SESSIONS = True

 # Playlist settings
 PLAYLISTS_MAX_TRACKS = env.int('PLAYLISTS_MAX_TRACKS', default=250)
+
+ACCOUNT_USERNAME_BLACKLIST = [
+    'funkwhale',
+    'root',
+    'admin',
+    'owner',
+    'superuser',
+    'staff',
+] + env.list('ACCOUNT_USERNAME_BLACKLIST', default=[])
--- a/api/tests/users/test_views.py
+++ b/api/tests/users/test_views.py
@@ -23,6 +23,23 @@ def test_can_create_user_via_api(preferences, client, db):
    assert u.username == 'test1'


+def test_can_restrict_usernames(settings, preferences, db, client):
+    url = reverse('rest_register')
+    preferences['users__registration_enabled'] = True
+    settings.USERNAME_BLACKLIST = ['funkwhale']
+    data = {
+        'username': 'funkwhale',
+        'email': 'contact@funkwhale.io',
+        'password1': 'testtest',
+        'password2': 'testtest',
+    }
+
+    response = client.post(url, data)
+
+    assert response.status_code == 400
+    assert 'username' in response.data
+
+
 def test_can_disable_registration_view(preferences, client, db):
    url = reverse('rest_register')
    data = {

--- a/changes/changelog.d/139.enhancement
+++ b/changes/changelog.d/139.enhancement
+We now restrict some usernames from being used during signup (#139)