Improve the maintainblity of the reserved username list (#32229)

(cherry picked from commit 6029d78ab5006e8fb4f42adb5a8c491f19fa7b0a) Conflicts: models/user/user.go services/user/user_test.go trivial context conflict tests/integration/user_test.go discarded entirely because dot may be allowed in Forgejo under some conditions
2024-10-13 10:13:04 +03:00 · 2024-10-13 10:13:04 +03:00 · 7855e4bb56
commit 7855e4bb56
parent eff28911d3
3 changed files with 39 additions and 46 deletions
--- a/models/user/user.go
+++ b/models/user/user.go
@ -586,44 +586,46 @@ var (
 		".",
 		"..",
 		".well-known",
-		"admin",
-		"api",
-		"assets",
-		"attachments",
-		"avatar",
-		"avatars",
-		"captcha",
-		"commits",
-		"debug",
-		"devtest",
-		"error",
-		"explore",
-		"favicon.ico",
-		"ghost",
-		"issues",
-		"login",
-		"manifest.json",
-		"metrics",
-		"milestones",
-		"new",
-		"notifications",
-		"org",
-		"pulls",
-		"raw",
-		"repo",
+
+		"api",     // gitea api
+		"metrics", // prometheus metrics api
+		"v2",      // container registry api
+
+		"assets",      // static asset files
+		"attachments", // issue attachments
+
+		"avatar",  // avatar by email hash
+		"avatars", // user avatars by file name
 		"repo-avatars",
-		"robots.txt",
-		"search",
-		"serviceworker.js",
-		"ssh_info",
+
+		"captcha",
+		"login", // oauth2 login
+		"org",   // org create/manage, or "/org/{org}", BUT if an org is named as "invite" then it goes wrong
+		"repo",  // repo create/migrate, etc
+		"user",  // user login/activate/settings, etc
+
+		"admin",
+		"devtest",
+		"explore",
+		"issues",
+		"pulls",
+		"milestones",
+		"notifications",
+
+		"favicon.ico",
+		"manifest.json", // web app manifests
+		"robots.txt",    // search engine robots
+		"sitemap.xml",   // search engine sitemap
+		"ssh_info",      // agit info
 		"swagger.v1.json",
-		"user",
-		"v2",
-		"gitea-actions",
-		"forgejo-actions",
+
+		"ghost",           // reserved name for deleted users (id: -1)
+		"gitea-actions",   // gitea builtin user (id: -2)
+		"forgejo-actions", // forgejo builtin user (id: -2)
 	}

-	// DON'T ADD ANY NEW STUFF, WE SOLVE THIS WITH `/user/{obj}` PATHS!
+	// These names are reserved for user accounts: user's keys, user's rss feed, user's avatar, etc.
+	// DO NOT add any new stuff! The paths with these names are processed by `/{username}` handler (UsernameSubRoute) manually.
 	reservedUserPatterns = []string{"*.keys", "*.gpg", "*.rss", "*.atom", "*.png"}
 )

--- a/services/user/user_test.go
+++ b/services/user/user_test.go
@ -114,12 +114,10 @@ func TestRenameUser(t *testing.T) {
 	})

 	t.Run("Non usable username", func(t *testing.T) {
-		usernames := []string{"--diff", "aa.png", ".well-known", "search", "aaa.atom"}
+		usernames := []string{"--diff", ".well-known", "gitea-actions", "aaa.atom", "aa.png"}
 		for _, username := range usernames {
-			t.Run(username, func(t *testing.T) {
-				require.Error(t, user_model.IsUsableUsername(username))
-				require.Error(t, RenameUser(db.DefaultContext, user, username))
-			})
+			require.Error(t, user_model.IsUsableUsername(username), "non-usable username: %s", username)
+			require.Error(t, RenameUser(db.DefaultContext, user, username), "non-usable username: %s", username)
 		}
 	})

--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@ -114,10 +114,7 @@ func TestRenameReservedUsername(t *testing.T) {
 		"avatar",
 		"avatars",
 		"captcha",
-		"commits",
-		"debug",
 		"devtest",
-		"error",
 		"explore",
 		"favicon.ico",
 		"ghost",
@ -126,16 +123,12 @@ func TestRenameReservedUsername(t *testing.T) {
 		"manifest.json",
 		"metrics",
 		"milestones",
-		"new",
 		"notifications",
 		"org",
 		"pulls",
-		"raw",
 		"repo",
 		"repo-avatars",
 		"robots.txt",
-		"search",
-		"serviceworker.js",
 		"ssh_info",
 		"swagger.v1.json",
 		"user",