dont accept invalid characters in username. fixes #1

luncho/blueprints/users.py

@@ -40,6 +40,22 @@ class UsernameAlreadyExistsException(LunchoException):
         self.message = 'Username already exists'
 
 
+class InvalidUsernameException(LunchoException):
+    """The chosen username has invalid characters.
+
+    .. sourcecode:: http
+
+       HTTP/1.1 406 Not Acceptable
+       Content-Type: application/json
+
+       { "status": "ERROR": "message": "Invalid characters in username" }
+    """
+    def __init__(self):
+        super(InvalidUsernameException, self).__init__()
+        self.status = 406
+        self.message = 'Invalid characters in username'
+
+
 @users.route('', methods=['POST'])
 @ForceJSON(required=['username', 'full_name', 'password'])
 def create_user():
@@ -63,10 +79,16 @@ def create_user():
        { "status": "OK" }
 
     :statuscode 200: Success
+    :statuscode 406: Invalid characters in username
+        (:py:class:`InvalidUsernameException`)
     :statuscode 409: Username already exists
         (:py:class:`UsernameAlreadyExistsException`)
     """
     json = request.get_json(force=True)
+    invalid_characters = ' !@#$%^&*()|[]{}/\\\'"`~"'
+    for char in invalid_characters:
+        if char in json['username']:
+            raise InvalidUsernameException()
 
     try:
         new_user = User(username=json['username'],

tests/users_tests.py

@@ -47,6 +47,14 @@ class TestUsers(LunchoTests):
         self.assertJsonError(rv, 400, 'Missing fields', fields=['username',
                                                                 'full_name'])
 
+    def test_invalid_characters(self):
+        """Create a user with invalid characters."""
+        request = {'username': "user'",
+                   'full_name': 'invalid',
+                   'password': 'hash'}
+        rv = self.post('/user/', data=request)
+        self.assertJsonError(rv, 406, 'Invalid characters in username')
+
 
 class TestExistingUsers(LunchoTests):
     """Tests for existing users."""