From 5e5b283daf245c331d409a36a19a6834a62c4090 Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Wed, 19 Dec 2018 21:26:13 -0500
Subject: [PATCH] Validate username in admin user creation process

This runs usernames through the same checks as the web interface, ensuring no invalid user is created, such as user_name or userName. This closes #49
---
 app.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/app.go b/app.go
index 97aa7c6..f48b28e 100644
--- a/app.go
+++ b/app.go
@@ -26,6 +26,7 @@ import (
 "github.com/writeas/web-core/auth"
 "github.com/writeas/web-core/converter"
 "github.com/writeas/web-core/log"
+ "github.com/writeas/writefreely/author"
 "github.com/writeas/writefreely/config"
 "github.com/writeas/writefreely/page"
 )
@@ -508,6 +509,21 @@ func adminCreateUser(app *app, credStr string, isAdmin bool) {
 username := creds[0]
 password := creds[1]

+ // Normalize and validate username
+ desiredUsername := username
+ username = getSlug(username, "")
+
+ usernameDesc := username
+ if username != desiredUsername {
+ usernameDesc += " (originally: " + desiredUsername + ")"
+ }
+
+ if !author.IsValidUsername(app.cfg, username) {
+ log.Error("Username %s is invalid, reserved, or shorter than configured minimum length (%d characters).", usernameDesc, app.cfg.App.MinUsernameLen)
+ os.Exit(1)
+ }
+
+ // Hash the password
 hashedPass, err := auth.HashPass([]byte(password))
 if err != nil {
 log.Error("Unable to hash password: %v", err)
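Review bot: When `getSlug` rewrites the requested name and the result passes `author.IsValidUsername`, the account is created under the normalized name, but `usernameDesc`, the only value that records what the operator typed, is used solely in the failure message of the `adminCreateUser` hunk. For an admin account created from the command line this can leave the operator holding credentials for a name they did not enter. I would report the rewrite on the success path as well, for example `if username != desiredUsername { log.Info("Creating user %s", usernameDesc) }` directly after the validity check. The raw input is also formatted with `%s`; `%q` would keep empty or whitespace-only input readable in the log line. The function starts and ends outside this hunk, so later code may already print `username`, which would now be the normalized value only.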