authorRichard Jones <richard@mechanicalcat.net>2013-07-12 09:55:06 +1000
committerRichard Jones <richard@mechanicalcat.net>2013-07-12 09:55:06 +1000
commit456a1d2782f6224079079ec7730d3547ef4f09d2 (patch)
tree83be152c11a9bc0eec483a638749eba1945eae0b
parent28f1006d60c998b686537efaf704fb71b7bee982 (diff)
a few places where user-supplied username should be matched without case-sensitivity
-rw-r--r--store.py18
-rw-r--r--webui.py6
2 files changed, 16 insertions, 8 deletions
diff --git a/store.py b/store.py
index 37d05c1..16e0967 100644
--- a/store.py
+++ b/store.py
@@ -1572,15 +1572,20 @@ class Store:
return otk
_User = FastResultRow('name password email gpg_keyid last_login!')
- def get_user(self, name):
+ def get_user(self, name, case_sensitive=True):
''' Retrieve info about the user from the database.
Returns a mapping with the user info or None if there is no
such user.
'''
cursor = self.get_cursor()
- safe_execute(cursor, '''select name, password, email, gpg_keyid, last_login
- from users where name=%s''', (name,))
+ if case_sensitive:
+ sql = '''select name, password, email, gpg_keyid, last_login
+ from users where name=%s'''
+ else:
+ sql = '''select name, password, email, gpg_keyid, last_login
+ from users where lower(name)=lower(%s)'''
+ safe_execute(cursor, , (name,))
return self._User(None, cursor.fetchone())
def get_user_by_email(self, email):
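Review bot: With `lower(name)=lower(%s)`, two existing accounts whose names differ only in case both satisfy the query and `fetchone()` silently returns whichever row the database yields first, so a login or reset attempt for one account can be evaluated against the other's password hash. Unless registration already enforces case-insensitive uniqueness (not visible here), the case-insensitive branch should treat more than one match as no match: `rows = cursor.fetchall()` followed by `return self._User(None, rows[0] if len(rows) == 1 else None)`, assuming `_User(None, None)` is what represents a missing user. The `lower(name)` predicate also defeats a plain index on `users.name` unless a functional index exists, which matters on the login path. Separately, `safe_execute(cursor, , (name,))` as rendered here has no SQL argument and would be a SyntaxError; if that is what was committed rather than an extraction artifact it needs `safe_execute(cursor, sql, (name,))`.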
@@ -1686,11 +1691,14 @@ class Store:
safe_execute(self.get_cursor(), "delete from rego_otk where otk=%s",
(otk,))
- def get_otk(self, name):
+ def get_otk(self, username):
''' Retrieve the One Time Key for the user.
+
+ Username must be a case-sensitive match.
'''
cursor = self.get_cursor()
- safe_execute(cursor, "select otk from rego_otk where name=%s", (name, ))
+ safe_execute(cursor, 'select otk from rego_otk where name=%s',
+ (username, ))
res = cursor.fetchone()
if res is None:
return ''
diff --git a/webui.py b/webui.py
index 45fd532..f7c11d0 100644
--- a/webui.py
+++ b/webui.py
@@ -662,7 +662,7 @@ class WebUI:
return
# Fetch the user from the database
- user = self.store.get_user(un)
+ user = self.store.get_user(un, case_sensitive=False)
# Verify the hash, and see if it needs migrated
ok, new_hash = self.config.passlib.verify_and_update(pw, user["password"])
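Review bot: After the case-insensitive match the surrounding code keeps using the user-supplied spelling `un`, but the matched account's stored name may differ in case, and store methods that remain case-sensitive (this commit documents `get_otk` as one) or anything keyed on the username will then miss; canonicalise right after the lookup with `un = user['name']`, or use `user['name']` wherever the enclosing function, which starts before and continues past this hunk, refers to the name. Also, `user["password"]` on the next line dereferences the result before checking it: if `get_user` returns None for an unknown name, as its docstring states, an unknown username raises here instead of failing the login, so a guard such as `if not user: return self.fail(...)` belongs before the verify call unless that is handled somewhere out of view.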
@@ -2995,12 +2995,12 @@ class WebUI:
self.write_template("password_reset.pt",
title="Request password reset", retry=True)
- user = self.store.get_user(name)
+ user = self.store.get_user(name, case_sensitive=False)
# typically other systems would not indicate the username is invalid
# but in PyPI's case the username list is public so this is more
# user-friendly with no security penalty
if not user:
- self.fail('user name unknown to me')
+ self.fail('user "%s" unknown to me' % name)
return
# existing registration OTK?
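Review bot: The reset path now finds the account case-insensitively, but the code that follows (`# existing registration OTK?`) runs past the hunk and `get_otk` in this same commit is explicitly case-sensitive, so every later use of the submitted `name` must become the canonical `user['name']` or the OTK lookup and the reset mail can silently target a different spelling; add `name = user['name']` immediately after the `if not user` check. The new failure message also reflects the raw `name` into the response, which is safe only if `self.fail` escapes its argument for HTML — that cannot be confirmed from here, and if it writes markup directly this is a reflected-XSS vector, so the value should go through the template's escaping or `cgi.escape(name)` before interpolation. The enclosing function starts before and ends after this hunk.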