Fossil Forum

Constraints on usernames, and a login discrepancy between forum and main site

(1) By lvh on 2022-01-30 20:33:52

On the main https://fossil-scm.org site, I was able to register with username lvh___. I could not use lvh because the main site requires user names with a minimum of 3 characters. However, when I visited the forum at https://fossil-scm.org/forum/ I was logged out, and surprised to find my login for the main site did not work. Apparently I had already signed up to the forum with a user name of lvh; I discovered this as it told me my email address was already in use when I attempted to create a user.

This was surprising to me, because I understood one of the touted advantages of the builtin forum to be a form of unified user management. Is this a specific limitation of the fossil-scm.org setup? Judging by the commit history I think I may have accidentally found myself on opposite sides of this commit further restricting user names, combined with an unexpected separation between the main Fossil instance and its forum.

If an administrator would be so kind as to change my fossil-scm.org username to lvh (which I thought I also owned -- but apparently I was mistaken?), I would be much obliged.

Ironically I wanted to log in to the forum to ask a related question: what, if any, are the concrete constraints on user names? Currently, usernames seem to be approximately [A-Za-z0-9.-_]{6,} based on login.c. I am considering trying Fossil with federated usernames via a SAML/OIDC proxy and REMOTE_USER. As a consequence, the usernames may have all sorts of weird characters in them, though one would generally expect them to look like an email address (just user@domain.tld, not Cameron Doe <cdoe@example.com> or anything). This seems like it would have consequences for escaping. Given that the requirements have changed before, can I count on [A-Za-z0-9.-_] working everywhere, and any potential escaping issues being squarely the skin's fault?

Thanks!

(2) By Stephan Beal (stephan) on 2022-01-30 20:48:40 in reply to 1

> However, when I visited the forum at https://fossil-scm.org/forum/ I was logged out, and surprised to find my login for the main site did not work.

This project hosts its code and forum in two separate repositories, probably (just speculating) because it was the first-ever forum of its kind and it made sense to keep them separate while the bugs were worked out.

> Is this a specific limitation of the fossil-scm.org setup?

Yes. If you look at /forum/timeline, for example, you won't see any checkins because this one is a forum-only repository.

> If an administrator would be so kind as to change my fossil-scm.org username to lvh (which I thought I also owned -- but apparently I was mistaken?), I would be much obliged.

Please email me (← note the link) from the email address you entered for the account and i'll get it renamed.

> Ironically I wanted to log in to the forum to ask a related question: what, if any, are the concrete constraints on user names?

The constraints differ depending on whether they're being applied via self-registration or the user editor (via an admin) or the CLI. As seen in the link you posted, self-registration requires at least 6 digits. In practice, self-registration is uncommon. Most of the time an admin explicitly sets up users for a repository, and they are not constrained that way. As you can see in this repository, we have some users with 2- or 3-character names.

i've been told that using email addresses works fine for fossil login names, but i've never tried it myself.

> I am considering trying Fossil with federated usernames via a SAML/OIDC proxy and REMOTE_USER.

If you add the users to the repo via the admin interface or CLI, fossil won't (AFAIK) stop them from logging in just because they have unusual names. With a cursory glance i don't see any logic in login.c which restricts the range of login names. The self-registration process, however, is more restrictive.
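
Added example, not part of either post and not Fossil's code: read literally by a regex engine, the ".-_" inside the character class quoted in post (1) is a range from "." to "_", so this sketch lists what that range admits and shows a stricter check a proxy could apply before setting REMOTE_USER. The FEDERATED policy and all names below are assumptions for illustration, not Fossil's rules.

```python
import re

# Character class exactly as written in post (1): ".-_" is a RANGE from
# "." (0x2E) to "_" (0x5F), not three literal characters.
AS_WRITTEN = re.compile(r"[A-Za-z0-9.-_]{6,}")
# Same class with the hyphen moved last, where it is a literal "-".
LITERAL = re.compile(r"[A-Za-z0-9._-]{6,}")

# Assumed policy for identities arriving from the IdP (NOT Fossil's rule):
# a bare user@domain value, conservative characters, bounded lengths.
FEDERATED = re.compile(r"[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,190}")


def extra_chars_admitted():
    """Printable ASCII accepted by the as-written class but not the literal one."""
    probe = (chr(c) for c in range(0x20, 0x7F))
    return "".join(
        ch for ch in probe
        if AS_WRITTEN.fullmatch(ch * 6) and not LITERAL.fullmatch(ch * 6)
    )


def remote_user_ok(value):
    """True if value may be forwarded as REMOTE_USER under the assumed policy.

    fullmatch() anchors both ends, so a trailing newline or a display-name
    wrapper around the address is rejected rather than silently ignored.
    """
    return FEDERATED.fullmatch(value) is not None


if __name__ == "__main__":
    print("extra characters admitted by the range:", extra_chars_admitted())
    # Constructed sample identities, taken from the shapes named in the post.
    for candidate in ("cdoe@example.com",
                      "Cameron Doe <cdoe@example.com>",
                      "cdoe@example.com\n"):
        print(repr(candidate), "->", remote_user_ok(candidate))
```

The range form admits "<", ">", "/" and "\", while rejecting "-", which is the opposite of what the hyphen-last form does.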