authorivan <ivan>2008-02-29 02:29:57 +0000
committerivan <ivan>2008-02-29 02:29:57 +0000
commitd49cc12aee7462cb3f0cc1073777f1e5c3dbb7f4 (patch)
tree4d51bac044eb4ffc4ba880a213d7788cf0b12412 /FS
parent1853ca72ecbd2d47bc09d196374534ab8ada08ce (diff)
disallow uppercase usernames in the first place. also Record::str2time_sql_closing snuck in.
Diffstat (limited to 'FS')
-rw-r--r--FS/FS/Record.pm38
-rw-r--r--FS/FS/access_user.pm14
2 files changed, 47 insertions, 5 deletions
diff --git a/FS/FS/Record.pm b/FS/FS/Record.pm
index 703c06f..db94003 100644
--- a/FS/FS/Record.pm
+++ b/FS/FS/Record.pm
@@ -1555,6 +1555,20 @@ sub ut_alphan {
'';
}
+=item ut_alpha_lower COLUMN
+
+Check/untaint lowercase alphanumeric strings (no spaces). May not be null. If
+there is an error, returns the error, otherwise returns false.
+
+=cut
+
+sub ut_alpha_lower {
+ my($self,$field)=@_;
+ $self->getfield($field) =~ /[[:upper:]]/
+ and return "Uppercase characters are not permitted in $field";
+ $self->ut_alpha($field);
+}
+
=item ut_phonen COLUMN [ COUNTRY ]
Check/untaint phone numbers. May be null. If there is an error, returns
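Review bot: `ut_alpha_lower` runs the uppercase regex against the raw field (line 33) before `ut_alpha` has validated it, so a null value produces an uninitialized-value warning from the match instead of the "may not be null" error the POD promises; delegate first and then test the validated value: `my $error = $self->ut_alpha($field); return $error if $error;` / `$self->getfield($field) =~ /[[:upper:]]/ and return "Uppercase characters are not permitted in $field";` / `'';`. The uppercase test is also a deny-list layered on whatever `ut_alpha` accepts (its body is not in this hunk); if `ut_alpha` admits non-ASCII word characters, titlecase or locale-dependent letters could still pass, and a positive check such as `/\A[a-z0-9]+\z/` would pin the documented "lowercase alphanumeric" contract exactly. The POD's claim that the sub untaints holds only through the delegated `ut_alpha` call, which is worth saying in the description.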
@@ -2238,9 +2252,9 @@ sub DESTROY { return; }
=item str2time_sql [ DRIVER_NAME ]
Returns a function to convert to unix time based on database type, such as
-"EXTRACT( EPOCH FROM" for Pg or "UNIX_TIMESTAMP(" for mysql. You are
-responsible for the closing parenthesis yourself. Don't let it down. It's a
-sensitive parenthesis.
+"EXTRACT( EPOCH FROM" for Pg or "UNIX_TIMESTAMP(" for mysql. See
+the str2time_sql_closing method to return a closing string rather than just
+using a closing parenthesis as previously suggested.
You can pass an optional driver name such as "Pg", "mysql" or
$dbh->{Driver}->{Name} to return a function for that database instead of
@@ -2260,6 +2274,24 @@ sub str2time_sql {
}
+=item str2time_sql_closing [ DRIVER_NAME ]
+
+Returns the closing suffix of a function to convert to unix time based on
+database type, such as ")::integer" for Pg or ")" for mysql.
+
+You can pass an optional driver name such as "Pg", "mysql" or
+$dbh->{Driver}->{Name} to return a function for that database instead of
+the current database.
+
+=cut
+
+sub str2time_sql_closing {
+ my $driver = shift || driver_name;
+
+ return ' )::INTEGER ' if $driver =~ /^Pg/i;
+ return ' ) ';
+}
+
=back
=head1 BUGS
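Review bot: The POD for `str2time_sql_closing` says the Pg suffix is ")::integer", but the sub returns ' )::INTEGER ' with surrounding spaces (line 67) and ' ) ' for everything else; callers that splice the result directly after a column name depend on that padding, so the doc should state it, e.g. `database type, such as " )::INTEGER " for Pg or " ) " for mysql (note the surrounding spaces).` The second POD paragraph was copied from `str2time_sql` and still says "return a function for that database", though this sub returns a closing suffix. The `/^Pg/i` driver match should use the same pattern `str2time_sql` uses (its body is outside this hunk), otherwise a driver string that one recognises and the other does not would yield a mismatched open/close pair.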
diff --git a/FS/FS/access_user.pm b/FS/FS/access_user.pm
index 250e432..a755daf 100644
--- a/FS/FS/access_user.pm
+++ b/FS/FS/access_user.pm
@@ -90,6 +90,9 @@ otherwise returns false.
sub insert {
my $self = shift;
+ my $error = $self->check;
+ return $error if $error;
+
local $SIG{HUP} = 'IGNORE';
local $SIG{INT} = 'IGNORE';
local $SIG{QUIT} = 'IGNORE';
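Review bot: Running `$self->check` before `htpasswd_kludge` (lines 80-81) is the right order — the htpasswd file is no longer written for a record the database would reject — but the later `SUPER::insert` (presumably, outside this hunk) runs `check` a second time, which is harmless and worth noting so nobody "optimises" the early call away: `# validate before touching the htpasswd file; SUPER::insert re-checks, which is cheap`. If `replace` also calls `htpasswd_kludge`, it needs the same early `check`; that method is not part of this diff. The body of `insert` continues past this hunk.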
@@ -101,7 +104,7 @@ sub insert {
local $FS::UID::AutoCommit = 0;
my $dbh = dbh;
- my $error = $self->htpasswd_kludge();
+ $error = $self->htpasswd_kludge();
if ( $error ) {
$dbh->rollback or die $dbh->errstr if $oldAutoCommit;
return $error;
@@ -111,7 +114,14 @@ sub insert {
if ( $error ) {
$dbh->rollback or die $dbh->errstr if $oldAutoCommit;
+
+ #make sure it isn't a dup username? or you could nuke people's passwords
+ #blah. really just should do our own login w/cookies
+ #and auth out of the db in the first place
+ #my $hterror = $self->htpasswd_kludge('-D');
+ #$error .= " - additionally received error cleaning up htpasswd file: $hterror"
return $error;
+
} else {
$dbh->commit or die $dbh->errstr if $oldAutoCommit;
'';
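Review bot: When the database insert fails after `htpasswd_kludge` has already succeeded, the rollback at line 96 restores the table but the htpasswd file keeps a credential for a username that has no matching row — and, as the author's comment notes, if the failure was a duplicate username the existing user's htpasswd password has already been overwritten by that point. The cleanup is left as commented-out code (lines 98-102); rather than dead code, emit a warning naming the stale entry, `warn "insert of " . $self->getfield('username') . " failed after htpasswd update; entry may be stale: $error";`, and keep the reasoning as a `# TODO:` sentence. The safer fix is to look up an existing access_user with the same username (e.g. via `qsearchs`) before calling `htpasswd_kludge`, so neither the clobber nor the orphaned entry can occur. The blank `+` lines at 97 and 104 look accidental, and the end of `insert` lies outside this hunk.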
@@ -236,7 +246,7 @@ sub check {
my $error =
$self->ut_numbern('usernum')
- || $self->ut_alpha('username')
+ || $self->ut_alpha_lower('username')
|| $self->ut_text('_password')
|| $self->ut_text('last')
|| $self->ut_text('first')