From 0d47267b2ff4108efe6bd7d98e51bdca757fa90f Mon Sep 17 00:00:00 2001
From: Wes Copeland <wlcopeland1@gmail.com>
Date: Sun, 23 Jun 2024 15:54:54 -0400
Subject: [PATCH 1/4] fix(user): enforce uniqueness on display names

---
 ...06_23_000000_update_useraccounts_table.php | 23 +++++++++++++++++++
 .../views/pages-legacy/userInfo.blade.php     |  2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 database/migrations/community/2024_06_23_000000_update_useraccounts_table.php

diff --git a/database/migrations/community/2024_06_23_000000_update_useraccounts_table.php b/database/migrations/community/2024_06_23_000000_update_useraccounts_table.php
new file mode 100644
index 0000000000..2ba05b1848
--- /dev/null
+++ b/database/migrations/community/2024_06_23_000000_update_useraccounts_table.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class() extends Migration {
+    public function up(): void
+    {
+        Schema::table('UserAccounts', function (Blueprint $table) {
+            $table->unique('display_name');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('UserAccounts', function (Blueprint $table) {
+            $table->dropUnique(['display_name']);
+        });
+    }
+};
diff --git a/resources/views/pages-legacy/userInfo.blade.php b/resources/views/pages-legacy/userInfo.blade.php
index e2a65e334c..1bdc7a76bb 100644
--- a/resources/views/pages-legacy/userInfo.blade.php
+++ b/resources/views/pages-legacy/userInfo.blade.php
@@ -23,7 +23,7 @@
     abort(400);
 }
 
-$userPageModel = User::firstWhere('User', $userPage);
+$userPageModel = User::where('User', $userPage)->orWhere('display_name', $userPage)->first();
 if (!$userPageModel) {
     abort(404);
 }

From c62b85caee231e675957d7fe8181ce9667c27394 Mon Sep 17 00:00:00 2001
From: Wes Copeland <wlcopeland1@gmail.com>
Date: Sat, 20 Jul 2024 10:22:24 -0400
Subject: [PATCH 2/4] fix: address pr feedback

---
 app/Helpers/util/string.php                     | 12 ++++++++++--
 app/Providers/RouteServiceProvider.php          |  2 +-
 resources/views/pages-legacy/userInfo.blade.php |  2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/app/Helpers/util/string.php b/app/Helpers/util/string.php
index 10f5f840cc..3b0b882eec 100644
--- a/app/Helpers/util/string.php
+++ b/app/Helpers/util/string.php
@@ -1,6 +1,5 @@
 <?php
 
-use App\Support\Rules\CtypeAlnum;
 use Illuminate\Support\Facades\Validator;
 
 function sanitize_outputs(string|int|null &...$outputs): void
@@ -29,11 +28,20 @@ function attributeEscape(?string $input): string
 
 function isValidUsername(?string $username): bool
 {
+    /**
+     * Allows:
+     *   - \p{L}: Any kind of letter from any language.
+     *   - \p{N}: Any kind of numeric character from any script.
+     *   - \s   : Spaces.
+     *   - \-_.  : Hyphens, underscores, and periods.
+     */
+    $allowedPattern = '/^[\p{L}\p{N}\s\-_.]*$/u';
+
     // Note: use request validation where applicable instead of checking the username manually
     // Note: allow 2 character usernames for existing accounts. New accounts are limited to 4.
     return Validator::make(
         ['username' => $username],
-        ['username' => ['min:2', 'max:20', new CtypeAlnum()]]
+        ['username' => ['required', 'min:2', 'max:20', 'regex:' . $allowedPattern]]
     )->passes();
 }
 
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index 0fff7e11aa..09383017dc 100755
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -65,7 +65,7 @@ protected function mapWebRoutes(): void
             Route::get('download.php', fn () => $this->handlePageRequest('download'))->name('download.index');
             Route::get('gameList.php', fn () => $this->handlePageRequest('gameList'))->name('game.index');
             Route::get('{path}.php', fn (string $path) => $this->handlePageRequest($path))->where('path', '(.*)');
-            Route::get('user/{user}', fn (string $user) => $this->handlePageRequest('userInfo', $user))->name('user.show');
+            Route::get('user/{user}', fn (string $user) => $this->handlePageRequest('userInfo', urldecode($user)))->name('user.show')->where('user', '.*');
             Route::get('achievement/{achievement}{slug?}', fn ($achievement) => $this->handlePageRequest('achievementInfo', $achievement))->name('achievement.show');
             Route::get('game/{game}{slug?}', fn ($game) => $this->handlePageRequest('gameInfo', $game))->name('game.show');
             Route::get('leaderboard/{leaderboard}{slug?}', fn ($leaderboard) => $this->handlePageRequest('leaderboardinfo', $leaderboard))->name('leaderboard.show');
diff --git a/resources/views/pages-legacy/userInfo.blade.php b/resources/views/pages-legacy/userInfo.blade.php
index 1bdc7a76bb..af26b6e183 100644
--- a/resources/views/pages-legacy/userInfo.blade.php
+++ b/resources/views/pages-legacy/userInfo.blade.php
@@ -28,7 +28,7 @@
     abort(404);
 }
 
-$userMassData = getUserPageInfo($userPage, numGames: $maxNumGamesToFetch);
+$userMassData = getUserPageInfo($userPageModel->username, numGames: $maxNumGamesToFetch);
 if (empty($userMassData)) {
     abort(404);
 }

From 81084f1d9a1188527ec5c3430d3af1f3f395f3d1 Mon Sep 17 00:00:00 2001
From: Wes Copeland <wlcopeland1@gmail.com>
Date: Sat, 20 Jul 2024 10:29:08 -0400
Subject: [PATCH 3/4] fix: use a more restrictive path matching pattern

---
 app/Providers/RouteServiceProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index 09383017dc..1bc8dbef04 100755
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -65,7 +65,7 @@ protected function mapWebRoutes(): void
             Route::get('download.php', fn () => $this->handlePageRequest('download'))->name('download.index');
             Route::get('gameList.php', fn () => $this->handlePageRequest('gameList'))->name('game.index');
             Route::get('{path}.php', fn (string $path) => $this->handlePageRequest($path))->where('path', '(.*)');
-            Route::get('user/{user}', fn (string $user) => $this->handlePageRequest('userInfo', urldecode($user)))->name('user.show')->where('user', '.*');
+            Route::get('user/{user}', fn (string $user) => $this->handlePageRequest('userInfo', urldecode($user)))->name('user.show')->where('user', '^[^\/#&]+$');
             Route::get('achievement/{achievement}{slug?}', fn ($achievement) => $this->handlePageRequest('achievementInfo', $achievement))->name('achievement.show');
             Route::get('game/{game}{slug?}', fn ($game) => $this->handlePageRequest('gameInfo', $game))->name('game.show');
             Route::get('leaderboard/{leaderboard}{slug?}', fn ($leaderboard) => $this->handlePageRequest('leaderboardinfo', $leaderboard))->name('leaderboard.show');

From 490c76e717682d5f524c800ac707a97c719a7231 Mon Sep 17 00:00:00 2001
From: Wes Copeland <wlcopeland1@gmail.com>
Date: Sat, 20 Jul 2024 10:43:46 -0400
Subject: [PATCH 4/4] fix: revert url support for display_name values

---
 app/Helpers/util/string.php                     | 12 ++----------
 app/Providers/RouteServiceProvider.php          |  2 +-
 resources/views/pages-legacy/userInfo.blade.php |  4 ++--
 3 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/app/Helpers/util/string.php b/app/Helpers/util/string.php
index 3b0b882eec..10f5f840cc 100644
--- a/app/Helpers/util/string.php
+++ b/app/Helpers/util/string.php
@@ -1,5 +1,6 @@
 <?php
 
+use App\Support\Rules\CtypeAlnum;
 use Illuminate\Support\Facades\Validator;
 
 function sanitize_outputs(string|int|null &...$outputs): void
@@ -28,20 +29,11 @@ function attributeEscape(?string $input): string
 
 function isValidUsername(?string $username): bool
 {
-    /**
-     * Allows:
-     *   - \p{L}: Any kind of letter from any language.
-     *   - \p{N}: Any kind of numeric character from any script.
-     *   - \s   : Spaces.
-     *   - \-_.  : Hyphens, underscores, and periods.
-     */
-    $allowedPattern = '/^[\p{L}\p{N}\s\-_.]*$/u';
-
     // Note: use request validation where applicable instead of checking the username manually
     // Note: allow 2 character usernames for existing accounts. New accounts are limited to 4.
     return Validator::make(
         ['username' => $username],
-        ['username' => ['required', 'min:2', 'max:20', 'regex:' . $allowedPattern]]
+        ['username' => ['min:2', 'max:20', new CtypeAlnum()]]
     )->passes();
 }
 
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index 1bc8dbef04..0fff7e11aa 100755
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -65,7 +65,7 @@ protected function mapWebRoutes(): void
             Route::get('download.php', fn () => $this->handlePageRequest('download'))->name('download.index');
             Route::get('gameList.php', fn () => $this->handlePageRequest('gameList'))->name('game.index');
             Route::get('{path}.php', fn (string $path) => $this->handlePageRequest($path))->where('path', '(.*)');
-            Route::get('user/{user}', fn (string $user) => $this->handlePageRequest('userInfo', urldecode($user)))->name('user.show')->where('user', '^[^\/#&]+$');
+            Route::get('user/{user}', fn (string $user) => $this->handlePageRequest('userInfo', $user))->name('user.show');
             Route::get('achievement/{achievement}{slug?}', fn ($achievement) => $this->handlePageRequest('achievementInfo', $achievement))->name('achievement.show');
             Route::get('game/{game}{slug?}', fn ($game) => $this->handlePageRequest('gameInfo', $game))->name('game.show');
             Route::get('leaderboard/{leaderboard}{slug?}', fn ($leaderboard) => $this->handlePageRequest('leaderboardinfo', $leaderboard))->name('leaderboard.show');
diff --git a/resources/views/pages-legacy/userInfo.blade.php b/resources/views/pages-legacy/userInfo.blade.php
index af26b6e183..e2a65e334c 100644
--- a/resources/views/pages-legacy/userInfo.blade.php
+++ b/resources/views/pages-legacy/userInfo.blade.php
@@ -23,12 +23,12 @@
     abort(400);
 }
 
-$userPageModel = User::where('User', $userPage)->orWhere('display_name', $userPage)->first();
+$userPageModel = User::firstWhere('User', $userPage);
 if (!$userPageModel) {
     abort(404);
 }
 
-$userMassData = getUserPageInfo($userPageModel->username, numGames: $maxNumGamesToFetch);
+$userMassData = getUserPageInfo($userPage, numGames: $maxNumGamesToFetch);
 if (empty($userMassData)) {
     abort(404);
 }