Umbraco is not validating same way save user and change password

[bielu]

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

10.6.1

Bug summary

Bug found as part: #14808

Specifics

No response

Steps to reproduce

1. set UsernameIsEmail to false
2. create user
3. rename user with name containing a space in login
4. try to change password / unlock / disable user
5. you will get notication about username is incorrect

Expected result / actual result

validation is same between save user and change password

[github-actions]

Hi there @bielu!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

[andr317c]

Hey!
Thanks a lot for reporting this issue, I was able to reproduce the issue on versions 10.6.1, 10.7.0, and 12.2.0.

What I did was: Set UsernameIsEmail to false in the app settings, and create a user. Change the Username to contain a space and save the user. If I then tried to change the password of the user, I ran into the validation error: Validation: Invalid username. I was able to Disable and Enable the user without any issues. I was also able to log in to the user even though its username contained a space.

I will mark this issue up as an up for grabs! 😄 Please let me know if I missed anything.

[github-actions]

Hi @bielu,

We're writing to let you know that we would love some help with this issue. We feel that this issue is ideal to flag for a community member to work on it. Once flagged here, folk looking for issues to work on will know to look at yours. Of course, please feel free work on this yourself ;-). If there are any changes to this status, we'll be sure to let you know.

For more information about issues and states, have a look at this blog post.

Thanks muchly, from your friendly Umbraco GitHub bot :-)

[Amalie-Wowern]

I will try to look at this

[bielu]

@Amalie-Wowern it is ltitle tricky as Umbraco use .net identity abstraction to validate and when you saving you have Ipublishcontent. :) If you need support about code logic there let me know

[Amalie-Wowern]

@bielu Yes i noticed its a little tricky.
I would love some help about the code logic

[Amalie-Wowern]

If i understand the issue correctly.

The bug is that, when the password is changed its validating the username wrong. It does not take into consideration that the UsernameIsEmail is disabled?

[bielu]

The bug is that, when the password is changed its validating the username wrong. It does not take into consideration that the UsernameIsEmail is disabled?

No. It is related to that when you disable UsernameIsEmail Umbraco doesnt validate in same username as when you change password.

So case 1:

• disable UsernameIsEmail
• Create user with name cointaining space
• Click save
  by default it should fail.

Case 2:

• disable UsernameIsEmail
• setup UserOptions.AllowedUserNameCharacters to allow space
• Create user with name cointaining space
• Click save
  by default it should pass

Case 3:

• disable UsernameIsEmail
• setup UserOptions.AllowedUserNameCharacters to allow space
• Create user with name cointaining space
• Click save
• remove Space from UserOptions.AllowedUserNameCharacters
• Click save - here should fail but it will not
• Click change password
• confirm change of passwor

It will fails as Validation for user name fails. So in case 3 we have the bug from this ticket on Updating user with space when space is not allowed.

[Amalie-Wowern]

Hello @bielu

I have looked into the issue now and tested it a little bit.

It looks like that there are no method for checking if the username contains not allowed characters.

I could not find a method i could use from the update password function

I will stop working on this as i dont think im the right person to create the best check

[jerpenol]

Unfortunately still seeing this in 13.2.2 for Members.

I can add disallowed characters (for example a space or a pipe) to the login field (_umb_login) when editing a member, but when I then try to change the password it fails, because the username is not valid (the MemberController.PostSave fails: see the error below).