Limit user's fullname and Token name field length

rdiffweb/controller/page_admin_users.py

@@ -76,7 +76,13 @@ class UserForm(CherryForm):
             validators.length(max=256, message=_('Username too long.')),
         ],
     )
-    fullname = StringField(_('Fullname'), validators=[validators.optional()])
+    fullname = StringField(
+        _('Fullname'),
+        validators=[
+            validators.optional(),
+            validators.length(max=256, message=_('Fullname too long.')),
+        ],
+    )
     email = EmailField(
         _('Email'),
         validators=[

rdiffweb/controller/page_pref_general.py

@@ -25,7 +25,7 @@
 import cherrypy
 from wtforms.fields import HiddenField, PasswordField, StringField, SubmitField
 from wtforms.fields.html5 import EmailField
-from wtforms.validators import DataRequired, EqualTo, InputRequired, Length, Regexp
+from wtforms.validators import DataRequired, EqualTo, InputRequired, Length, Optional, Regexp
 
 from rdiffweb.controller import Controller, flash
 from rdiffweb.controller.form import CherryForm
@@ -40,7 +40,13 @@
 class UserProfileForm(CherryForm):
     action = HiddenField(default='set_profile_info')
     username = StringField(_('Username'), render_kw={'readonly': True})
-    fullname = StringField(_('Fullname'))
+    fullname = StringField(
+        _('Fullname'),
+        validators=[
+            Optional(),
+            Length(max=256, message=_('Fullname too long.')),
+        ],
+    )
     email = EmailField(
         _('Email'),
         validators=[

rdiffweb/controller/page_pref_tokens.py

@@ -20,7 +20,7 @@
 
 import cherrypy
 from wtforms.fields import DateField, HiddenField, StringField, SubmitField
-from wtforms.validators import DataRequired, Optional
+from wtforms.validators import DataRequired, Length, Optional
 
 from rdiffweb.controller import Controller, flash
 from rdiffweb.controller.filter_authorization import is_maintainer
@@ -38,7 +38,10 @@ class TokenForm(CherryForm):
         description=_(
             'Used only to identify the purpose of the token. For example, the application that uses the token.'
         ),
-        validators=[DataRequired()],
+        validators=[
+            DataRequired(),
+            Length(max=256, message=_('Token name too long')),
+        ],
     )
     expiration = DateField(
         _('Expiration date'),

rdiffweb/controller/tests/test_page_admin_users.py

@@ -58,7 +58,7 @@ def _store_quota(self, userobj, value):
     def _load_quota(self, userobj):
         return self._quota.get(userobj.username, 0)
 
-    def _add_user(self, username=None, email=None, password=None, user_root=None, role=None, mfa=None):
+    def _add_user(self, username=None, email=None, password=None, user_root=None, role=None, mfa=None, fullname=None):
         b = {}
         b['action'] = 'add'
         if username is not None:
@@ -73,6 +73,8 @@ def _add_user(self, username=None, email=None, password=None, user_root=None, ro
             b['role'] = str(role)
         if mfa is not None:
             b['mfa'] = str(mfa)
+        if fullname is not None:
+            b['fullname'] = str(fullname)
         self.getPage("/admin/users/", method='POST', body=b)
 
     def _edit_user(
@@ -275,6 +277,15 @@ def test_add_with_user_root_too_long(self):
         self.assertStatus(200)
         self.assertInBody("Root directory too long.")
 
+    def test_add_with_fullname_too_long(self):
+        # Given a too long user root
+        fullname = "fullname" * 50
+        # When trying to create the user
+        self._add_user("test2", "test@test,com", "password", "/tmp/", UserObject.USER_ROLE, fullname=fullname)
+        # Then an error is raised
+        self.assertStatus(200)
+        self.assertInBody("Fullname too long.")
+
     def test_delete_user_with_not_existing_username(self):
         """
         Verify failure to delete invalid username.

rdiffweb/controller/tests/test_page_prefs_general.py

@@ -109,6 +109,18 @@ def test_change_fullname_method_get(self):
         user = UserObject.query.filter(UserObject.username == self.USERNAME).first()
         self.assertEqual("", user.fullname)
 
+    def test_change_fullname_too_long(self):
+        # Given an authenticated user
+        # When update the fullname
+        self._set_profile_info("test@test.com", "Fullname" * 50)
+        # Then page return with error message
+        self.assertStatus(200)
+        self.assertNotInBody("Profile updated successfully.")
+        self.assertInBody("Fullname too long.")
+        # Then database is not updated
+        user = UserObject.query.filter(UserObject.username == self.USERNAME).first()
+        self.assertEqual("", user.fullname)
+
     def test_change_email(self):
         self._set_profile_info("test@test.com")
         self.assertStatus(200)

rdiffweb/controller/tests/test_page_prefs_tokens.py

@@ -78,6 +78,19 @@ def test_add_access_token_without_name(self):
         # Then access token is not created
         self.assertEqual(0, Token.query.filter(Token.userid == userobj.userid, Token.name == 'test-token-name').count())
 
+    def test_add_access_token_with_name_too_long(self):
+        # Given an existing user
+        # When adding a new access token with name too long.
+        self.getPage(
+            "/prefs/tokens",
+            method='POST',
+            body={'action': 'add_access_token', 'name': 'token' * 52, 'expiration_time': ''},
+        )
+        # Then page return with error message
+        self.assertStatus(200)
+        # Then token name get displayed in the view
+        self.assertInBody('Token name too long')
+
     def test_delete_access_token(self):
         # Given an existing user with access_token
         userobj = UserObject.get_user(self.USERNAME)