diff --git a/pkg/user/user_create.go b/pkg/user/user_create.go
index 63ce7e9a2..25e5d4e82 100644
--- a/pkg/user/user_create.go
+++ b/pkg/user/user_create.go
@@ -149,6 +149,13 @@ func checkIfUserIsValid(user *User) error {
 }
 }
 
+ // Reserve the bot- prefix for bot users (created via CreateBotUser)
+ if strings.HasPrefix(user.Username, "bot-") {
+ return ErrUsernameReserved{
+ Username: user.Username,
+ }
+ }
+
 return nil
 }
 
diff --git a/pkg/user/user_test.go b/pkg/user/user_test.go
index 25f9802c3..b8e5eb22f 100644
--- a/pkg/user/user_test.go
+++ b/pkg/user/user_test.go
@@ -25,6 +25,20 @@ import (
 "github.com/stretchr/testify/require"
 )
 
+func TestCreateUser_RejectsBotPrefix(t *testing.T) {
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ _, err := CreateUser(s, &User{
+ Username: "bot-evil",
+ Password: "12345678",
+ Email: "x@example.com",
+ })
+ require.Error(t, err)
+ assert.True(t, IsErrUsernameReserved(err))
+}
+
 func TestUser_IsBot(t *testing.T) {
 t.Run("regular user", func(t *testing.T) {
 u := &User{ID: 1}
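Review bot: The reserved-prefix guard added at the end of checkIfUserIsValid is a byte-exact, case-sensitive match, so `Bot-evil` or `BOT-x` would pass it. If usernames are compared or displayed case-insensitively anywhere (not visible in this hunk), a regular account could still be mistaken for a bot account, so consider `if strings.HasPrefix(strings.ToLower(user.Username), "bot-") {`. The function starts outside the hunk, so I cannot see whether the username is trimmed or normalised before this point. It is also worth confirming that rename/update paths and any externally provisioned accounts go through this validator, and that CreateBotUser itself does not, since otherwise the reservation is either bypassable or blocks bot creation.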
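Review bot: TestCreateUser_RejectsBotPrefix pins only the single lowercase input `bot-evil`, so the boundary of the reservation is untested. I would add a negative case showing that a name which merely contains the string (for example `robot-1`) is still accepted with `require.NoError(t, err)`, plus a mixed-case input such as `Bot-evil`, so the intended case behaviour is an explicit decision rather than an accident. The test could also assert that no row for the rejected username exists afterwards, so that a future reordering which validates after the insert is caught.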