Add sensible limit to user name inputs #3614
Description
Describe the Bug
Alt title: Missing input validation on Name
When a user is editing their profile under the "Edit Profile" section, extremely long names are accepted by the system, even as long as 792 characters. This starts causing system issues for the logged-in user, who won't able to use the system anymore due to HTTP 500 errors. Doesn't seem to have any impact for other users.
Steps to Reproduce
- Log in as any user. Ideally, have a backup admin user than can edit profiles.
- From the user dropdown, select Edit Profile.
- Under Name, enter these 231 characters:
AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA
- Save your changes. The changes are saved successfully with an HTTP 200. The username change will be successful and show in the audit log.
- BookStack will return an HTTP 500 error on every page.
Expected Behaviour
- The user does not get an HTTP 500 error when accessing BookStack.
Optional:
- Instead of being allowed to have an absurdly long name, the user receives an error when the new name length exceeds a certain length.
- Add the permission ability to disallow users from editing their own name or their own user as a whole
- Particularly useful if the user's name is sourced from an SSO provider and therefore not requiring editing
- Allow maximum name length to be configurable
Screenshots or Additional Context
No response
Browser Details
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Exact BookStack Version
v22.06.2
PHP Version
7.4.26
Hosting Environment
- LinuxServer container on Ubuntu 22.04 LTS virtual machine
- LinuxServer MariaDB container
- Nginx 1.22 as reverse proxy