#17691: Possible to create invalid admin account with Turkish collation

--HG--
branch : 1.x

src/Orchard.Tests.Modules/Users/Services/UserServiceTests.cs

@@ -1,4 +1,6 @@
 using System;
+using System.Globalization;
+using System.Threading;
 using System.Xml.Linq;
 using Autofac;
 using Moq;
@@ -39,6 +41,7 @@ namespace Orchard.Tests.Modules.Users.Services {
         private ISessionFactory _sessionFactory;
         private ISession _session;
         private IContainer _container;
+        private CultureInfo _currentCulture;
 
 
         public class TestSessionLocator : ISessionLocator {
@@ -55,6 +58,7 @@ namespace Orchard.Tests.Modules.Users.Services {
 
         [TestFixtureSetUp]
         public void InitFixture() {
+            _currentCulture = Thread.CurrentThread.CurrentCulture;
             var databaseFileName = System.IO.Path.GetTempFileName();
             _sessionFactory = DataUtility.CreateSessionFactory(
                 databaseFileName,
@@ -66,7 +70,7 @@ namespace Orchard.Tests.Modules.Users.Services {
 
         [TestFixtureTearDown]
         public void TermFixture() {
-
+            Thread.CurrentThread.CurrentCulture = _currentCulture;
         }
 
         [SetUp]
@@ -122,5 +126,18 @@ namespace Orchard.Tests.Modules.Users.Services {
             Assert.That(username, Is.EqualTo("foo"));
             Assert.That(validateByUtc, Is.GreaterThan(_clock.UtcNow));
         }
+
+        [Test]
+        public void VerifyUserUnicityTurkishTest() {
+            CultureInfo turkishCulture = new CultureInfo("tr-TR");
+            Thread.CurrentThread.CurrentCulture = turkishCulture;
+
+            // Create user lower case
+            _membershipService.CreateUser(new CreateUserParams("admin", "66554321", "foo@bar.com", "", "", true));
+            _container.Resolve<IOrchardServices>().ContentManager.Flush();
+
+            // Verify unicity with upper case which with turkish coallition would yeld admin with an i without the dot and therefore generate a different user name
+            Assert.That(_userService.VerifyUserUnicity("ADMIN", "differentfoo@bar.com"), Is.False);
+        }
     }
 }

src/Orchard.Web/Modules/Orchard.Roles/Services/RolesBasedAuthorizationService.cs

@@ -48,7 +48,7 @@ namespace Orchard.Roles.Services {
             for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter) {
                 if (!context.Granted && context.User != null) {
                     if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) &&
-                           String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.OrdinalIgnoreCase)) {
+                           String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) {
                         context.Granted = true;
                     }
                 }

src/Orchard.Web/Modules/Orchard.Users/Controllers/AdminController.cs

@@ -241,11 +241,11 @@ namespace Orchard.Users.Controllers {
                 }
                 else {
                     // also update the Super user if this is the renamed account
-                    if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, previousName, StringComparison.OrdinalIgnoreCase)) {
+                    if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, previousName, StringComparison.Ordinal)) {
                         _siteService.GetSiteSettings().As<SiteSettingsPart>().SuperUser = editModel.UserName;
                     }
 
-                    user.NormalizedUserName = editModel.UserName.ToLower();
+                    user.NormalizedUserName = editModel.UserName.ToLowerInvariant();
                 }
             }
 
@@ -272,10 +272,10 @@ namespace Orchard.Users.Controllers {
             var user = Services.ContentManager.Get<IUser>(id);
 
             if (user != null) {
-                if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, user.UserName, StringComparison.OrdinalIgnoreCase)) {
+                if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, user.UserName, StringComparison.Ordinal)) {
                     Services.Notifier.Error(T("The Super user can't be removed. Please disable this account or specify another Super user account"));
                 }
-                else if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.OrdinalIgnoreCase)) {
+                else if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.Ordinal)) {
                     Services.Notifier.Error(T("You can't remove your own account. Please log in with another account"));
                 }
                 else{
@@ -323,7 +323,7 @@ namespace Orchard.Users.Controllers {
             var user = Services.ContentManager.Get<IUser>(id);
 
             if (user != null) {
-                if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.OrdinalIgnoreCase)) {
+                if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.Ordinal)) {
                     Services.Notifier.Error(T("You can't disable your own account. Please log in with another account"));
                 }
                 else {

src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs

@@ -49,7 +49,7 @@ namespace Orchard.Users.Services {
 
             user.Record.UserName = createUserParams.Username;
             user.Record.Email = createUserParams.Email;
-            user.Record.NormalizedUserName = createUserParams.Username.ToLower();
+            user.Record.NormalizedUserName = createUserParams.Username.ToLowerInvariant();
             user.Record.HashAlgorithm = "SHA1";
             SetPassword(user.Record, createUserParams.Password);
 
@@ -97,13 +97,13 @@ namespace Orchard.Users.Services {
         }
 
         public IUser GetUser(string username) {
-            var lowerName = username == null ? "" : username.ToLower();
+            var lowerName = username == null ? "" : username.ToLowerInvariant();
 
             return _orchardServices.ContentManager.Query<UserPart, UserPartRecord>().Where(u => u.NormalizedUserName == lowerName).List().FirstOrDefault();
         }
 
         public IUser ValidateUser(string userNameOrEmail, string password) {
-            var lowerName = userNameOrEmail == null ? "" : userNameOrEmail.ToLower();
+            var lowerName = userNameOrEmail == null ? "" : userNameOrEmail.ToLowerInvariant();
 
             var user = _orchardServices.ContentManager.Query<UserPart, UserPartRecord>().Where(u => u.NormalizedUserName == lowerName).List().FirstOrDefault();
 

src/Orchard.Web/Modules/Orchard.Users/Services/UserService.cs

@@ -37,7 +37,7 @@ namespace Orchard.Users.Services {
         public ILogger Logger { get; set; }
 
         public bool VerifyUserUnicity(string userName, string email) {
-            string normalizedUserName = userName.ToLower();
+            string normalizedUserName = userName.ToLowerInvariant();
 
             if (_contentManager.Query<UserPart, UserPartRecord>()
                                    .Where(user => 
@@ -51,7 +51,7 @@ namespace Orchard.Users.Services {
         }
 
         public bool VerifyUserUnicity(int id, string userName, string email) {
-            string normalizedUserName = userName.ToLower();
+            string normalizedUserName = userName.ToLowerInvariant();
 
             if (_contentManager.Query<UserPart, UserPartRecord>()
                                    .Where(user =>
@@ -115,7 +115,7 @@ namespace Orchard.Users.Services {
         }
 
         public bool SendLostPasswordEmail(string usernameOrEmail, Func<string, string> createUrl) {
-            var lowerName = usernameOrEmail.ToLower();
+            var lowerName = usernameOrEmail.ToLowerInvariant();
             var user = _contentManager.Query<UserPart, UserPartRecord>().Where(u => u.NormalizedUserName == lowerName || u.Email == lowerName).List().FirstOrDefault();
 
             if (user != null) {