From e675e2ccf0069fae583a096b0fafb580eae6fd5e Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Thu, 15 Oct 2015 05:42:05 +0000
Subject: [PATCH] Users: Add `'illegal_user_logins'` filter to allow certain usernames to be blacklisted.

Props danielbachhuber, chriscct7, crazycoolcam, SergeyBiryukov.
Fixes #27317.

git-svn-id: https://develop.svn.wordpress.org/trunk@35189 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/user.php | 6 ++++
 src/wp-includes/ms-functions.php | 10 ++++--
 src/wp-includes/user-functions.php | 11 +++++++
 tests/phpunit/tests/user.php | 53 ++++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
index 6ec23fb576..3ec716e08e 100644
--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -142,6 +142,12 @@ function edit_user( $user_id = 0 ) {
 	if ( !$update && username_exists( $user->user_login ) )
 		$errors->add( 'user_login', __( 'ERROR: This username is already registered. Please choose another one.' ));
 
+	/** This filter is documented in wp-includes/user-functions.php */
+	$usernames = apply_filters( 'illegal_user_logins', array() );
+	if ( in_array( $user->user_login, $usernames ) ) {
+		$errors->add( 'illegal_user_login', __( 'ERROR: Sorry, that username is not allowed.' ) );
+	}
+
 	/* checking email address */
 	if ( empty( $user->user_email ) ) {
 		$errors->add( 'empty_email', __( 'ERROR: Please enter an email address.' ), array( 'form-field' => 'email' ) );
diff --git a/src/wp-includes/ms-functions.php b/src/wp-includes/ms-functions.php
index 49407ecb64..f4c11f0c88 100644
--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
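Review bot: The `in_array( $user->user_login, $usernames )` check trusts the filter return blindly: a callback that returns a string or null makes `in_array` emit a warning and return false on the PHP versions WordPress supported at the time (a TypeError on PHP 8), silently disabling the blocklist, and with loose comparison a stray integer `0` in the list matches every non-numeric login on PHP < 8. Casting and comparing strictly closes both holes: `$usernames = (array) apply_filters( 'illegal_user_logins', array() );` and `if ( in_array( $user->user_login, $usernames, true ) ) {`. The match is also case-sensitive, so `Admin` passes a list that blocks `admin`; if login lookups are case-insensitive elsewhere (as the `username_exists()` call on the preceding context line presumably is), both sides should be case-folded before comparing. edit_user() starts and ends outside this hunk.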
@@ -427,8 +427,14 @@ function wpmu_validate_user_signup($user_name, $user_email) {
 		$illegal_names = array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );
 		add_site_option( 'illegal_names', $illegal_names );
 	}
-	if ( in_array( $user_name, $illegal_names ) )
-		$errors->add('user_name', __( 'That username is not allowed.' ) );
+	if ( in_array( $user_name, $illegal_names ) ) {
+		$errors->add( 'user_name', __( 'Sorry, that username is not allowed.' ) );
+	}
+
+	/** This filter is documented in wp-includes/user-functions.php */
+	if ( in_array( $user_name, apply_filters( 'illegal_user_logins', array() ) ) ) {
+		$errors->add( 'user_name', __( 'Sorry, that username is not allowed.' ) );
+	}
 
 	if ( is_email_address_unsafe( $user_email ) )
 		$errors->add('user_email', __('You cannot use that email address to signup. We are having problems with them blocking some of our email. Please use another email provider.'));
diff --git a/src/wp-includes/user-functions.php b/src/wp-includes/user-functions.php
index 18ed9af8ef..48c7791939 100644
--- a/src/wp-includes/user-functions.php
+++ b/src/wp-includes/user-functions.php
@@ -1315,6 +1315,17 @@ function wp_insert_user( $userdata ) {
 		return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
 	}
 
+	/**
+	 * Filter the list of blacklisted usernames.
+	 *
+	 * @since 4.4.0
+	 *
+	 * @param array $usernames Array of blacklisted usernames.
+	 */
+	if ( in_array( $user_login, apply_filters( 'illegal_user_logins', array() ) ) ) {
+		return new WP_Error( 'illegal_user_login', __( 'Sorry, that username is not allowed.' ) );
+	}
+
 	/*
 	 * If a nicename is provided, remove unsafe user characters before using it.
 	 * Otherwise build a nicename from the user_login.
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index b111ab3d2c..f86c0e52b7 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
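Review bot: The new filter check repeats the preceding `illegal_names` check line for line, and because both add their error under the same `'user_name'` code with the same message, a login present in both lists (the site option already seeds `admin`, `root`, `www`, …) yields two identical "Sorry, that username is not allowed." entries for the user. Folding the filter output into the existing list removes the duplication and gives the filter the array cast and strict comparison its raw return lacks: keep the `/** This filter is documented … */` reference, then `$illegal_names = array_merge( $illegal_names, (array) apply_filters( 'illegal_user_logins', array() ) );` followed by the single `if ( in_array( $user_name, $illegal_names, true ) ) {`. Whether `$user_name` has already been lowercased or otherwise normalized by this point is outside the hunk; if it has, filter entries need the same normalization or mixed-case entries will never match. wpmu_validate_user_signup() starts and ends outside this hunk.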
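Review bot: The gate added to wp_insert_user — the one every insert path should end up hitting — compares the login against the filter list case-sensitively, so a blocklist entry of `admin` does not stop `Admin` or `ADMIN`; if logins are looked up case-insensitively, as the existing-user check just above presumably is, the blocklist is trivially bypassable. The filter return is also used without an array cast or strict comparison, so a callback returning a string or null disables the check with only a warning on PHP 5/7 (a TypeError on PHP 8). Suggested replacement for the two lines: `$illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );` and `if ( in_array( strtolower( $user_login ), array_map( 'strtolower', $illegal_logins ), true ) ) {`. The docblock should then state the contract, e.g. `* @param array $usernames Array of blacklisted usernames; compared case-insensitively against the login.`. wp_insert_user() starts and ends outside this hunk.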
@@ -602,6 +602,59 @@ class Tests_User extends WP_UnitTestCase {
 		}
 	}
 
+	/**
+	 * @ticket 27317
+	 */
+	function test_illegal_user_logins_single() {
+		$user_data = array(
+			'user_login' => 'testuser',
+			'user_email' => 'testuser@example.com',
+			'user_pass' => wp_generate_password(),
+		);
+
+		add_filter( 'illegal_user_logins', array( $this, '_illegal_user_logins' ) );
+
+		$response = wp_insert_user( $user_data );
+		$this->assertInstanceOf( 'WP_Error', $response );
+		$this->assertEquals( 'illegal_user_login', $response->get_error_code() );
+
+		remove_filter( 'illegal_user_logins', array( $this, '_illegal_user_logins' ) );
+
+		$user_id = wp_insert_user( $user_data );
+		$user = get_user_by( 'id', $user_id );
+		$this->assertInstanceOf( 'WP_User', $user );
+	}
+
+	/**
+	 * @ticket 27317
+	 */
+	function test_illegal_user_logins_multisite() {
+		if ( ! is_multisite() ) {
+			return;
+		}
+
+		$user_data = array(
+			'user_login' => 'testuser',
+			'user_email' => 'testuser@example.com',
+		);
+
+		add_filter( 'illegal_user_logins', array( $this, '_illegal_user_logins' ) );
+
+		$response = wpmu_validate_user_signup( $user_data['user_login'], $user_data['user_email'] );
+		$this->assertInstanceOf( 'WP_Error', $response['errors'] );
+		$this->assertEquals( 'user_name', $response['errors']->get_error_code() );
+
+		remove_filter( 'illegal_user_logins', array( $this, '_illegal_user_logins' ) );
+
+		$response = wpmu_validate_user_signup( $user_data['user_login'], $user_data['user_email'] );
+		$this->assertInstanceOf( 'WP_Error', $response['errors'] );
+		$this->assertEquals( 0, count( $response['errors']->get_error_codes() ) );
+	}
+
+	function _illegal_user_logins() {
+		return array( 'testuser' );
+	}
+
 	/**
 	 * @ticket 24618
 	 */
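Review bot: The tests only pin the exact-case entry `testuser` against `wp_insert_user()` and `wpmu_validate_user_signup()`; nothing covers the `edit_user()` path this commit also changes, a case variant such as `TestUser`, or a filter callback that returns a non-array, so a regression in any of those would pass. Adding, before the `remove_filter()` call in `test_illegal_user_logins_single`, `$mixed = wp_insert_user( array_merge( $user_data, array( 'user_login' => 'TestUser' ) ) );` and `$this->assertEquals( 'illegal_user_login', $mixed->get_error_code() );` would pin the case-handling contract (with the current case-sensitive `in_array` it fails, which is the point of adding it). `test_illegal_user_logins_multisite` returns silently when `is_multisite()` is false, so a single-site run reports it as a pass; `$this->markTestSkipped( 'Requires multisite.' );` is the honest outcome. The two tests and the `_illegal_user_logins` helper carry no visibility keyword; `public function` matches the surrounding style PHPUnit expects.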