Don't allow people to register user ids which only differ by case to an existing one

2 files changed, 13 insertions, 2 deletions

diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index 39392d9fdd..86390a3671 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -57,8 +57,8 @@ class RegistrationHandler(BaseHandler):
 
         yield self.check_user_id_is_valid(user_id)
 
-        u = yield self.store.get_user_by_id(user_id)
-        if u:
+        users = yield self.store.get_users_by_id_case_insensitive(user_id)
+        if users:
             raise SynapseError(
                 400,
                 "User ID already taken.",
diff --git a/synapse/storage/registration.py b/synapse/storage/registration.py
index bf803f2c6e..25adecaf6d 100644
--- a/synapse/storage/registration.py
+++ b/synapse/storage/registration.py
@@ -98,6 +98,17 @@ class RegistrationStore(SQLBaseStore):
             allow_none=True,
         )
 
+    def get_users_by_id_case_insensitive(self, user_id):
+        def f(txn):
+            sql = (
+                "SELECT name, password_hash FROM users"
+                " WHERE name = lower(?)"
+            )
+            txn.execute(sql, (user_id,))
+            return self.cursor_to_dict(txn)
+
+        return self.runInteraction("get_users_by_id_case_insensitive", f)
+
     @defer.inlineCallbacks
     def user_set_password_hash(self, user_id, password_hash):
         """