Centralize account-name validation into a shared module; apply to all creation paths #51

New issue

Open

opened 2026-06-16 21:59:38 +00:00 by padreug · 0 comments

padreug commented 2026-06-16 21:59:38 +00:00

Owner

Copy link

Found in the high-effort code review of PR #46.

Two related altitude issues with the new _validate_account_name / _is_valid_account_component (views_api.py):

1. Only the admin endpoint validates. The sibling super-user path POST /api/v1/accounts (api_create_account, views_api.py:291 → crud.create_account) inserts name into libra's DB with no Beancount-grammar check. A malformed name can enter the DB there and later diverge from / break Fava during account-sync or an Open write. Validation belongs in a shared module (next to account_utils) that every creation path calls — not bolted onto the one endpoint the UI happens to use.

2. The five-type rule and the grammar rule are split. views_api.py:3725 does startswith(_VALID_ACCOUNT_PREFIXES) (the real five-root gate) and :3734 calls _validate_account_name, which accepts any uppercase-initial root. They run back-to-back with divergent 400 messages (e.g. name="Income" → "must start with Income:" instead of "needs a sub-account"). Fold the root-allowlist into the validator so there's one source of truth and one message.

Suggested fix

Add account_utils.validate_account_name(name) (grammar + five-root check, mirroring beancount.core.account — already cross-checked to match is_valid() across 20 cases) and call it from both creation endpoints. Collapses #1 and #2.

Found in the high-effort code review of PR #46. Two related altitude issues with the new `_validate_account_name` / `_is_valid_account_component` (`views_api.py`): **1. Only the admin endpoint validates.** The sibling super-user path `POST /api/v1/accounts` (`api_create_account`, `views_api.py:291` → `crud.create_account`) inserts `name` into libra's DB with **no** Beancount-grammar check. A malformed name can enter the DB there and later diverge from / break Fava during account-sync or an Open write. Validation belongs in a shared module (next to `account_utils`) that every creation path calls — not bolted onto the one endpoint the UI happens to use. **2. The five-type rule and the grammar rule are split.** `views_api.py:3725` does `startswith(_VALID_ACCOUNT_PREFIXES)` (the real five-root gate) and `:3734` calls `_validate_account_name`, which accepts *any* uppercase-initial root. They run back-to-back with divergent 400 messages (e.g. `name="Income"` → "must start with Income:" instead of "needs a sub-account"). Fold the root-allowlist into the validator so there's one source of truth and one message. ### Suggested fix Add `account_utils.validate_account_name(name)` (grammar + five-root check, mirroring `beancount.core.account` — already cross-checked to match `is_valid()` across 20 cases) and call it from both creation endpoints. Collapses #1 and #2.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix/authorization-security-refactor

fix/concurrency-protection

v0.4.0

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.0

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

aiolabs/libra#51

No description provided.