From d372db884566046c34add9661e9cc9ef0dafbb30 Mon Sep 17 00:00:00 2001
From: netroms
Date: Tue, 16 Jan 2024 15:43:40 +0100
Subject: [PATCH] chore: enforce username format rules in additional places (#15703) (#16169)

* chore: enforce username format rules in additional places (#15703)
---
 .../org/hisp/dhis/webapi/controller/user/UserController.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
index a88861a213f2..01099f315829 100644
--- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
+++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
@@ -96,6 +96,7 @@
 import org.hisp.dhis.schema.descriptors.UserSchemaDescriptor;
 import org.hisp.dhis.security.RestoreOptions;
 import org.hisp.dhis.security.SecurityService;
+import org.hisp.dhis.system.util.ValidationUtils;
 import org.hisp.dhis.user.CredentialsInfo;
 import org.hisp.dhis.user.CurrentUser;
 import org.hisp.dhis.user.PasswordValidationResult;
@@ -450,6 +451,10 @@ public WebMessage replicateUser(
 return conflict("Username must be specified");
 }
 
+ if (!ValidationUtils.usernameIsValid(username, false)) {
+ return conflict("Username is not valid");
+ }
+
 if (userService.getUserByUsername(username) != null) {
 return conflict("Username already taken: " + username);
 }
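Review bot: The bare `false` in `ValidationUtils.usernameIsValid(username, false)` in the second hunk does not say which rule set is applied, and this call is the only format gate on the username of a replicated account, so its meaning should be readable at the call site. A one-line comment above the check would do, for example `// second argument presumably means "not an invite flow", so the full format rules apply (confirm against ValidationUtils)`. The diffstat shows only this file changed, so nothing pins the new rejection path. A controller test that sends a malformed username to the replicate endpoint and expects the `Username is not valid` conflict would keep the check from being dropped later. replicateUser starts and ends outside the hunk, so whether `username` is trimmed or otherwise normalised before this point is not visible here; if it is not, the format check and the `getUserByUsername` lookup should both run on the same normalised value.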