Oki, so, summarizing:
(A)- With $CFG->extendedusernamechars DISABLED we must allow exclusively these:
alphanumeric chars (A-Z, a-z, 0-9)
(B)- With $CFG->extendedusernamechars ENABLED, any char is allowed in usernames (current behaviour).
And we must perform changes in:
in order to check for the characters specified in (A).
Sounds like a good plan. Some observations:
1) I'd move the check to one central function - user_normalise_username() - somewhere and make all the places above use it.
2) External auth plugins... should they be rejecting wrong usernames? I guess we don't make any verification there.
3) I've detected that the currently used regular expression:
$user->username = eregi_replace('[^(\.[:alnum:])]', '', $user->username);
seems to be faulty, because either I'm wrong or it allows parentheses in usernames!! So the question is... should we continue allowing them (can break users using those chars previously).
Adding some watchers, assigning to Jerome and addressing to 1.9.4. Please comment about 2 & 3.
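
Point 3 in runnable form, as an added example that is not part of the original comment or of Moodle's code: it applies the character class exactly as it appears above next to the same class without the parentheses, and lists which usernames a tightened check would change. Assumptions: preg_replace() stands in for eregi_replace(), the body of user_normalise_username() and the stricter class are illustrative, and the sample usernames are constructed.

```php
<?php
// Added illustration; not Moodle code. preg_replace() stands in for the
// eregi_replace() call quoted in the comment (ereg was removed in PHP 7).

// Character class exactly as quoted: "(" and ")" inside [...] are literals,
// not grouping, so they become part of the allowed set.
const QUOTED_CLASS = '/[^(\.[:alnum:])]/i';

// Same class with the parentheses dropped (assumed intent).
const STRICT_CLASS = '/[^\.[:alnum:]]/i';

/**
 * Hypothetical central helper, named after the suggestion in point 1.
 * $extended mirrors $CFG->extendedusernamechars: when true, nothing is stripped.
 */
function user_normalise_username(string $username, bool $extended, string $class = STRICT_CLASS): string {
    if ($extended) {
        return $username;
    }
    return preg_replace($class, '', $username);
}

// Constructed sample usernames.
$samples = ['jsmith', 'j.smith', 'j(smith)', 'j smith<script>', 'admin)(x'];

foreach ($samples as $name) {
    printf("%-18s quoted=%-14s strict=%-14s extended=%s\n",
        $name,
        user_normalise_username($name, false, QUOTED_CLASS),
        user_normalise_username($name, false, STRICT_CLASS),
        user_normalise_username($name, true));
}

// Usernames that pass the quoted class unchanged but are altered by the
// strict one: these are the existing accounts a tightened check could break.
$affected = array_filter($samples, function ($n) {
    return user_normalise_username($n, false, QUOTED_CLASS)
        !== user_normalise_username($n, false, STRICT_CLASS);
});
print_r(array_values($affected));
```

Running the comparison over the existing user table before changing the class gives the list of accounts that would need handling.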