
Users can be renamed to usernames forbidden on creation
Closed, Resolved (Public)

Description

Author: dhnguyen

Description:
At the Vietnamese Wikipedia, a user can be renamed to a username that can not be used when creating the account. For example, a user can be renamed to an account name containing only numbers when they are prevented from doing so when creating the account. Should the policies for account creation and renaming be the same?


Version: unspecified
Severity: minor
URL: http://vi.wikipedia.org

Details

Reference
bz17282

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 10:28 PM)
bzimport set Reference to bz17282.
bzimport added a subscriber: Unknown Object (MLST).

It's a simple 1-line change to RenameUser, requiring that the new username be validated as 'creatable' instead of just 'valid.' If in fact we do want to require target usernames to pass the same requirements as account creation.

Hrm. Surely this defeats the purpose of admins being able to override the default limitations?

This should be reverted and resolved as INVALID.

mike.lifeguard+bugs wrote:

(In reply to comment #3)

> Hrm. Surely this defeats the purpose of admins being able to override the
> default limitations?
>
> This should be reverted and resolved as INVALID.

Should probably let them know that they are in fact overriding such restrictions though.

ayg wrote:

(In reply to comment #3)

> Hrm. Surely this defeats the purpose of admins being able to override the
> default limitations?

It depends. For instance, usernames with @ in them aren't creatable but are valid, and it should not be possible to rename to them, because it's only valid at all for backward compatibility (right?). On the other hand, things like AntiSpoof should clearly not be run. As far as I can tell by a quick glance at the code, the prohibition of '@' is the *only* difference between 'usable' and 'creatable'.

dhnguyen wrote:

(In reply to comment #5)

> As far as I can tell by a quick glance at
> the code, the prohibition of '@' is the *only* difference between 'usable' and
> 'creatable'.

The impetus for me when filing this bug was that I was able to rename a user to "93.896" (as requested by the user). I was not aware that one is not able to create such an account until somebody complained that that username is not creatable.

Given that three years have passed since comment 3, I'm being bold and am closing this as resolved again.
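An added example, not part of the original thread and not MediaWiki or RenameUser code: a small Python model of the trade-off discussed above, where a rename target must pass the creation-time checks unless an admin explicitly overrides site policy, the override is recorded so the admin can be told about it, and '@' names are never accepted as rename targets. All rule names, patterns and the `check_rename` function are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed rules for illustration; these are not MediaWiki's actual checks.
LEGACY_ONLY = re.compile(r"@")            # tolerated on old accounts only
SITE_POLICY = {                           # hypothetical per-wiki creation policy
    "digits-only": re.compile(r"[\d.]+"),
}

@dataclass
class Decision:
    allowed: bool
    blocked_by: list = field(default_factory=list)  # rules that stopped the rename
    overridden: list = field(default_factory=list)  # rules the admin knowingly bypassed

def is_valid(name: str) -> bool:
    """Loosest tier: well-formed enough to exist as a username at all."""
    return (0 < len(name) <= 255 and name == name.strip()
            and not re.search(r"[#<>\[\]|{}/]", name))

def creation_violations(name: str) -> list:
    """Rules a brand-new account would additionally have to pass."""
    hits = ["legacy-char"] if LEGACY_ONLY.search(name) else []
    hits += [rule for rule, rx in SITE_POLICY.items() if rx.fullmatch(name)]
    return hits

def check_rename(new_name: str, override: bool = False) -> Decision:
    """Apply creation-time checks to a rename target, with an audited override."""
    if not is_valid(new_name):
        return Decision(False, blocked_by=["invalid"])
    hits = creation_violations(new_name)
    hard = [h for h in hits if h == "legacy-char"]  # never overridable
    soft = [h for h in hits if h != "legacy-char"]  # site policy, overridable
    if hard:
        return Decision(False, blocked_by=hard)
    if soft and not override:
        return Decision(False, blocked_by=soft)
    # 'overridden' is what the UI or log would show to the renaming admin.
    return Decision(True, overridden=soft)

if __name__ == "__main__":
    # Constructed sample inputs; "93.896" is the name mentioned in the thread.
    for name, ov in [("93.896", False), ("93.896", True),
                     ("user@example", True), ("Alice", False)]:
        print(name, ov, check_rename(name, ov))
```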