Resolver for URLs with usernames do not include all valid characters

[seav]

URLs that contain usernames use the following regex to capture the username: [-\w]+. This does not match the actual allowed characters for Django usernames found in django.contrib.auth.validators: [\w.@+-]+.

This results in website errors when usernames containing periods, at signs, or plus signs.

[seav]

This affects the following URLs:

Website:
/organizations/<org>/members/<username>/
/organizations/<org>/members/<username>/remove/
/users/<username>/activate/
/users/<username>/deactivate/

API:
/organizations/<org>/users/<username>/
/organizations/<org>/projects/<project>/users/<username>/

[oliverroick]

Three possible solutions here:

1. Restrict user names to [-\w]+
2. Change the URL pattern [\w.@+-]+. (Are . or @ allowed in URLs, I don't know).
3. Change the URL pattern to use the user ID.

[seav]

Number 2 seems to be the simplest to implement. I think . and @ are allowed in URLs. If not, they will get URL-encoded anyway, just like other Unicode characters.

[ian-ross]

Both . and @ are explicitly allowed in URLs without encoding (see the BNF syntax here: https://www.w3.org/Addressing/URL/uri-spec.html#z8), so option 2 is definitely the best.