This code allows non-trimmed restricted usernames, hence I was able to create the " anonymous " account with the "Anonymous " full name. The same can be done for SYSTEM as well. UIs do not present such trailing spaces, hence the UI looks to be "fine".
I have no obvious exploits in the code, but this logic gap may be a security issue if a plugin does not work with user IDs with spaces.
Is it a security issue or should we handle it as a common bug?
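
The gap described in this report, as an added example that is not part of the original report and is not the project's own code: a restricted-name check that compares the raw input, next to one that canonicalizes first. The function names, the restricted list and the case-insensitive comparison are assumptions made for illustration.

```python
import unicodedata

# Restricted IDs named in the report; the real list is an assumption.
RESTRICTED = {"anonymous", "system"}


def naive_is_restricted(user_id: str) -> bool:
    """The reported gap: the raw input is compared, so padded names pass."""
    return user_id.lower() in RESTRICTED


def canonical_id(user_id: str) -> str:
    """Canonical form to use for both the restricted check and storage."""
    # NFKC folds compatibility characters (U+00A0 no-break space -> space);
    # strip() then removes leading and trailing Unicode whitespace.
    return unicodedata.normalize("NFKC", user_id).strip().casefold()


def validate_new_user_id(user_id: str) -> str:
    """Return the canonical ID to store, or raise ValueError."""
    # Control and format characters (categories Cc, Cf, ...) are invisible
    # in most UIs and are not removed by strip(), so reject them outright.
    if any(unicodedata.category(ch).startswith("C") for ch in user_id):
        raise ValueError("control or format characters are not allowed")
    canon = canonical_id(user_id)
    if not canon:
        raise ValueError("empty user ID")
    if canon in RESTRICTED:
        raise ValueError(f"{canon!r} is a restricted user ID")
    return canon


def accepted(user_id: str) -> bool:
    """True if validate_new_user_id() lets the ID through."""
    try:
        validate_new_user_id(user_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the report.
    for raw in [" anonymous ", "SYSTEM ", "anonymous\u00a0", "\u200banonymous", " alice "]:
        print(repr(raw), "naive blocks:", naive_is_restricted(raw),
              "hardened accepts:", accepted(raw))
```

Storing the canonical ID returned by the validator, rather than the raw input, keeps later lookups from having to cope with IDs that contain surrounding whitespace.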