Fix the username validation when an admin update the user

2025-12-30 17:00:57 -06:00 · 2023-06-05 11:14:24 +02:00
parent 2372b50116
commit 1ac49dfd64
6 changed files with 26 additions and 8 deletions
--- a/changelog/unreleased/fix-username-validation.md
+++ b/changelog/unreleased/fix-username-validation.md
@@ -0,0 +1,6 @@
+Enhancement: Fix the username validation
+
+Fix the username validation when an admin update the user
+
+https://github.com/owncloud/ocis/pull/6437
+https://github.com/owncloud/ocis/issues/6436
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
@@ -230,10 +230,6 @@ services:

  inbucket:
    image: inbucket/inbucket
-    ports:
-      - "9000:9000"
-      - "1100:1100"
-      - "2500:2500"
    networks:
      ocis-net:
    entrypoint:
--- a/services/graph/pkg/identity/ldap_group.go
+++ b/services/graph/pkg/identity/ldap_group.go
@@ -529,7 +529,7 @@ func (i *LDAP) getGroupByDN(dn string) (*ldap.Entry, error) {
 func (i *LDAP) getGroupsForUser(dn string) ([]*ldap.Entry, error) {
 	groupFilter := fmt.Sprintf(
 		"(%s=%s)",
-		i.groupAttributeMap.member, dn,
+		i.groupAttributeMap.member, ldap.EscapeFilter(dn),
 	)
 	userGroups, err := i.getLDAPGroupsByFilter(groupFilter, false, false)
 	if err != nil {
--- a/services/graph/pkg/service/v0/educationuser.go
+++ b/services/graph/pkg/service/v0/educationuser.go
@@ -341,6 +341,14 @@ func (g Graph) PatchEducationUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if accountName, ok := changes.GetOnPremisesSamAccountNameOk(); ok {
+		if !g.isValidUsername(*accountName) {
+			logger.Debug().Str("username", *accountName).Msg("could not update education user: username must be at least the local part of an email")
+			errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, fmt.Sprintf("username %s must be at least the local part of an email", *changes.OnPremisesSamAccountName))
+			return
+		}
+	}
+
 	var features []events.UserFeature
 	if mail, ok := changes.GetMailOk(); ok {
 		if !isValidEmail(*mail) {
--- a/services/graph/pkg/service/v0/users.go
+++ b/services/graph/pkg/service/v0/users.go
@@ -654,6 +654,14 @@ func (g Graph) PatchUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if accountName, ok := changes.GetOnPremisesSamAccountNameOk(); ok {
+		if !g.isValidUsername(*accountName) {
+			logger.Info().Str("username", *accountName).Msg("could not update user: invalid username")
+			errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "Invalid username")
+			return
+		}
+	}
+
 	var features []events.UserFeature
 	if mail, ok := changes.GetMailOk(); ok {
 		if !isValidEmail(*mail) {
--- a/tests/acceptance/features/apiGraph/editUser.feature
+++ b/tests/acceptance/features/apiGraph/editUser.feature
@@ -1,4 +1,4 @@
-@api 
+@api
 Feature: edit user
  As an admin
  I want to be able to edit user information
@@ -66,9 +66,9 @@ Feature: edit user
    Examples:
      | action description           | userName | code | newUserName |
      | change to a valid user name  | Lionel   | 200  | Lionel      |
-      | user name characters         | *:!;_+-& | 200  | *:!;_+-&    |
+      | user name characters         | a*!_+-&  | 200  | a*!_+-&     |
      | change to existing user name | Brian    | 409  | Brian       |
-      | empty user name              |          | 200  | Brian       |
+      | empty user name              |          | 400  | Brian       |

  @skipOnStable2.0
  Scenario: admin user changes the name of a user to the name of an existing disabled user