diff --git a/changelog/unreleased/fix-username-validation.md b/changelog/unreleased/fix-username-validation.md
new file mode 100644
index 000000000..f7aed77a9
--- /dev/null
+++ b/changelog/unreleased/fix-username-validation.md
@@ -0,0 +1,6 @@
+Enhancement: Fix the username validation
+
+Fix the username validation when an admin update the user
+
+https://github.com/owncloud/ocis/pull/6437
+https://github.com/owncloud/ocis/issues/6436
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml
index 956757367..d14c1f8be 100644
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
@@ -230,10 +230,6 @@ services:
 inbucket:
 image: inbucket/inbucket
- ports:
- - "9000:9000"
- - "1100:1100"
- - "2500:2500"
 networks:
 ocis-net:
 entrypoint:
diff --git a/services/graph/pkg/identity/ldap_group.go b/services/graph/pkg/identity/ldap_group.go
index f4c8e8506..5c0e1f5d8 100644
--- a/services/graph/pkg/identity/ldap_group.go
+++ b/services/graph/pkg/identity/ldap_group.go
@@ -529,7 +529,7 @@ func (i *LDAP) getGroupByDN(dn string) (*ldap.Entry, error) {
 func (i *LDAP) getGroupsForUser(dn string) ([]*ldap.Entry, error) {
 groupFilter := fmt.Sprintf(
 "(%s=%s)",
- i.groupAttributeMap.member, dn,
+ i.groupAttributeMap.member, ldap.EscapeFilter(dn),
 )
 userGroups, err := i.getLDAPGroupsByFilter(groupFilter, false, false)
 if err != nil {
diff --git a/services/graph/pkg/service/v0/educationuser.go b/services/graph/pkg/service/v0/educationuser.go
index 9ba3c4052..3ddaf2374 100644
--- a/services/graph/pkg/service/v0/educationuser.go
+++ b/services/graph/pkg/service/v0/educationuser.go
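Review bot: The `ldap.EscapeFilter(dn)` call in getGroupsForUser (ldap_group.go) has no comment saying why a DN needs filter escaping, and the changelog entry added in this commit mentions only username validation. I would add `// dn can contain filter metacharacters such as ( ) * and \; escape it so the member value is matched literally` above the `fmt.Sprintf` call and mention the filter fix in the changelog, since an unescaped value in a search filter can change which entries match. The function body continues past the hunk, and the other filter builders in this file are not visible here, so whether they already escape their inputs would need checking.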
@@ -341,6 +341,14 @@ func (g Graph) PatchEducationUser(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if accountName, ok := changes.GetOnPremisesSamAccountNameOk(); ok {
+ if !g.isValidUsername(*accountName) {
+ logger.Debug().Str("username", *accountName).Msg("could not update education user: username must be at least the local part of an email")
+ errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, fmt.Sprintf("username %s must be at least the local part of an email", *changes.OnPremisesSamAccountName))
+ return
+ }
+ }
+
 var features []events.UserFeature
 if mail, ok := changes.GetMailOk(); ok {
 if !isValidEmail(*mail) {
diff --git a/services/graph/pkg/service/v0/users.go b/services/graph/pkg/service/v0/users.go
index b77444caa..be24c2ccc 100644
--- a/services/graph/pkg/service/v0/users.go
+++ b/services/graph/pkg/service/v0/users.go
@@ -654,6 +654,14 @@ func (g Graph) PatchUser(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if accountName, ok := changes.GetOnPremisesSamAccountNameOk(); ok {
+ if !g.isValidUsername(*accountName) {
+ logger.Info().Str("username", *accountName).Msg("could not update user: invalid username")
+ errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "Invalid username")
+ return
+ }
+ }
+
 var features []events.UserFeature
 if mail, ok := changes.GetMailOk(); ok {
 if !isValidEmail(*mail) {
diff --git a/tests/acceptance/features/apiGraph/editUser.feature b/tests/acceptance/features/apiGraph/editUser.feature
index e8803ecd4..f5243e0e8 100644
--- a/tests/acceptance/features/apiGraph/editUser.feature
+++ b/tests/acceptance/features/apiGraph/editUser.feature
@@ -1,4 +1,4 @@
-@api
+@api
 Feature: edit user
 As an admin
 I want to be able to edit user information
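Review bot: The rejection branch in PatchEducationUser echoes the submitted value back in the 400 body and reads it through `*changes.OnPremisesSamAccountName`, even though `*accountName` is already bound two lines above. The same check added to PatchUser in users.go answers with a fixed `"Invalid username"` and logs at Info rather than Debug. I would make the two handlers agree and keep rejected input out of the response, e.g. `errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "username must be at least the local part of an email")`; if the value has to be shown, format `*accountName` with `%q`. Both handler bodies start and end outside their hunks, and isValidUsername itself is not visible here.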
@@ -66,9 +66,9 @@ Feature: edit user
 Examples:
 | action description | userName | code | newUserName |
 | change to a valid user name | Lionel | 200 | Lionel |
- | user name characters | *:!;_+-& | 200 | *:!;_+-& |
+ | user name characters | a*!_+-& | 200 | a*!_+-& |
 | change to existing user name | Brian | 409 | Brian |
- | empty user name | | 200 | Brian |
+ | empty user name | | 400 | Brian |
 @skipOnStable2.0
 Scenario: admin user changes the name of a user to the name of an existing disabled user
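Review bot: No row in the Examples table of the second hunk exercises a non-empty name that the new validation refuses. The table now covers the empty name returning 400, but the old `*:!;_+-&` row was rewritten to a value that passes instead of being kept as a rejection case. Assuming that value is now rejected, a row such as `| invalid user name characters | *:!;_+-& | 400 | Brian |` would pin that behaviour. The scenario outline starts above the hunk, so the steps these columns feed are not visible here.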