Merge pull request #2675 from kobergj/ForbidEmptyPassword

Forbid empty password

changelog/unreleased/empty-password-user.md

@@ -0,0 +1,5 @@
+Bugfix: Don't allow empty password
+
+It was allowed to create users with empty or spaces-only password. This is fixed
+
+https://github.com/owncloud/product/issues/197

ocs/pkg/server/http/svc_test.go

@@ -169,6 +169,8 @@ var formats = []string{"json", "xml"}
 
 var dataPath = createTmpDir()
 
+var defaultPassword = "Testing123"
+
 var defaultUsers = []string{
 	userEinstein,
 	userIDP,
@@ -709,6 +711,10 @@ func getService() svc.Service {
 }
 
 func createUser(u User) error {
+	// add default password if not set differently
+	if u.Password == "" {
+		u.Password = defaultPassword
+	}
 	_, err := sendRequest(
 		"POST",
 		userProvisioningEndPoint,
@@ -768,17 +774,6 @@ func TestCreateUser(t *testing.T) {
 			},
 			nil,
 		},
-		// https://github.com/owncloud/ocis-ocs/issues/50
-		{
-			"User without password",
-			User{
-				Enabled:     "true",
-				ID:          "john",
-				Email:       "john@example.com",
-				Displayname: "John Dalton",
-			},
-			nil,
-		},
 		// https://github.com/owncloud/ocis-ocs/issues/49
 		{
 			"User with special character in userid",

ocs/pkg/service/v0/users.go

@@ -179,6 +179,11 @@ func (o Ocs) AddUser(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
+	if strings.TrimSpace(password) == "" {
+		mustNotFail(render.Render(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "empty password not allowed")))
+		o.logger.Error().Str("userid", userid).Msg("empty password not allowed")
+		return
+	}
 
 	// fallbacks
 	/* TODO decide if we want to make these fallbacks. Keep in mind:

tests/acceptance/expected-failures-API-on-OCIS-storage.md

@@ -911,9 +911,6 @@ special character username not valid
 -   [apiTrashbin/trashbinFilesFolders.feature:252](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L252)
 -   [apiTrashbin/trashbinFilesFolders.feature:253](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L253)
 
-#### [Password can be set to empty](https://github.com/owncloud/product/issues/197)
--   [apiProvisioning-v2/addUser.feature:83](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L83)
-
 #### [Client token generation not implemented](https://github.com/owncloud/ocis/issues/197)
 -   [apiProvisioning-v1/apiProvisioningUsingAppPassword.feature:39](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v1/apiProvisioningUsingAppPassword.feature#L39)
 -   [apiProvisioning-v1/apiProvisioningUsingAppPassword.feature:67](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v1/apiProvisioningUsingAppPassword.feature#L67)
@@ -1473,4 +1470,4 @@ Not everything needs to be implemented for ocis. While the oc10 testsuite covers
 
 ### [Content-type is not multipart/byteranges when downloading file with Range Header](https://github.com/owncloud/ocis/issues/2677)
 -   [apiWebdavOperations/downloadFile.feature:169](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/downloadFile.feature#L169)
--   [apiWebdavOperations/downloadFile.feature:170](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/downloadFile.feature#L170)
+-   [apiWebdavOperations/downloadFile.feature:170](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/downloadFile.feature#L170)