diff --git a/changelog/unreleased/empty-password-user.md b/changelog/unreleased/empty-password-user.md
new file mode 100644
index 000000000..4ffd4ba84
--- /dev/null
+++ b/changelog/unreleased/empty-password-user.md
@@ -0,0 +1,5 @@
+Bugfix: Don't allow empty password
+
+It was allowed to create users with empty or spaces-only password. This is fixed
+
+https://github.com/owncloud/product/issues/197
diff --git a/ocs/pkg/server/http/svc_test.go b/ocs/pkg/server/http/svc_test.go
index ee896414f..cdcb2eee9 100644
--- a/ocs/pkg/server/http/svc_test.go
+++ b/ocs/pkg/server/http/svc_test.go
@@ -169,6 +169,8 @@ var formats = []string{"json", "xml"}
 var dataPath = createTmpDir()
+var defaultPassword = "Testing123"
+
 var defaultUsers = []string{
 userEinstein,
 userIDP,
@@ -709,6 +711,10 @@ func getService() svc.Service {
 }
 func createUser(u User) error {
+ // add default password if not set differently
+ if u.Password == "" {
+ u.Password = defaultPassword
+ }
 _, err := sendRequest(
 "POST",
 userProvisioningEndPoint,
@@ -768,17 +774,6 @@ func TestCreateUser(t *testing.T) {
 },
 nil,
 },
- // https://github.com/owncloud/ocis-ocs/issues/50
- {
- "User without password",
- User{
- Enabled: "true",
- ID: "john",
- Email: "john@example.com",
- Displayname: "John Dalton",
- },
- nil,
- },
 // https://github.com/owncloud/ocis-ocs/issues/49
 {
 "User with special character in userid",
diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go
index 1445ab1d5..55aa18a59 100644
--- a/ocs/pkg/service/v0/users.go
+++ b/ocs/pkg/service/v0/users.go
@@ -179,6 +179,11 @@ func (o Ocs) AddUser(w http.ResponseWriter, r *http.Request) {
 return
 }
 }
+ if strings.TrimSpace(password) == "" {
+ mustNotFail(render.Render(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "empty password not allowed")))
+ o.logger.Error().Str("userid", userid).Msg("empty password not allowed")
+ return
+ }
 // fallbacks
 /* TODO decide if we want to make these fallbacks. Keep in mind:
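Review bot: The substitution at `if u.Password == "" { u.Password = defaultPassword }` means this helper can no longer send an empty password at all, so the table-driven TestCreateUser loses its only way to exercise the new rejection path in AddUser; the commit deletes the "User without password" case instead of turning it into one that expects a 400 for both "" and a whitespace-only value. A small opt-out would keep the convenience for the existing cases while allowing the negative test, for example a second helper `createUserRaw(u User) error` that performs the same request without the substitution, or a field on the test User struct that disables it. Until such a case exists, a regression that drops the check in users.go would pass this suite unnoticed. The rest of createUser and TestCreateUser lies outside this hunk.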
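Review bot: The new rejection at `strings.TrimSpace(password) == ""` is logged through `o.logger.Error()`, yet a blank password is a client input error that already receives a 400, so every malformed request now produces an error-level log line; `o.logger.Warn()` (or `Info`) is the usual level for rejected input and keeps the error log meaningful. The check only covers AddUser; if the edit-user handler in this file also accepts a password field (not visible in this hunk), the same trimmed-empty check belongs there, otherwise the restriction can be sidestepped by creating the user and then updating the password. A one-line comment such as `// reject empty and whitespace-only passwords (https://github.com/owncloud/product/issues/197)` above the check would also make clear that the fallbacks block below is not meant to supply a default password. AddUser's body starts and ends outside the hunk.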
diff --git a/tests/acceptance/expected-failures-API-on-OCIS-storage.md b/tests/acceptance/expected-failures-API-on-OCIS-storage.md index fa6494d69..6b1d48ad4 100644 --- a/tests/acceptance/expected-failures-API-on-OCIS-storage.md +++ b/tests/acceptance/expected-failures-API-on-OCIS-storage.md @@ -911,9 +911,6 @@ special character username not valid - [apiTrashbin/trashbinFilesFolders.feature:252](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L252) - [apiTrashbin/trashbinFilesFolders.feature:253](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L253) -#### [Password can be set to empty](https://github.com/owncloud/product/issues/197) -- [apiProvisioning-v2/addUser.feature:83](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L83) - #### [Client token generation not implemented](https://github.com/owncloud/ocis/issues/197) - [apiProvisioning-v1/apiProvisioningUsingAppPassword.feature:39](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v1/apiProvisioningUsingAppPassword.feature#L39) - [apiProvisioning-v1/apiProvisioningUsingAppPassword.feature:67](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v1/apiProvisioningUsingAppPassword.feature#L67) 
@@ -1473,4 +1470,4 @@ Not everything needs to be implemented for ocis. While the oc10 testsuite covers
 ### [Content-type is not multipart/byteranges when downloading file with Range Header](https://github.com/owncloud/ocis/issues/2677)
 - [apiWebdavOperations/downloadFile.feature:169](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/downloadFile.feature#L169)
-- [apiWebdavOperations/downloadFile.feature:170](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/downloadFile.feature#L170)
\ No newline at end of file
+- [apiWebdavOperations/downloadFile.feature:170](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/downloadFile.feature#L170)