mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-06 20:29:54 -06:00
Code Issues Packages Projects Releases Wiki Activity

graph: Fix handling of required attributes for users and groups

Browse Source 
Fix a possible panic when checking for missing attribute ('err' was used
without actually being set). Return more helpful messages when required
attributes of a user or group are missing.
This commit is contained in:
Ralf Haferkamp
2022-03-28 11:23:23 +02:00
parent 1d25f03deb
commit 6fffe04120
2 changed files with 23 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
graph/pkg/service/v0/groups.go
View File

@@ -42,7 +42,7 @@ func (g Graph) PostGroup(w http.ResponseWriter, r *http.Request) {
return
}
if isNilOrEmpty(grp.DisplayName) {
if _, ok := grp.GetDisplayNameOk(); !ok {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "Missing Required Attribute")
return
}
@@ -50,7 +50,7 @@ func (g Graph) PostGroup(w http.ResponseWriter, r *http.Request) {
// Disallow user-supplied IDs. It's supposed to be readonly. We're either
// generating them in the backend ourselves or rely on the Backend's
// storage (e.g. LDAP) to provide a unique ID.
if !isNilOrEmpty(grp.Id) {
if _, ok := grp.GetIdOk(); ok {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "group id is a read-only attribute")
return
}

36
graph/pkg/service/v0/users.go
View File

@@ -60,26 +60,36 @@ func (g Graph) PostUser(w http.ResponseWriter, r *http.Request) {
return
}
if isNilOrEmpty(u.DisplayName) || isNilOrEmpty(u.OnPremisesSamAccountName) || isNilOrEmpty(u.Mail) {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, err.Error())
if _, ok := u.GetDisplayNameOk(); !ok {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "missing required Attribute: 'displayName'")
return
}
if accountName, ok := u.GetOnPremisesSamAccountNameOk(); ok {
if !isValidUsername(*accountName) {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest,
fmt.Sprintf("username '%s' must be at least the local part of an email", *u.OnPremisesSamAccountName))
return
}
} else {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "missing required Attribute: 'onPremisesSamAccountName'")
return
}
if !isValidUsername(*u.OnPremisesSamAccountName) {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest,
fmt.Sprintf("username '%s' must be at least the local part of an email", *u.OnPremisesSamAccountName))
return
}
if !isValidEmail(*u.Mail) {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest,
fmt.Sprintf("'%s' is not a valid email address", *u.Mail))
if mail, ok := u.GetMailOk(); ok {
if !isValidEmail(*mail) {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest,
fmt.Sprintf("'%s' is not a valid email address", *u.Mail))
return
}
} else {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "missing required Attribute: 'mail'")
return
}
// Disallow user-supplied IDs. It's supposed to be readonly. We're either
// generating them in the backend ourselves or rely on the Backend's
// storage (e.g. LDAP) to provide a unique ID.
if !isNilOrEmpty(u.Id) {
if _, ok := u.GetIdOk(); ok {
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "user id is a read-only attribute")
return
}
@@ -202,10 +212,6 @@ func (g Graph) PatchUser(w http.ResponseWriter, r *http.Request) {
}
func isNilOrEmpty(s *string) bool {
return s == nil || *s == ""
}
// We want to allow email addresses as usernames so they show up when using them in ACLs on storages that allow integration with our glauth LDAP service
// so we are adding a few restrictions from https://stackoverflow.com/questions/6949667/what-are-the-real-rules-for-linux-usernames-on-centos-6-and-rhel-6
// names should not start with numbers