always unescape url params
@@ -3,6 +3,7 @@ package svc
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/owncloud/ocis/graph/pkg/service/v0/errorcode"
|
||||
|
||||
@@ -30,6 +31,11 @@ func (g Graph) GetGroups(w http.ResponseWriter, r *http.Request) {
|
||||
// GetGroup implements the Service interface.
|
||||
func (g Graph) GetGroup(w http.ResponseWriter, r *http.Request) {
|
||||
groupID := chi.URLParam(r, "groupID")
|
||||
groupID, err := url.PathUnescape(groupID)
|
||||
if err != nil {
|
||||
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "unescaping group id failed")
|
||||
}
|
||||
|
||||
if groupID == "" {
|
||||
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "missing group id")
|
||||
return
|
||||
|
||||
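Review bot: The new error branch in GetGroup renders a 400 when `url.PathUnescape` fails but never returns, so the handler keeps running after the response has been written. Because PathUnescape yields an empty string on error, the `groupID == ""` check right below then renders a second error onto the same response; add `return` after the `errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "unescaping group id failed")` call. The same missing `return` is in every unescape block this commit adds: GetUser in the graph service, and ListUserGroups, AddToGroup, RemoveFromGroup, DeleteGroup, GetGroupMembers, GetUser, EditUser, DeleteUser, EnableUser and DisableUser in the ocs service. In the ocs handlers the visible code goes on to `fetchGroupByName` / `fetchAccountByUsername` with the empty id, so a rejected request still reaches the lookup path. GetGroup's body continues outside the hunk.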
@@ -3,6 +3,7 @@ package svc
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
revactx "github.com/cs3org/reva/pkg/ctx"
|
||||
"github.com/go-chi/chi/v5"
|
||||
@@ -49,6 +50,11 @@ func (g Graph) GetUsers(w http.ResponseWriter, r *http.Request) {
|
||||
// GetUser implements the Service interface.
|
||||
func (g Graph) GetUser(w http.ResponseWriter, r *http.Request) {
|
||||
userID := chi.URLParam(r, "userID")
|
||||
userID, err := url.PathUnescape(userID)
|
||||
if err != nil {
|
||||
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "unescaping user id failed")
|
||||
}
|
||||
|
||||
if userID == "" {
|
||||
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "missing user id")
|
||||
return
|
||||
|
||||
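Review bot: Unescaping `userID` unconditionally can decode the value twice. chi matches routes against `r.URL.RawPath` when it is set and against the already-decoded `r.URL.Path` otherwise, so in the second case `chi.URLParam` has already returned a decoded id, and a further `url.PathUnescape` either alters an id that still contains a `%` sequence or rejects it. The id the handler acts on can then differ from the one a reverse proxy, access log or authorization middleware evaluated, which is a canonicalization gap worth closing. Consider decoding only when the raw path was used, e.g. `if r.URL.RawPath != "" { userID, err = url.PathUnescape(userID) }`, and add a test with an id containing a literal `%` to pin the behaviour; this applies to every handler the commit touches. GetUser's body continues outside the hunk.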
@@ -22,8 +22,11 @@ import (
|
||||
// ListUserGroups lists a users groups
|
||||
func (o Ocs) ListUserGroups(w http.ResponseWriter, r *http.Request) {
|
||||
userid := chi.URLParam(r, "userid")
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
var account *accounts.Account
|
||||
var err error
|
||||
|
||||
// short circuit if there is a user already in the context
|
||||
if u, ok := revactx.ContextGetUser(r.Context()); ok {
|
||||
@@ -104,6 +107,10 @@ func (o Ocs) ListUserGroups(w http.ResponseWriter, r *http.Request) {
|
||||
func (o Ocs) AddToGroup(w http.ResponseWriter, r *http.Request) {
|
||||
groupid := r.PostFormValue("groupid")
|
||||
userid := chi.URLParam(r, "userid")
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
if groupid == "" {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "empty group assignment: unspecified group"))
|
||||
@@ -155,8 +162,10 @@ func (o Ocs) AddToGroup(w http.ResponseWriter, r *http.Request) {
|
||||
// RemoveFromGroup removes a user from a group
|
||||
func (o Ocs) RemoveFromGroup(w http.ResponseWriter, r *http.Request) {
|
||||
userid := chi.URLParam(r, "userid")
|
||||
|
||||
var err error
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
// Really? a DELETE with form encoded body?!?
|
||||
// but it is not encoded as mime, so we cannot just call r.ParseForm()
|
||||
@@ -340,6 +349,10 @@ func (o Ocs) AddGroup(w http.ResponseWriter, r *http.Request) {
|
||||
// DeleteGroup deletes a group
|
||||
func (o Ocs) DeleteGroup(w http.ResponseWriter, r *http.Request) {
|
||||
groupid := chi.URLParam(r, "groupid")
|
||||
groupid, err := url.PathUnescape(groupid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
// ocs only knows about names so we have to look up the internal id
|
||||
group, err := o.fetchGroupByName(r.Context(), groupid)
|
||||
@@ -376,6 +389,10 @@ func (o Ocs) DeleteGroup(w http.ResponseWriter, r *http.Request) {
|
||||
func (o Ocs) GetGroupMembers(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
groupid := chi.URLParam(r, "groupid")
|
||||
groupid, err := url.PathUnescape(groupid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
// ocs only knows about names so we have to look up the internal id
|
||||
group, err := o.fetchGroupByName(r.Context(), groupid)
|
||||
|
||||
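Review bot: The ocs group handlers report a failed unescape with `data.MetaServerError.StatusCode` and `err.Error()`, although a malformed percent-escape is a client error. Using the server-error code inflates server-side error metrics with input the client controls, and `err.Error()` echoes the offending fragment of the request back in the response body. AddToGroup in the same file already uses `data.MetaBadRequest` for bad input, so the branch could read `o.mustRender(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "invalid groupid"))` followed by `return`. The handler bodies continue outside the hunks shown.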
@@ -6,6 +6,7 @@ import (
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
@@ -85,8 +86,11 @@ func (o Ocs) GetSelf(w http.ResponseWriter, r *http.Request) {
|
||||
// GetUser returns the user with the given userid
|
||||
func (o Ocs) GetUser(w http.ResponseWriter, r *http.Request) {
|
||||
userid := chi.URLParam(r, "userid")
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
var account *accounts.Account
|
||||
var err error
|
||||
|
||||
switch {
|
||||
case userid == "":
|
||||
@@ -273,9 +277,12 @@ func (o Ocs) AddUser(w http.ResponseWriter, r *http.Request) {
|
||||
// EditUser creates a new user account
|
||||
func (o Ocs) EditUser(w http.ResponseWriter, r *http.Request) {
|
||||
userid := chi.URLParam(r, "userid")
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
var account *accounts.Account
|
||||
var err error
|
||||
switch o.config.AccountBackend {
|
||||
case "accounts":
|
||||
account, err = o.fetchAccountByUsername(r.Context(), userid)
|
||||
@@ -351,9 +358,12 @@ func (o Ocs) EditUser(w http.ResponseWriter, r *http.Request) {
|
||||
// DeleteUser deletes a user
|
||||
func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) {
|
||||
userid := chi.URLParam(r, "userid")
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
var account *accounts.Account
|
||||
var err error
|
||||
switch o.config.AccountBackend {
|
||||
case "accounts":
|
||||
account, err = o.fetchAccountByUsername(r.Context(), userid)
|
||||
@@ -508,9 +518,12 @@ func (o Ocs) mintTokenForUser(ctx context.Context, account *accounts.Account) (s
|
||||
// EnableUser enables a user
|
||||
func (o Ocs) EnableUser(w http.ResponseWriter, r *http.Request) {
|
||||
userid := chi.URLParam(r, "userid")
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
var account *accounts.Account
|
||||
var err error
|
||||
switch o.config.AccountBackend {
|
||||
case "accounts":
|
||||
account, err = o.fetchAccountByUsername(r.Context(), userid)
|
||||
@@ -559,9 +572,12 @@ func (o Ocs) EnableUser(w http.ResponseWriter, r *http.Request) {
|
||||
// DisableUser disables a user
|
||||
func (o Ocs) DisableUser(w http.ResponseWriter, r *http.Request) {
|
||||
userid := chi.URLParam(r, "userid")
|
||||
userid, err := url.PathUnescape(userid)
|
||||
if err != nil {
|
||||
o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, err.Error()))
|
||||
}
|
||||
|
||||
var account *accounts.Account
|
||||
var err error
|
||||
switch o.config.AccountBackend {
|
||||
case "accounts":
|
||||
account, err = o.fetchAccountByUsername(r.Context(), userid)
|
||||
|
||||
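Review bot: The four-line unescape block is pasted into GetUser, EditUser, DeleteUser, EnableUser and DisableUser here (and into the group handlers), so the decode policy and its error handling live in many copies that have to be kept in step. A small method that reads the route parameter, decodes it, writes the error response itself and tells the caller whether to continue would make that a single place to review and test. Each call site then becomes `userid, ok := o.urlParam(w, r, "userid")` followed by `if !ok { return }`. The handler bodies continue outside the hunks shown.

```go
// urlParam returns the named route parameter, percent-decoded.
// ok is false when the value is not validly escaped; an error
// response has then been written and the caller must return.
func (o Ocs) urlParam(w http.ResponseWriter, r *http.Request, key string) (value string, ok bool) {
	value, err := url.PathUnescape(chi.URLParam(r, key))
	if err != nil {
		o.mustRender(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "invalid "+key))
		return "", false
	}
	return value, true
}
```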