REPO-1882: Create a group or a person with an id that contains backslash does not throw an error

Added an char array containing illegall characters (/,\,\n,\r) to Groups and People API's, and adapted the checking of the previous illlegal character (/), to verify all of them. Added two tests (one for group and one for people), creating using invalid id's.
2025-08-14 17:58:59 +00:00 · 2017-10-05 17:25:14 +03:00
parent 1742e74001
commit 723fb50d67
4 changed files with 66 additions and 29 deletions
--- a/src/main/java/org/alfresco/rest/api/impl/GroupsImpl.java
+++ b/src/main/java/org/alfresco/rest/api/impl/GroupsImpl.java
@@ -86,6 +86,7 @@ public class GroupsImpl implements Groups
    private static final String DISPLAY_NAME = "displayName";
    private static final String AUTHORITY_NAME = "authorityName";
    private static final String ERR_MSG_MODIFY_FIXED_AUTHORITY = "Trying to modify a fixed authority";
+    private static final char[] illegalCharacters = {'/', '\\', '\r', '\n'};

    private final static Map<String, String> SORT_PARAMS_TO_NAMES;
    static
@@ -933,17 +934,21 @@ public class GroupsImpl implements Groups

        if (!isUpdate)
        {
-            if (group.getId() == null || group.getId().isEmpty())
+            String groupId = group.getId();
+            if (groupId == null || groupId.isEmpty())
            {
                throw new InvalidArgumentException("groupId is null or empty");
            }

-            if (group.getId().indexOf('/') != -1)
+            for (char illegalCharacter : illegalCharacters)
            {
-                throw new IllegalArgumentException("groupId contains characters that are not permitted.");
+                if (groupId.indexOf(illegalCharacter) != -1)
+                {
+                    throw new IllegalArgumentException("groupId contains characters that are not permitted: "+groupId.charAt(groupId.indexOf(illegalCharacter)));
+                }
            }

-            if (groupAuthorityExists(group.getId()))
+            if (groupAuthorityExists(groupId))
            {
                throw new ConstraintViolatedException("Group '" + group.getId() + "' already exists.");
            }
--- a/src/main/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/src/main/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -105,6 +105,7 @@ public class PeopleImpl implements People
            PermissionService.GROUP_PREFIX,
            PermissionService.ROLE_PREFIX
    };
+    private static final char[] illegalCharacters = {'/', '\\', '\r', '\n'};

    protected Nodes nodes;
 	protected Sites sites;
@@ -646,9 +647,12 @@ public class PeopleImpl implements People
            throw new InvalidArgumentException("Username exceeds max length of " + USERNAME_MAXLENGTH + " characters.");
        }

-        if (username.indexOf('/') != -1)
+        for (char illegalCharacter : illegalCharacters)
        {
-            throw new IllegalArgumentException("Username contains characters that are not permitted.");
+            if (username.indexOf(illegalCharacter) != -1)
+            {
+                throw new IllegalArgumentException("Username contains characters that are not permitted: "+username.charAt(username.indexOf(illegalCharacter)));
+            }
        }

        for (String prefix : RESERVED_AUTHORITY_PREFIXES)
--- a/src/test/java/org/alfresco/rest/api/tests/GroupsTest.java
+++ b/src/test/java/org/alfresco/rest/api/tests/GroupsTest.java
@@ -1438,6 +1438,15 @@ public class GroupsTest extends AbstractSingleNetworkSiteTest
            groupsProxy.createGroup(group, null, HttpServletResponse.SC_CONFLICT);
        }

+        // Create Group with an id that contains "\" should return an error.
+        {
+            setRequestContext(networkOne.getId(), networkAdmin, DEFAULT_ADMIN_PWD);
+
+            Group group = new Group();
+            group.setId("te\\st");
+            groupsProxy.createGroup(group, null, HttpServletResponse.SC_BAD_REQUEST);
+        }
+
        // Create subgroup with invalid parent.
        {
            setRequestContext(networkOne.getId(), networkAdmin, DEFAULT_ADMIN_PWD);
--- a/src/test/java/org/alfresco/rest/api/tests/TestPeople.java
+++ b/src/test/java/org/alfresco/rest/api/tests/TestPeople.java
@@ -609,6 +609,25 @@ public class TestPeople extends AbstractBaseApiTest
        }
    }

+    /**
+     * Created for REPO-1882, '\\', '\r' and '\n' marked as invalid character for personId
+     */
+    @Test
+    public void testCreatePersonWithInvalidCharacter () throws Exception
+    {
+        publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin"));
+
+        Person person = new Person();
+        String personId = UUID.randomUUID().toString()+"\\";
+        person.setUserName(personId);
+        person.setFirstName("Joe");
+        person.setEmail(personId+"@"+account1.getId());
+        person.setEnabled(true);
+        person.setPassword("password123");
+
+        people.create(person, 400);
+    }
+
    @Test
    public void testGetPerson_withCustomProps() throws PublicApiException
    {