Escaping username/roles parameters to allow usernames/roles with special characters. #3570

Merged
merged 4 commits into from Mar 7, 2017

dennisoelkers
Member

@dennisoelkers dennisoelkers commented Mar 6, 2017

Description

Motivation and Context

Before this change it was possible to create user/role names containing one or more slashes or other special characters, but it was not possible to delete them afterwards from the web interface.

After this change, the user/role name used to construct the URL to the backend is escaped properly, so deletions succeed even if the user/role name contains one or more special characters.

Fixes #3569. Should also be merged into 2.2.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@dennisoelkers dennisoelkers added this to the 2.3.0 milestone Mar 6, 2017
@dennisoelkers dennisoelkers changed the title Escaping username component to allow usernames with slash. Escaping username/roles parameters to allow usernames/roles with special characters. Mar 6, 2017
Contributor

@joschi joschi left a comment

Basically a question of style, but shouldn't the call to encodeURIComponent be added to the routes in Routes.jsx instead of to every occurrence in other source locations?
That way it can't be forgotten by other authors.

@joschi joschi self-assigned this Mar 6, 2017
@dennisoelkers
Member Author

I totally understand your question and had the same idea at first. Unfortunately we cannot do it that way, because we also use those routes to generate the route map for our application and reuse the parameters with placeholders (:username etc.) to generate dynamic routes for react-router. So fixing it this way was the least intrusive way for now. I would like to spend some time to think about how to refactor it properly though, but this would be a bit beyond the scope of this PR. Thanks for the input!

Contributor

@joschi joschi left a comment

There still seem to be some places missing.

For example I'm unable to log in with a user named "foo/bar".

The Chrome Console shows the following error message:

There was an error fetching a resource: cannot GET http://127.0.0.1:9000/api/users/foo/bar (404). Additional information: HTTP 404 Not Found

Unhandled rejection Error: cannot GET http://127.0.0.1:9000/api/users/foo/bar (404)
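
The encoding discussed in this thread, as an added example that is not part of this PR or the project's code: a helper that fills `:param` placeholders with `encodeURIComponent`-encoded values at call time, so the route templates themselves stay usable as router patterns. `ApiRoutes`, `fillRoute`, `naiveUserUrl`, `segmentCount` and the sample names are assumptions made for illustration.

```javascript
// Added example; ApiRoutes and all function names are hypothetical.
// Route templates keep their ":param" placeholders so the same strings can
// still be handed to a router as patterns.
const ApiRoutes = {
  user: '/api/users/:username',
  role: '/api/roles/:rolename',
};

// Fill a template, percent-encoding every value so that it stays inside
// the single path segment reserved for it.
function fillRoute(template, params) {
  return template.replace(/:([A-Za-z_]\w*)/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`missing route parameter "${name}" for ${template}`);
    }
    const value = String(params[name]);
    // encodeURIComponent leaves "." untouched, so "." and ".." would still
    // be treated as dot segments by URL parsers; reject them explicitly.
    if (value === '' || value === '.' || value === '..') {
      throw new Error(`unsafe value for route parameter "${name}"`);
    }
    return encodeURIComponent(value);
  });
}

// Plain concatenation: the behaviour behind the 404 quoted above, where
// "foo/bar" turns one path segment into two.
function naiveUserUrl(username) {
  return '/api/users/' + username;
}

// Number of non-empty path segments, used to compare both variants.
function segmentCount(path) {
  return path.split('/').filter(Boolean).length;
}

// Constructed sample names, not taken from the PR.
const samples = ['foo/bar', 'ops team', 'a?b#c', 'jürgen'];
for (const name of samples) {
  const safe = fillRoute(ApiRoutes.user, { username: name });
  console.log(JSON.stringify(name), '->', naiveUserUrl(name), '|', safe);
}
```

Whether the backend accepts `%2F` inside a path segment depends on the server and any proxy in front of it, so the encoded form needs to be checked end to end.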

@dennisoelkers
Member Author

✅, also rebased to current master.

Contributor

@joschi joschi left a comment

LGTM. 👍

@joschi joschi merged commit 34446c2 into master Mar 7, 2017
@joschi joschi deleted the issue-3569 branch March 7, 2017 14:10
dennisoelkers added a commit that referenced this pull request Mar 7, 2017
* Escaping username component to allow usernames with slash.
* Allowing to handle deletion/updates of roles with special characters.
* Allowing editing/updating/deleting users with special characters in name
* Using proper route methods, escaping username in CurrentUserStore.

Fixes #3569

(cherry picked from commit 34446c2)
joschi pushed a commit that referenced this pull request Mar 7, 2017
* Escaping username component to allow usernames with slash.
* Allowing to handle deletion/updates of roles with special characters.
* Allowing editing/updating/deleting users with special characters in name
* Using proper route methods, escaping username in CurrentUserStore.

Fixes #3569

(cherry picked from commit 34446c2 / PR #3570)
Development

Successfully merging this pull request may close these issues.

Add user role name with slash "/"
2 participants