
fix: check target user, allow \wadmin\w names but not admin itself [W…
…EB-529] (#5251)

* fix: check target user, allow names including admin but not admin itself
mapmeld authored Oct 13, 2022
1 parent 2fee696 commit 21355bf
Showing 1 changed file with 3 additions and 5 deletions.
8 changes: 3 additions & 5 deletions master/internal/api_user.go
Expand Up @@ -304,7 +304,6 @@ func (a *apiServer) PatchUser(
return nil, status.Error(codes.PermissionDenied, err.Error())
}

// TODO: handle any field name:
if req.User.DisplayName != nil {
if err = user.AuthZProvider.Get().CanSetUsersDisplayName(*curUser, targetUser); err != nil {
if ok, canGetErr := user.AuthZProvider.Get().
Expand All @@ -325,12 +324,11 @@ func (a *apiServer) PatchUser(
re := regexp.MustCompile("[^\\p{Latin}\\p{N}\\s]")
displayName := re.ReplaceAllLiteralString(req.User.DisplayName.Value, "")
// Restrict 'admin' and 'determined' in display names.
if !(curUser.Admin && curUser.ID == uid) && strings.Contains(strings.ToLower(displayName),
"admin") {
if !targetUser.Admin && (strings.TrimSpace(strings.ToLower(displayName)) == "admin") {
return nil, status.Error(codes.InvalidArgument, "Non-admin user cannot be renamed 'admin'")
}
if curUser.Username != "determined" && strings.Contains(strings.ToLower(displayName),
"determined") {
if targetUser.Username != displayName &&
(strings.TrimSpace(strings.ToLower(displayName)) == "determined") {
return nil, status.Error(codes.InvalidArgument, "User cannot be renamed 'determined'")
}
err = a.m.db.QueryProto("set_user_display_name", u, req.UserId, strings.TrimSpace(displayName))
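Review bot: The 'determined' guard on the new side compares `targetUser.Username` against the raw sanitized `displayName`, while the reserved-word test next to it uses the trimmed, lower-cased form, so the account actually named `determined` is refused for `"Determined"` or `" determined"` even though the admin branch just above keys on the target's identity (`targetUser.Admin`) rather than on the exact spelling. Mirroring that branch with `if targetUser.Username != "determined" && strings.TrimSpace(strings.ToLower(displayName)) == "determined" {` keeps the reserved word on the account it belongs to regardless of case or padding, and matches what is actually stored (`strings.TrimSpace(displayName)`). Both guards are also only ASCII case-folded: the regexp above keeps everything in Script=Latin, which as far as I can tell includes the fullwidth letters U+FF21–U+FF5A, and `strings.ToLower` does not map those to ASCII, so a display name such as `ａｄｍｉｎ` would pass and render as "admin"; if impersonation is the threat this check exists for, that deserves either a compatibility normalization or at least a note on the `// Restrict 'admin' and 'determined' in display names.` comment. PatchUser starts before the first hunk and continues past this one.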
