ocis icon indicating copy to clipboard operation
ocis copied to clipboard
verified publisher icon owncloud

Groups with space at the beginning or end of the name can be created with the Provisioning API

Open phil-davis opened this issue 4 years ago • 6 comments

Describe the bug

core PR https://github.com/owncloud/core/pull/39540 is improving/changing the group name validation in core. oCIS should behave the same - there should not be any space allowed at the beginning and/or end of a group name.

Steps to reproduce

Run the related new API tests:

apiProvisioningGroups-v1/addGroup.feature:158
apiProvisioningGroups-v1/addGroup.feature:166
apiProvisioningGroups-v1/addGroup.feature:174
apiProvisioningGroups-v2/addGroup.feature:154
apiProvisioningGroups-v2/addGroup.feature:162
apiProvisioningGroups-v2/addGroup.feature:170

Expected behavior

Groups with space at the start or end of the name should not be allowed to be created: " space-at-start" "space-at-end " " " Those should all be prohibited group names.

Actual behavior

Those names can be use when creating a group with the Provisioning API.

Setup

Current ocis master.

phil-davis avatar Dec 14 '21 08:12 phil-davis

Groups with space at the start or end of the name should not be allowed to be created: " space-at-start" "space-at-end "

why? I tested it on ocis-6.0.0 using graph/v1.0/groups - it's possible to create with space at the beginning or end of the name

@rhafer should we forbid it or close issue?

ScharfViktor avatar Jun 26 '24 13:06 ScharfViktor

why?

In oC10 this was discussed and it was decided that "accidents" like having a group called "finance" and another group called "finance " (with a space at the end) caused confusion, and are never intentional in real-life. ocis can, of course, decide if it wants such a limitation or not.

phil-davis avatar Jun 26 '24 14:06 phil-davis

@rhafer What is your opinion?

micbar avatar Jun 27 '24 10:06 micbar

I agree that we should not allow trailing or leading spaces in group names. It's just confusing.

rhafer avatar Jul 01 '24 10:07 rhafer

Would it be valid to just trim the name when validating the input or should there be a hard error (like 400)?

dragonchaser avatar Jul 24 '24 14:07 dragonchaser

Would it be valid to just trim the name when validating the input or should there be a hard error (like 400)?

I like the idea of auto-trimming. And then if the group already exists, an error about that will be returned. (e.g. "finance" already exists, someone tries to create "finance ", they get an error back saying "finance" already exists.

But for non-human clients - the actual code making API requests - if it sends a request to create group "HR ", gets a success response, then it will think that "HR " now exists. But actually "HR" was created. The client application is going to get confused.

phil-davis avatar Jul 24 '24 15:07 phil-davis