[MAGNOLIA-6696] Allow ' characters in Usernames: the username in MgnlUserManager.getUser(String) needs to be properly escaped Created: 15/Jun/16 Updated: 09/Feb/17 Resolved: 25/Jul/16 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | security |
| Affects Version/s: | 5.3.14, 5.4.6, 5.4.7 |
| Fix Version/s: | 5.3.16, 5.4.8, 5.5 |
| Type: | Bug | Priority: | Major |
| Reporter: | Christian Ringele | Assignee: | Oanh Thai Hoang |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | support | ||
| Remaining Estimate: | 0d | ||
| Time Spent: | 2.25d | ||
| Original Estimate: | 3d | ||
| Patch included: |
Yes
|
||||
| Acceptance criteria: |
Empty
|
||||
| Task DoD: |
[ ]*
Doc/release notes changes? Comment present?
[ ]*
Downstream builds green?
[ ]*
Solution information and context easily available?
[ ]*
Tests
[ ]*
FixVersion filled and not yet released
[ ] 
Architecture Decision Record (ADR)
|
||||
| Bug DoR: |
[ ]*
Steps to reproduce, expected, and actual results filled
[ ]*
Affected version filled
|
||||
| Release notes required: |
Yes
|
||||
| Date of First Response: | |||||
| Sprint: | Saigon 54 | ||||
| Story Points: | 5 | ||||
| Description |
|
We allow ' character in JCR user nodes. Especially for public users (and when having Scottish users) the ' character is used a lot and needed.
Here with a test user named "test'test".

ERROR info.magnolia.cms.security.MgnlUserManager 15.06.2016 16:39:42 – Could not retrieve user with name: simon_o'connell@westpac.co.nz
javax.jcr.query.InvalidQueryException: Query: select * from [mgnl:user] where name() = 'test'test' and isdescendantnode(['/public(*)'])
    at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:978)
    at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:959)
    at org.apache.jackrabbit.commons.query.sql2.Parser.checkRunOver(Parser.java:773)
    at

Or the bold part will be interpreted as query:

I added a patch with an escape method used for the user name. Group names can't have ' characters, so I'm not escaping the groupname. |
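An added example, not part of the ticket or its attached patch: it rebuilds the query shape from the error message above with and without escaping the user name, and shows what a JCR-SQL2 parser reads as the name literal in each case. The class and method names are hypothetical, and the escaping shown is the standard JCR-SQL2 rule of doubling a single quote inside a string literal, not necessarily what the Magnolia fix does.

```java
// Added illustration, not Magnolia code. All names in this class are hypothetical.
public class UserQueryEscaping {

    // JCR-SQL2 string literals are delimited by single quotes;
    // a literal quote inside the string is written as two quotes ('').
    static String escapeSql2Literal(String value) {
        return value.replace("'", "''");
    }

    // Query shape follows the one in the ticket's error message.
    static String buildUserQuery(String userName, String realmPath, boolean escape) {
        String name = escape ? escapeSql2Literal(userName) : userName;
        return "select * from [mgnl:user] where name() = '" + name
                + "' and isdescendantnode(['" + escapeSql2Literal(realmPath) + "'])";
    }

    // Reads the first string literal the way a SQL2 parser does:
    // '' inside the literal decodes to one quote, a lone ' terminates it.
    static String firstLiteral(String query) {
        int i = query.indexOf('\'') + 1;
        StringBuilder out = new StringBuilder();
        while (i < query.length()) {
            char c = query.charAt(i++);
            if (c != '\'') {
                out.append(c);
            } else if (i < query.length() && query.charAt(i) == '\'') {
                out.append('\'');
                i++;
            } else {
                return out.toString();
            }
        }
        throw new IllegalArgumentException("unterminated string literal");
    }

    public static void main(String[] args) {
        String user = "test'test"; // test user name from the ticket
        for (boolean escape : new boolean[] {false, true}) {
            String query = buildUserQuery(user, "/public", escape);
            String seen = firstLiteral(query);
            System.out.println(query);
            System.out.println("  name literal as parsed: " + seen
                    + (seen.equals(user)
                        ? "  (matches the user name)"
                        : "  (cut short; the rest is parsed as query syntax)"));
        }
    }
}
```

Where the query is executed through the JCR API, a JCR-SQL2 bind variable set with `Query.bindValue` avoids building the literal by hand.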
| Comments |
| Comment by Jan Haderka [ 14/Jul/16 ] |
|
info.magnolia.util.EscapeUtil might be better than introducing a special method. |
| Comment by Oanh Thai Hoang [ 20/Jul/16 ] |
|
Hi cringele, when reading your patch, I can see your cases include some characters that are considered Non-JCR Names (https://docs.adobe.com/content/docs/en/spec/jcr/2.0/3_Repository_Model.html#3.2.5.4%20Exposing%20Non-JCR%20Names). We won't support creating user names with those characters anyway, shall we? |
| Comment by Christian Ringele [ 20/Jul/16 ] |
|
The patch was just quickly made for solving the customer's problem. I assume you coordinate with had or pmundt the preferred way to implement it. Regards, |