[MAGNOLIA-6696] Allow ' characters in Usernames: the username in MgnlUserManager.getUser(String) needs to be properly escaped Created: 15/Jun/16  Updated: 09/Feb/17  Resolved: 25/Jul/16

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 5.3.14, 5.4.6, 5.4.7
Fix Version/s: 5.3.16, 5.4.8, 5.5

Type: Bug Priority: Major
Reporter: Christian Ringele Assignee: Oanh Thai Hoang
Resolution: Fixed Votes: 0
Labels: support
Remaining Estimate: 0d
Time Spent: 2.25d
Original Estimate: 3d

Attachments: Text File MgnlUserManager.patch, PNG File PublicUSerTest-OnDemo.png
Issue Links:
causality
Template:
Patch included:
Yes
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Release notes required:
Yes
Date of First Response:
Sprint: Saigon 54
Story Points: 5

Description

We allow the ' character in JCR user nodes.
So we need to properly escape the user name, as it is used in queries to fetch the user in:
info.magnolia.cms.security.RepositoryBackedSecurityManager.findPrincipalNodeByQuery(String, Session, String, Node)

Especially for public users (and when there are Scottish users) the ' character is used a lot and is needed.

Here is an example with a test user named "test'test":

ERROR info.magnolia.cms.security.MgnlUserManager 15.06.2016 16:39:42 – Could not retrieve user with name: simon_o'connell@westpac.co.nz
javax.jcr.query.InvalidQueryException: Query:
select * from [mgnl:user] where name() = 'test'test' and isdescendantnode(['/public(*)'])
at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:978)
at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:959)
at org.apache.jackrabbit.commons.query.sql2.Parser.checkRunOver(Parser.java:773)
at

Otherwise the remainder after the unescaped quote will be interpreted as query syntax:
...name() = 'test'test' and isdescendantnode...

I added a patch with an escape method used for the user name.
Maybe one sees more cases to escape.

Group names can't have ' characters, so I'm not escaping the groupname.


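As an added example (not the attached patch and not Magnolia's own code), the two usual ways to keep a ' in the user name from breaking or altering the JCR-SQL2 statement: doubling the quote inside the string literal, which is the approach the patch takes, or passing the name as a JCR 2.0 bind variable so no user input is spliced into the statement at all. The class name, the helper names and the /public realm path are assumptions.

```java
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

/**
 * Illustrative helper (hypothetical, not Magnolia's code) showing two ways to look up a
 * user node by name so that a ' in the name neither breaks nor changes the JCR-SQL2 query.
 */
public final class UserLookup {

    /** In a JCR-SQL2 string literal an embedded ' is written as '' : test'test -> 'test''test' */
    static String toSql2StringLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    /** Option A (the escaping approach of the attached patch): escape before concatenating. */
    static String buildUserQuery(String username, String realmPath) {
        return "select * from [mgnl:user] where name() = " + toSql2StringLiteral(username)
                + " and isdescendantnode(" + toSql2StringLiteral(realmPath) + ")";
    }

    /**
     * Option B: keep the statement fixed and bind the name as a JCR 2.0 bind variable
     * ($username), so the user-supplied value never becomes part of the query text.
     * The realm path is configuration, not user input, but is escaped anyway.
     * Returns null when no user matches.
     */
    static Node findUserNode(Session session, String username, String realmPath)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query query = qm.createQuery(
                "select * from [mgnl:user] where name() = $username and isdescendantnode("
                        + toSql2StringLiteral(realmPath) + ")",
                Query.JCR_SQL2);
        query.bindValue("username", session.getValueFactory().createValue(username));
        NodeIterator nodes = query.execute().getNodes();
        return nodes.hasNext() ? nodes.nextNode() : null;
    }

    public static void main(String[] args) {
        // Constructed sample name containing the problematic character; realm path assumed.
        System.out.println(buildUserQuery("test'test", "/public"));
    }
}
```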

Comments
Comment by Jan Haderka [ 14/Jul/16 ]

info.magnolia.util.EscapeUtil might be better than introducing a special method.

Comment by Oanh Thai Hoang [ 20/Jul/16 ]

Hi cringele,

When reading your patch, I can see your cases include some characters that are considered Non-JCR Names (https://docs.adobe.com/content/docs/en/spec/jcr/2.0/3_Repository_Model.html#3.2.5.4%20Exposing%20Non-JCR%20Names). We won't support creating user names with those characters anyway, will we?

Comment by Christian Ringele [ 20/Jul/16 ]

The patch was just quickly made for solving the customer's problem.
It's not production ready.

I assume you coordinate with had or pmundt on the preferred way to implement it.
Jan already made a suggestion.

Regards,
Christian

Generated at Mon Feb 12 04:16:58 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.