diff pkg/controllers/user.go @ 418:c70ddc6eb168

Don't allow user names to contain any of the following characters \"':;
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Thu, 16 Aug 2018 13:14:46 +0200
parents c1047fd04a3a
children c49f4c1808b1
--- a/pkg/controllers/user.go	Thu Aug 16 10:42:30 2018 +0200
+++ b/pkg/controllers/user.go	Thu Aug 16 13:14:46 2018 +0200
@@ -94,9 +94,9 @@
 	db *sql.DB,
 ) (jr JSONResult, err error) {
 
-	user := mux.Vars(req)["user"]
-	if user == "" {
-		err = JSONError{http.StatusBadRequest, "error: user empty"}
+	user := UserName(mux.Vars(req)["user"])
+	if user == "" || !user.isValid() {
+		err = JSONError{http.StatusBadRequest, "error: user invalid"}
 		return
 	}
 
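Review bot: The emptiness test in the changed condition `if user == "" || !user.isValid() {` is written in front of `isValid()` here and repeated in the later hunk at line 253; if `UserName.isValid` (defined outside this diff) does not itself reject an empty name, every future call site has to remember the extra guard. Folding the empty case into `isValid` and writing `if !user.isValid() {` at both sites keeps the validation rule in one place. The commit title describes the check as rejecting a fixed set of characters; a validator that permits only an explicit character set is easier to reason about than a deny-list, and the accepted set should be documented on `UserName` so the error text `"error: user invalid"` has a definition to point to. The enclosing handler's signature starts above this hunk and its body continues below it.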
@@ -156,7 +156,7 @@
 
 	if user != newUser.User {
 		// Running in a go routine should not be necessary.
-		go func() { auth.ConnPool.Logout(user) }()
+		go func() { auth.ConnPool.Logout(string(user)) }()
 	}
 
 	jr = JSONResult{
@@ -253,9 +253,9 @@
 	db *sql.DB,
 ) (jr JSONResult, err error) {
 
-	user := mux.Vars(req)["user"]
-	if user == "" {
-		err = JSONError{http.StatusBadRequest, "error: user empty"}
+	user := UserName(mux.Vars(req)["user"])
+	if user == "" || !user.isValid() {
+		err = JSONError{http.StatusBadRequest, "error: user invalid"}
 		return
 	}