diff pkg/controllers/user.go @ 418:c70ddc6eb168
Don't allow user names to contain any of the following characters \"':;
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
---|---|
date | Thu, 16 Aug 2018 13:14:46 +0200 |
parents | c1047fd04a3a |
children | c49f4c1808b1 |
--- a/pkg/controllers/user.go Thu Aug 16 10:42:30 2018 +0200
+++ b/pkg/controllers/user.go Thu Aug 16 13:14:46 2018 +0200
@@ -94,9 +94,9 @@
 db *sql.DB,
 ) (jr JSONResult, err error) {
- user := mux.Vars(req)["user"]
- if user == "" {
- err = JSONError{http.StatusBadRequest, "error: user empty"}
+ user := UserName(mux.Vars(req)["user"])
+ if user == "" || !user.isValid() {
+ err = JSONError{http.StatusBadRequest, "error: user invalid"}
 return
 }
@@ -156,7 +156,7 @@
 if user != newUser.User {
 // Running in a go routine should not be necessary.
- go func() { auth.ConnPool.Logout(user) }()
+ go func() { auth.ConnPool.Logout(string(user)) }()
 }
 jr = JSONResult{
@@ -253,9 +253,9 @@
 db *sql.DB,
 ) (jr JSONResult, err error) {
- user := mux.Vars(req)["user"]
- if user == "" {
- err = JSONError{http.StatusBadRequest, "error: user empty"}
+ user := UserName(mux.Vars(req)["user"])
+ if user == "" || !user.isValid() {
+ err = JSONError{http.StatusBadRequest, "error: user invalid"}
 return
 }
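Review bot: The guard `user == "" || !user.isValid()` rests on a character denylist (the commit message names `\"':;`), so whitespace, control characters and NUL still pass unless `isValid`, which is not visible in this hunk, rejects them as well. An allowlist of permitted characters plus a length bound would be tighter. Folding the empty test into `isValid` would leave a single `if !user.isValid() {` here and in the identical hunk at -253,9, so the two call sites cannot drift. This check should stay a second line of defence: wherever the name later reaches SQL or a connection string it still needs parameter binding or identifier quoting. The enclosing function begins and ends outside the hunk.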
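Review bot: The name on the right of `if user != newUser.User {` is the one that replaces the old name, and the patch only shows validation of the path variable `user`. If `newUser` is decoded from the request body (not visible in this hunk), its `User` field should go through the same `isValid()` check before any database work, otherwise a rename could reintroduce the characters this commit is meant to exclude. The surrounding block starts and ends outside the hunk, so such a check may already exist there.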