Merge pull request #384 from owncloud/validate-guests-emails

Use rawurldecode for allowing "+" in guests emails
owncloud · Mar 4, 2020 · 3d8abc0 · 3d8abc0
2 parents ceb68cb + 0bd4d32
commit 3d8abc0
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 27 deletions.
diff --git a/lib/Controller/UsersController.php b/lib/Controller/UsersController.php
@@ -114,7 +114,7 @@ public function __construct(
 	 */
 	public function create($email, $displayName) {
 		$errorMessages = [];
-		$email = \trim(\urldecode($email));
+		$email = \trim(\rawurldecode($email));
 		$username = \strtolower($email);
 
 		if (empty($email) || !$this->mailer->validateMailAddress($email)) {

diff --git a/tests/acceptance/features/apiGuests/guests.feature b/tests/acceptance/features/apiGuests/guests.feature
@@ -5,10 +5,17 @@ Feature: Guests
     Given using OCS API version "1"
     And using new dav path
 
-  Scenario: Creating a guest user works fine
-    When the administrator creates guest user "guest" with email "[email protected]" using the API
+  @skipOnOcV10.3
+  Scenario Outline: Creating a guest user works fine
+    When the administrator creates guest user "<user>" with email "<email-address>" using the API
     Then the HTTP status code should be "201"
-    And user "guest" should be a guest user
+    And user "<user>" should be a guest user
+    And the email address of user "<email-address>" should be "<email-address>"
+    Examples:
+      | email-address                  | user                 |
+      | guest@example.com              | guest                |
+      | john.smith@email.com           | john.smith           |
+      | betty_anne+bob-burns@email.com | betty_anne+bob-burns |
 
   Scenario: Cannot create a guest if a user with the same email address exists
     Given user "existing-user" has been created with default attributes and skeleton files
@@ -36,16 +43,22 @@ Feature: Guests
     And as "[email protected]" file "/textfile.txt" should not exist
     And as "user0" file "/textfile.txt" should not exist
 
-  @mailhog
-  Scenario: A guest user can upload files to a folder shared with them
+  @mailhog @skipOnOcV10.3
+  Scenario Outline: A guest user can upload files to a folder shared with them
     Given user "user0" has been created with default attributes and skeleton files
-    And the administrator has created guest user "guest" with email "[email protected]"
+    And the administrator has created guest user "<user>" with email "<email-address>"
     And the HTTP status code should be "201"
     And user "user0" has created folder "/tmp"
-    And user "user0" has shared folder "/tmp" with user "[email protected]"
-    And guest user "guest" has registered
-    When user "[email protected]" uploads file "textfile.txt" from the guests test data folder to "/tmp/textfile.txt" using the WebDAV API
+    And user "user0" has shared folder "/tmp" with user "<email-address>"
+    And guest user "<user>" has registered
+    When user "<email-address>" uploads file "textfile.txt" from the guests test data folder to "/tmp/textfile.txt" using the WebDAV API
     Then the HTTP status code should be "201"
+    And as "user0" file "/tmp/textfile.txt" should exist
+    Examples:
+      | email-address                  | user                 |
+      | guest@example.com              | guest                |
+      | john.smith@email.com           | john.smith           |
+      | betty_anne+bob-burns@email.com | betty_anne+bob-burns |
 
   @mailhog
   Scenario: A guest user can upload chunked files to a folder shared with them

diff --git a/tests/acceptance/features/bootstrap/GuestsContext.php b/tests/acceptance/features/bootstrap/GuestsContext.php
@@ -24,6 +24,7 @@
 use Behat\Behat\Context\Context;
 use Behat\Behat\Context\SnippetAcceptingContext;
 use Behat\Behat\Hook\Scope\BeforeScenarioScope;
+use PHPUnit\Framework\Assert;
 use TestHelpers\EmailHelper;
 use TestHelpers\HttpRequestHelper;
 use TestHelpers\SetupHelper;
@@ -126,7 +127,7 @@ private function setCSRFDotDisabledFromGuestsScenario($setting) {
 	 * @return string
 	 */
 	public function prepareUserNameAsFrontend($guestEmail) {
-		return \strtolower(\trim(\urldecode($guestEmail)));
+		return \str_replace('+', '%2B', \strtolower(\trim($guestEmail)));
 	}
 
 	/**
@@ -265,7 +266,7 @@ public function userCreatesAGuestUser(
 		$userName = $this->prepareUserNameAsFrontend($guestEmail);
 		$fullUrl
 			= $fullUrl
-			. "?displayName=$guestDisplayName&email=$guestEmail&username=$userName";
+			. "?displayName=$guestDisplayName&email=$userName&username=$userName";
 
 		$headers = [];
 		$headers['Content-Type'] = 'application/x-www-form-urlencoded';
@@ -382,6 +383,11 @@ public function theAdministratorCreatesAGuestUser(
 	 * @return void
 	 */
 	public function checkGuestUser($guestDisplayName) {
+		Assert::assertArrayHasKey(
+			$guestDisplayName,
+			$this->createdGuests,
+			__METHOD__ . " guest user '$guestDisplayName' has not been successfully created by this scenario"
+		);
 		$userName = $this->prepareUserNameAsFrontend(
 			$this->createdGuests[$guestDisplayName]
 		);
@@ -462,9 +468,7 @@ public function getRegistrationUrl($address) {
 	 */
 	public function registerGuestUser($guestDisplayName, $password = null) {
 		$oldCSRFSetting = $this->disableCSRFFromGuestsScenario();
-		$userName = $this->prepareUserNameAsFrontend(
-			$this->createdGuests[$guestDisplayName]
-		);
+		$userName = $this->createdGuests[$guestDisplayName];
 		$fullRegisterUrl = $this->getRegistrationUrl($userName);
 		$explodedFullRegisterUrl = \explode('/', $fullRegisterUrl);
 		$sizeOfExplodedFullRegisterUrl = \count($explodedFullRegisterUrl);

diff --git a/tests/acceptance/features/webUIGuests/guests.feature b/tests/acceptance/features/webUIGuests/guests.feature
@@ -27,12 +27,17 @@ Feature: Guests
     Then the user should be redirected to a webUI page with the title "%productname%"
     And a warning should be displayed on the set-password-page saying "The token is invalid"
 
-  @mailhog @skipOnOcV10.2
-  Scenario: User uses valid email to create a guest user
+  @mailhog @skipOnOcV10.2 @skipOnOcV10.3
+  Scenario Outline: User uses valid email to create a guest user
     Given user "user0" has been created with default attributes and skeleton files
     And user "user0" has logged in using the webUI
-    When the user shares file "data.zip" with guest user with email "[email protected]" using the webUI
-    Then user "[email protected]" should exist
+    When the user shares file "data.zip" with guest user with email "<email-address>" using the webUI
+    Then user "<email-address>" should exist
+    Examples:
+      | email-address                  |
+      | valid@email.com                |
+      | John.Smith@email.com           |
+      | Betty_Anne+Bob-Burns@email.com |
 
   @mailhog
   Scenario: User uses some random string email to create a guest user
@@ -78,15 +83,15 @@ Feature: Guests
     And user "[email protected]" should exist
     # And user "[email protected]" should not exist
 
-  @mailhog @issue-332 @skipOnOcV10.2 @skipOnFIREFOX
+  @mailhog @skipOnOcV10.2 @skipOnFIREFOX
   Scenario: Administrator changes the guest user's password in users menu
     Given user "admin" has uploaded file with content "new content" to "new-file.txt"
     And the administrator has logged in using the webUI
     And the user shares file "new-file.txt" with guest user with email "[email protected]" using the webUI
     And the administrator has browsed to the users page
     When the administrator changes the password of user "[email protected]" to "newpassword" using the webUI
-    #Then notifications should be displayed on the webUI with the text
-    #  | Password successfully changed |
+    Then notifications should be displayed on the webUI with the text
+      | Password successfully changed |
     When the administrator logs out of the webUI
     And the user logs in with username "[email protected]" and password "newpassword" using the webUI
     Then the user should be redirected to a webUI page with the title "Files - %productname%"
@@ -139,17 +144,23 @@ Feature: Guests
     And user "[email protected]" logs in using the webUI
     Then the user should not have permission to upload or create files
 
-  @mailhog
-  Scenario: Guest user is able to upload or create files inside the received share(with change permission)
+  @mailhog @skipOnOcV10.3
+  Scenario Outline: Guest user is able to upload or create files inside the received share(with change permission)
     Given user "user0" has been created with default attributes and skeleton files
     And user "user0" has logged in using the webUI
-    When the user shares folder "simple-folder" with guest user with email "[email protected]" using the webUI
+    When the user shares folder "simple-folder" with guest user with email "<email-address>" using the webUI
     And the user logs out of the webUI
-    And guest user "[email protected]" registers with email "[email protected]" and sets password to "password" using the webUI
-    And user "[email protected]" logs in using the webUI
+    And guest user "<email-address>" registers with email "<email-address>" and sets password to "password" using the webUI
+    And user "<email-address>" logs in using the webUI
     And the user opens folder "simple-folder" using the webUI
     And the user uploads file "new-lorem.txt" using the webUI
     Then file "new-lorem.txt" should be listed on the webUI
+    And as "user0" file "/simple-folder/new-lorem.txt" should exist
+    Examples:
+      | email-address                  |
+      | guest@example.com              |
+      | John.Smith@email.com           |
+      | Betty_Anne+Bob-Burns@email.com |
 
   @mailhog
   Scenario: Guest user tries to upload or create files inside the received share(read only permission)