filter out unallowed fields in changes

Signed-off-by: Christian Richter <crichter@owncloud.com>
owncloud · Nov 14, 2023 · 03eeb54 · 03eeb54
1 parent ebde54e
commit 03eeb54
Showing 1 changed file with 29 additions and 11 deletions.
diff --git a/services/graph/pkg/service/v0/users.go b/services/graph/pkg/service/v0/users.go
@@ -649,7 +649,15 @@ func (g Graph) PatchMe(w http.ResponseWriter, r *http.Request) {
 		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "missing user id")
 		return
 	}
-	g.patchUser(w, r, userID)
+	changes := libregraph.NewUser()
+	err := StrictJSONUnmarshal(r.Body, changes)
+	if err != nil {
+		logger.Debug().Err(err).Interface("body", r.Body).Msg("could not update user: invalid request body")
+		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest,
+			fmt.Sprintf("invalid request body: %s", err.Error()))
+		return
+	}
+	g.patchUser(w, r, userID, changes)
 }
 
 // PatchUser implements the Service Interface. Updates the specified attributes of an
@@ -663,10 +671,28 @@ func (g Graph) PatchUser(w http.ResponseWriter, r *http.Request) {
 		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "unescaping user id failed")
 		return
 	}
-	g.patchUser(w, r, nameOrID)
+	changes := libregraph.NewUser()
+	err = StrictJSONUnmarshal(r.Body, changes)
+	if err != nil {
+		logger.Debug().Err(err).Interface("body", r.Body).Msg("could not update user: invalid request body")
+		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest,
+			fmt.Sprintf("invalid request body: %s", err.Error()))
+		return
+	}
+	if _, ok := changes.GetDisplayNameOk(); ok {
+		logger.Info().Interface("user", changes).Msg("could not update user: user is not allowed to change own displayname")
+		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "user is not allowed to change own displayname")
+		return
+	}
+	if _, ok := changes.GetMailOk(); ok {
+		logger.Info().Interface("user", changes).Msg("could not update user: user is not allowed to change own mail")
+		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "user is not allowed to change own mail")
+		return
+	}
+	g.patchUser(w, r, nameOrID, changes)
 }
 
-func (g Graph) patchUser(w http.ResponseWriter, r *http.Request, nameOrID string) {
+func (g Graph) patchUser(w http.ResponseWriter, r *http.Request, nameOrID string, changes *libregraph.User) {
 	logger := g.logger.SubloggerWithRequestID(r.Context())
 	logger.Debug().Msg("calling patch user")
 
@@ -691,14 +717,6 @@ func (g Graph) patchUser(w http.ResponseWriter, r *http.Request, nameOrID string
 		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "missing user id")
 		return
 	}
-	changes := libregraph.NewUser()
-	err = StrictJSONUnmarshal(r.Body, changes)
-	if err != nil {
-		logger.Debug().Err(err).Interface("body", r.Body).Msg("could not update user: invalid request body")
-		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest,
-			fmt.Sprintf("invalid request body: %s", err.Error()))
-		return
-	}
 
 	if reflect.ValueOf(*changes).IsZero() {
 		logger.Debug().Interface("body", r.Body).Msg("ignoring empty request body")