Merge pull request #8581 from concourse/fix-team-name-overwritten-6-7

fix team_name overwritten bug
concourse · Oct 5, 2022 · ba88583 · ba88583
2 parents a017ce9 + 53753f8
commit ba88583
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 10 deletions.
diff --git a/atc/api/auth/check_pipeline_access_handler.go b/atc/api/auth/check_pipeline_access_handler.go
@@ -42,8 +42,8 @@ type checkPipelineAccessHandler struct {
 }
 
 func (h checkPipelineAccessHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	teamName := r.FormValue(":team_name")
-	pipelineName := r.FormValue(":pipeline_name")
+	teamName := r.URL.Query().Get(":team_name")
+	pipelineName := r.URL.Query().Get(":pipeline_name")
 
 	team, found, err := h.teamFactory.FindTeam(teamName)
 	if err != nil {

diff --git a/atc/api/pipelineserver/reject_archived_handler_factory.go b/atc/api/pipelineserver/reject_archived_handler_factory.go
@@ -29,8 +29,8 @@ type RejectArchivedHandler struct {
 }
 
 func (ra RejectArchivedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	teamName := r.FormValue(":team_name")
-	pipelineName := r.FormValue(":pipeline_name")
+	teamName := r.URL.Query().Get(":team_name")
+	pipelineName := r.URL.Query().Get(":pipeline_name")
 
 	team, found, err := ra.teamFactory.FindTeam(teamName)
 	if err != nil {

diff --git a/atc/api/pipelineserver/scoped_handler_factory.go b/atc/api/pipelineserver/scoped_handler_factory.go
@@ -21,8 +21,8 @@ func NewScopedHandlerFactory(
 
 func (pdbh *ScopedHandlerFactory) HandlerFor(pipelineScopedHandler func(db.Pipeline) http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		teamName := r.FormValue(":team_name")
-		pipelineName := r.FormValue(":pipeline_name")
+		teamName := r.URL.Query().Get(":team_name")
+		pipelineName := r.URL.Query().Get(":pipeline_name")
 
 		pipeline, ok := r.Context().Value(auth.PipelineContextKey).(db.Pipeline)
 		if !ok {

diff --git a/atc/api/pipelineserver/scoped_handler_factory_test.go b/atc/api/pipelineserver/scoped_handler_factory_test.go
@@ -5,6 +5,8 @@ import (
 	"errors"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
+	"strings"
 
 	"github.com/concourse/concourse/atc/api/auth"
 	"github.com/concourse/concourse/atc/api/pipelineserver"
@@ -107,6 +109,28 @@ var _ = Describe("Handler", func() {
 				Expect(dbTeamFactory.FindTeamArgsForCall(0)).To(Equal("some-team"))
 			})
 
+			Context("when the request has team name in body with content-type application/x-www-form-urlencoded", func() {
+				JustBeforeEach(func() {
+					body := url.Values{
+						":team_name": {"some-other-team"},
+					}
+
+					request, err := http.NewRequest("POST", server.URL+"?:team_name=some-team&:pipeline_name=some-pipeline", strings.NewReader(body.Encode()))
+					Expect(err).NotTo(HaveOccurred())
+
+					request.Header.Add("Content-type", "application/x-www-form-urlencoded")
+
+					response, err = new(http.Client).Do(request)
+					Expect(err).NotTo(HaveOccurred())
+				})
+
+				It("looks up the team by the team name in URL", func() {
+					Expect(dbTeamFactory.FindTeamCallCount()).To(Equal(2))
+					Expect(dbTeamFactory.FindTeamArgsForCall(1)).To(Equal("some-team"))
+
+				})
+			})
+
 			Context("when the pipeline exists", func() {
 				BeforeEach(func() {
 					fakePipeline.NameReturns("some-pipeline")

diff --git a/atc/api/policychecker/checker.go b/atc/api/policychecker/checker.go
@@ -47,7 +47,7 @@ func (c *checker) Check(action string, acc accessor.Access, req *http.Request) (
 		return policy.PassedPolicyCheck(), nil
 	}
 
-	team := req.FormValue(":team_name")
+	team := req.URL.Query().Get(":team_name")
 	input := policy.PolicyCheckInput{
 		HttpMethod: req.Method,
 		Action:     action,

diff --git a/atc/api/policychecker/checker_test.go b/atc/api/policychecker/checker_test.go
@@ -148,7 +148,7 @@ var _ = Describe("PolicyChecker", func() {
 			Context("when every is ok", func() {
 				BeforeEach(func() {
 					fakeAccess.TeamRolesReturns(map[string][]string{
-						"some-team": []string{"some-role"},
+						"some-team": {"some-role"},
 					})
 					fakeAccess.ClaimsReturns(accessor.Claims{UserName: "some-user"})
 					body := bytes.NewBuffer([]byte("a: b"))

diff --git a/atc/api/team_scoped_handler_factory.go b/atc/api/team_scoped_handler_factory.go
@@ -30,7 +30,7 @@ func (f *TeamScopedHandlerFactory) HandlerFor(teamScopedHandler func(db.Team) ht
 		logger := f.logger.Session("team-scoped-handler")
 		acc := accessor.GetAccessor(r)
 
-		teamName := r.FormValue(":team_name")
+		teamName := r.URL.Query().Get(":team_name")
 
 		if acc.IsAuthorized(teamName) {
 			team, found, err := f.teamFactory.FindTeam(teamName)

diff --git a/atc/api/teamserver/set.go b/atc/api/teamserver/set.go
@@ -24,7 +24,7 @@ func (s *Server) SetTeam(w http.ResponseWriter, r *http.Request) {
 
 	acc := accessor.GetAccessor(r)
 
-	teamName := r.FormValue(":team_name")
+	teamName := r.URL.Query().Get(":team_name")
 
 	var atcTeam atc.Team
 	err := json.NewDecoder(r.Body).Decode(&atcTeam)