disallow creation of a group with empty name via the OCS api

changelog/unreleased/fix-create-group-without-name.md

@@ -0,0 +1,10 @@
+Bugfix: Disallow creation of a group with empty name via the OCS api
+
+We've fixed the behavior for group creation on the OCS api, where it was
+possible to create a group with an empty name. This was is not possible
+on oC10 and is therefore also forbidden on oCIS to keep compatibility.
+This PR forbids the creation and also ensures the correct status codef
+or both OCS v1 and OCS v2 apis.
+
+https://github.com/owncloud/ocis/pull/2825
+https://github.com/owncloud/ocis/issues/2823

ocs/pkg/service/v0/groups.go

@@ -272,11 +272,27 @@ func (o Ocs) ListGroups(w http.ResponseWriter, r *http.Request) {
 }
 
 // AddGroup adds a group
+// oC10 implementation: https://github.com/owncloud/core/blob/762780a23c9eadda4fb5fa8db99eba66a5100b6e/apps/provisioning_api/lib/Groups.php#L126-L154
 func (o Ocs) AddGroup(w http.ResponseWriter, r *http.Request) {
 	groupid := r.PostFormValue("groupid")
 	displayname := r.PostFormValue("displayname")
 	gid := r.PostFormValue("gidnumber")
 
+	if displayname == "" && groupid == "" {
+		code := data.MetaFailure.StatusCode // v1
+		if response.APIVersion(r.Context()) == "2" {
+			code = data.MetaBadRequest.StatusCode
+		}
+		mustNotFail(render.Render(w, r, response.ErrRender(code, "No groupid or display name provided")))
+		return
+	}
+
+	if displayname == "" {
+		// oC10 OCS does not know about a group displayname
+		// therefore we fall back to the oC10 parameter groupid (which is the groupname in the oC10 world)
+		displayname = groupid
+	}
+
 	var gidNumber int64
 	var err error
 
@@ -289,10 +305,6 @@ func (o Ocs) AddGroup(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if displayname == "" {
-		displayname = groupid
-	}
-
 	newGroup := &accounts.Group{
 		Id:                       groupid,
 		DisplayName:              displayname,