From 3799945e3ff5b4aac1d15acdd42d04ffe9cdef4e Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Fri, 26 Nov 2021 12:06:12 +0100
Subject: [PATCH] disallow creation of a group with empty name via the OCS api
---
 .../fix-create-group-without-name.md | 10 ++++++++++
 ocs/pkg/service/v0/groups.go | 20 +++++++++++++++----
 2 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 changelog/unreleased/fix-create-group-without-name.md
diff --git a/changelog/unreleased/fix-create-group-without-name.md b/changelog/unreleased/fix-create-group-without-name.md
new file mode 100644
index 00000000000..abd2eb6aafa
--- /dev/null
+++ b/changelog/unreleased/fix-create-group-without-name.md
@@ -0,0 +1,10 @@
+Bugfix: Disallow creation of a group with empty name via the OCS api
+
+We've fixed the behavior for group creation on the OCS api, where it was
+possible to create a group with an empty name. This was is not possible
+on oC10 and is therefore also forbidden on oCIS to keep compatibility.
+This PR forbids the creation and also ensures the correct status codef
+or both OCS v1 and OCS v2 apis.
+
+https://github.com/owncloud/ocis/pull/2825
+https://github.com/owncloud/ocis/issues/2823
diff --git a/ocs/pkg/service/v0/groups.go b/ocs/pkg/service/v0/groups.go
index e98e29117d5..84766a23323 100644
--- a/ocs/pkg/service/v0/groups.go
+++ b/ocs/pkg/service/v0/groups.go
@@ -272,11 +272,27 @@ func (o Ocs) ListGroups(w http.ResponseWriter, r *http.Request) {
 }
 
 // AddGroup adds a group
+// oC10 implementation: https://github.com/owncloud/core/blob/762780a23c9eadda4fb5fa8db99eba66a5100b6e/apps/provisioning_api/lib/Groups.php#L126-L154
 func (o Ocs) AddGroup(w http.ResponseWriter, r *http.Request) {
 groupid := r.PostFormValue("groupid")
 displayname := r.PostFormValue("displayname")
 gid := r.PostFormValue("gidnumber")
 
+ if displayname == "" && groupid == "" {
+ code := data.MetaFailure.StatusCode // v1
+ if response.APIVersion(r.Context()) == "2" {
+ code = data.MetaBadRequest.StatusCode
+ }
+ mustNotFail(render.Render(w, r, response.ErrRender(code, "No groupid or display name provided")))
+ return
+ }
+
+ if displayname == "" {
+ // oC10 OCS does not know about a group displayname
+ // therefore we fall back to the oC10 parameter groupid (which is the groupname in the oC10 world)
+ displayname = groupid
+ }
+
 var gidNumber int64
 var err error
 
@@ -289,10 +305,6 @@ func (o Ocs) AddGroup(w http.ResponseWriter, r *http.Request) {
 }
 }
 
- if displayname == "" {
- displayname = groupid
- }
-
 newGroup := &accounts.Group{
 Id: groupid,
 DisplayName: displayname,
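Review bot: The new guard in AddGroup compares the raw form values with `""`, so a `groupid` or `displayname` made up only of whitespace still passes and the group is created with a name that displays as empty. Trimming both values before the check, e.g. `groupid = strings.TrimSpace(groupid)` and `displayname = strings.TrimSpace(displayname)`, would cover that case; it needs the `strings` import, which is not visible in this hunk. The guard also lets through a request that sets `displayname` but no `groupid`, which then reaches `Id: groupid` in the second hunk with an empty id. Whether the accounts service assigns an id in that case cannot be seen from here, so a short comment such as `// empty Id: accounts service generates one (confirm)` above the struct literal would help. AddGroup's body continues outside both hunks.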