[full-ci] Bugfix: Disallow creation of a group with empty name via the OCS api

changelog/unreleased/fix-create-group-without-name.md

@@ -0,0 +1,10 @@
+Bugfix: Disallow creation of a group with empty name via the OCS api
+
+We've fixed the behavior for group creation on the OCS api, where it was
+possible to create a group with an empty name. This was is not possible
+on oC10 and is therefore also forbidden on oCIS to keep compatibility.
+This PR forbids the creation and also ensures the correct status code
+for both OCS v1 and OCS v2 apis.
+
+https://github.com/owncloud/ocis/pull/2825
+https://github.com/owncloud/ocis/issues/2823

ocs/pkg/service/v0/groups.go

@@ -272,11 +272,27 @@ func (o Ocs) ListGroups(w http.ResponseWriter, r *http.Request) {
 }
 
 // AddGroup adds a group
+// oC10 implementation: https://github.com/owncloud/core/blob/762780a23c9eadda4fb5fa8db99eba66a5100b6e/apps/provisioning_api/lib/Groups.php#L126-L154
 func (o Ocs) AddGroup(w http.ResponseWriter, r *http.Request) {
 	groupid := r.PostFormValue("groupid")
 	displayname := r.PostFormValue("displayname")
 	gid := r.PostFormValue("gidnumber")
 
+	if displayname == "" && groupid == "" {
+		code := data.MetaFailure.StatusCode // v1
+		if response.APIVersion(r.Context()) == "2" {
+			code = data.MetaBadRequest.StatusCode
+		}
+		render.Render(w, r, response.ErrRender(code, "No groupid or display name provided"))
+		return
+	}
+
+	if displayname == "" {
+		// oC10 OCS does not know about a group displayname
+		// therefore we fall back to the oC10 parameter groupid (which is the groupname in the oC10 world)
+		displayname = groupid
+	}
+
 	var gidNumber int64
 	var err error
 
@@ -289,10 +305,6 @@ func (o Ocs) AddGroup(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if displayname == "" {
-		displayname = groupid
-	}
-
 	newGroup := &accounts.Group{
 		Id:                       groupid,
 		DisplayName:              displayname,

tests/acceptance/expected-failures-API-on-OCIS-storage.md

@@ -983,10 +983,6 @@ _ocs: api compatibility, return correct status code_
 -   [apiProvisioningGroups-v1/addGroup.feature:134](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioningGroups-v1/addGroup.feature#L134)
 -   [apiProvisioningGroups-v2/addGroup.feature:129](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioningGroups-v2/addGroup.feature#L129)
 
-#### [creating a group with empty name doesn't give an error](https://github.com/owncloud/ocis/issues/2823)
--   [apiProvisioningGroups-v1/addGroup.feature:181](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioningGroups-v1/addGroup.feature#L181)
--   [apiProvisioningGroups-v2/addGroup.feature:177](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioningGroups-v2/addGroup.feature#L177)
-
 #### [cannot create group with '/'](https://github.com/owncloud/product/issues/285)
 -   [apiProvisioningGroups-v1/addToGroup.feature:82](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioningGroups-v1/addToGroup.feature#L82)
 -   [apiProvisioningGroups-v1/deleteGroup.feature:85](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioningGroups-v1/deleteGroup.feature#L85)