From 5097d02cc2c3b12c45f07f6d41662ed2463688eb Mon Sep 17 00:00:00 2001 From: Eldad Fux Date: Thu, 10 Sep 2020 11:29:59 +0300 Subject: [PATCH] Fixed param validation --- CHANGES.md | 1 + app/controllers/api/teams.php | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 6ae5135ef..44fd40aec 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -68,6 +68,7 @@ - Added option to force HTTPS connection to the Appwrite server (_APP_OPTIONS_FORCE_HTTPS) - Now using your `_APP_SYSTEM_EMAIL_ADDRESS` as the email address for issuing and renewing SSL certificates - Block iframe access to Appwrite console using the `X-Frame-Options` header. +- Fixed `roles` param input validator # Version 0.6.2 (PRE-RELEASE) diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php index b1a0d0abd..34701bb13 100644 --- a/app/controllers/api/teams.php +++ b/app/controllers/api/teams.php @@ -15,6 +15,7 @@ use Appwrite\Database\Document; use Appwrite\Database\Validator\UID; use Appwrite\Database\Validator\Authorization; use Appwrite\Database\Exception\Duplicate; +use Appwrite\Database\Validator\Key; use Appwrite\Template\Template; use Appwrite\Utopia\Response; @@ -27,7 +28,7 @@ App::post('/v1/teams') ->label('sdk.method', 'create') ->label('sdk.description', '/docs/references/teams/create-team.md') ->param('name', null, function () { return new Text(128); }, 'Team name. Max length: 128 chars.') - ->param('roles', ['owner'], function () { return new ArrayList(new Text(128)); }, 'Array of strings. Use this param to set the roles in the team for the user who created it. The default role is **owner**. A role can be any string. Learn more about [roles and permissions](/docs/permissions).', true) + ->param('roles', ['owner'], function () { return new ArrayList(new Key()); }, 'Array of strings. Use this param to set the roles in the team for the user who created it. The default role is **owner**. A role can be any string. Learn more about [roles and permissions](/docs/permissions). Max length for each role is 32 chars.', true) ->action(function ($name, $roles, $response, $user, $projectDB, $mode) { /** @var Utopia\Response $response */ /** @var Appwrite\Database\Document $user */ @@ -221,7 +222,7 @@ App::post('/v1/teams/:teamId/memberships') ->param('teamId', '', function () { return new UID(); }, 'Team unique ID.') ->param('email', '', function () { return new Email(); }, 'New team member email.') ->param('name', '', function () { return new Text(128); }, 'New team member name. Max length: 128 chars.', true) - ->param('roles', [], function () { return new ArrayList(new Text(128)); }, 'Array of strings. Use this param to set the user roles in the team. A role can be any string. Learn more about [roles and permissions](/docs/permissions).') + ->param('roles', [], function () { return new ArrayList(new Key()); }, 'Array of strings. Use this param to set the user roles in the team. A role can be any string. Learn more about [roles and permissions](/docs/permissions). Max length for each role is 32 chars.') ->param('url', '', function ($clients) { return new Host($clients); }, 'URL to redirect the user back to your app from the invitation email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients']) // TODO add our own built-in confirm page ->action(function ($teamId, $email, $name, $roles, $url, $response, $project, $user, $projectDB, $locale, $audits, $mails, $mode) { /** @var Utopia\Response $response */