Getting basic regex in place to make sure role names can be IDs.

2024-07-11 01:06:04 +12:00 · 2023-06-21 17:08:54 +01:00 · 2023-06-21 17:08:54 +01:00 · 45120c60ba
parent e0debf8d25
commit 45120c60ba
2 changed files with 19 additions and 6 deletions
--- a/packages/builder/src/components/backend/DataTable/modals/EditRoles.svelte
+++ b/packages/builder/src/components/backend/DataTable/modals/EditRoles.svelte
@ -12,15 +12,14 @@
  let selectedRole = BASE_ROLE
  let errors = []
  let builtInRoles = ["Admin", "Power", "Basic", "Public"]
+  let validRegex = /^[a-zA-Z0-9_]*$/
  // Don't allow editing of public role
  $: editableRoles = $roles.filter(role => role._id !== "PUBLIC")
  $: selectedRoleId = selectedRole._id
  $: otherRoles = editableRoles.filter(role => role._id !== selectedRoleId)
  $: isCreating = selectedRoleId == null || selectedRoleId === ""

-  $: hasUniqueRoleName = !otherRoles
-    ?.map(role => role.name)
-    ?.includes(selectedRole.name)
+  $: roleNameError = getRoleNameError(selectedRole.name)

  $: valid =
    selectedRole.name &&
@ -101,6 +100,20 @@
    }
  }

+  const getRoleNameError = name => {
+    const hasUniqueRoleName = !otherRoles
+      ?.map(role => role.name)
+      ?.includes(name)
+    const invalidRoleName = !validRegex.test(name)
+    if (!hasUniqueRoleName) {
+      return "Select a unique role name."
+    } else if (invalidRoleName) {
+      return "Please enter a role name consisting of only alphanumeric symbols and underscores"
+    } else {
+      return null
+    }
+  }
+
  onMount(fetchBasePermissions)
 </script>

@ -108,7 +121,7 @@
  title="Edit Roles"
  confirmText={isCreating ? "Create" : "Save"}
  onConfirm={saveRole}
-  disabled={!valid || !hasUniqueRoleName}
+  disabled={!valid || roleNameError}
 >
  {#if errors.length}
    <ErrorsBox {errors} />
@ -129,7 +142,7 @@
      label="Name"
      bind:value={selectedRole.name}
      disabled={shouldDisableRoleInput}
-      error={!hasUniqueRoleName ? "Select a unique role name." : null}
+      error={roleNameError}
    />
    <Select
      label="Inherits Role"
--- a/packages/server/src/api/routes/utils/validators.ts
+++ b/packages/server/src/api/routes/utils/validators.ts
@ -134,7 +134,7 @@ export function roleValidator() {
  return auth.joiValidator.body(Joi.object({
    _id: OPTIONAL_STRING,
    _rev: OPTIONAL_STRING,
-    name: Joi.string().required(),
+    name: Joi.string().regex(/^[a-zA-Z0-9_]*$/).required(),
    // this is the base permission ID (for now a built in)
    permissionId: Joi.string().valid(...Object.values(permissions.BuiltinPermissionID)).required(),
    permissions: Joi.object()