diff --git a/rdiffweb/controller/page_admin_users.py b/rdiffweb/controller/page_admin_users.py
index 662059dc..b6d4e72d 100644
--- a/rdiffweb/controller/page_admin_users.py
+++ b/rdiffweb/controller/page_admin_users.py
@@ -76,7 +76,13 @@ class UserForm(CherryForm):
 validators.length(max=256, message=_('Username too long.')),
 ],
 )
- fullname = StringField(_('Fullname'), validators=[validators.optional()])
+ fullname = StringField(
+ _('Fullname'),
+ validators=[
+ validators.optional(),
+ validators.length(max=256, message=_('Fullname too long.')),
+ ],
+ )
 email = EmailField(
 _('Email'),
 validators=[
diff --git a/rdiffweb/controller/page_pref_general.py b/rdiffweb/controller/page_pref_general.py
index 05f003d8..fee69500 100644
--- a/rdiffweb/controller/page_pref_general.py
+++ b/rdiffweb/controller/page_pref_general.py
@@ -25,7 +25,7 @@ import cherrypy
 from wtforms.fields import HiddenField, PasswordField, StringField, SubmitField
 from wtforms.fields.html5 import EmailField
-from wtforms.validators import DataRequired, EqualTo, InputRequired, Length, Regexp
+from wtforms.validators import DataRequired, EqualTo, InputRequired, Length, Optional, Regexp
 from rdiffweb.controller import Controller, flash
 from rdiffweb.controller.form import CherryForm
@@ -40,7 +40,13 @@ class UserProfileForm(CherryForm):
 action = HiddenField(default='set_profile_info')
 username = StringField(_('Username'), render_kw={'readonly': True})
- fullname = StringField(_('Fullname'))
+ fullname = StringField(
+ _('Fullname'),
+ validators=[
+ Optional(),
+ Length(max=256, message=_('Fullname too long.')),
+ ],
+ )
 email = EmailField(
 _('Email'),
 validators=[
diff --git a/rdiffweb/controller/page_pref_tokens.py b/rdiffweb/controller/page_pref_tokens.py
index a1931d22..f961587e 100644
--- a/rdiffweb/controller/page_pref_tokens.py
+++ b/rdiffweb/controller/page_pref_tokens.py
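Review bot: `validators.length(max=256, ...)` on `fullname` bounds the number of characters (`len()` of the submitted string), not its encoded size, so a 256-character name made of multibyte characters can still exceed a column declared as 256 bytes; confirm the fullname column is sized in characters, or wider than 256 bytes, before treating this validator as the storage guard. The same applies to the matching `Length(max=256)` added to UserProfileForm in page_pref_general.py and to the token name in TokenForm in page_pref_tokens.py. A short comment beside each validator, such as `# 256 counts code points; keep in sync with the column width`, would record that coupling for the next maintainer. UserForm's class body continues outside the hunk.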
@@ -20,7 +20,7 @@ import cherrypy
 from wtforms.fields import DateField, HiddenField, StringField, SubmitField
-from wtforms.validators import DataRequired, Optional
+from wtforms.validators import DataRequired, Length, Optional
 from rdiffweb.controller import Controller, flash
 from rdiffweb.controller.filter_authorization import is_maintainer
@@ -38,7 +38,10 @@ class TokenForm(CherryForm):
 description=_(
 'Used only to identify the purpose of the token. For example, the application that uses the token.'
 ),
- validators=[DataRequired()],
+ validators=[
+ DataRequired(),
+ Length(max=256, message=_('Token name too long')),
+ ],
 )
 expiration = DateField(
 _('Expiration date'),
diff --git a/rdiffweb/controller/tests/test_page_admin_users.py b/rdiffweb/controller/tests/test_page_admin_users.py
index 18edefa6..c35b9c48 100644
--- a/rdiffweb/controller/tests/test_page_admin_users.py
+++ b/rdiffweb/controller/tests/test_page_admin_users.py
@@ -58,7 +58,7 @@ def _store_quota(self, userobj, value):
 def _load_quota(self, userobj):
 return self._quota.get(userobj.username, 0)
- def _add_user(self, username=None, email=None, password=None, user_root=None, role=None, mfa=None):
+ def _add_user(self, username=None, email=None, password=None, user_root=None, role=None, mfa=None, fullname=None):
 b = {}
 b['action'] = 'add'
 if username is not None:
@@ -73,6 +73,8 @@ def _add_user(self, username=None, email=None, password=None, user_root=None, ro
 b['role'] = str(role)
 if mfa is not None:
 b['mfa'] = str(mfa)
+ if fullname is not None:
+ b['fullname'] = str(fullname)
 self.getPage("/admin/users/", method='POST', body=b)
 def _edit_user(
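Review bot: The new message `_('Token name too long')` in TokenForm has no trailing period, while the two fullname messages introduced by the same commit end with one (`'Fullname too long.'`), so the three new length errors render inconsistently in the UI. Changing it to `Length(max=256, message=_('Token name too long.'))` aligns the style and should keep the new test passing, since that test asserts only the substring `'Token name too long'` (assuming assertInBody is a substring check). TokenForm's class body starts and ends outside the hunk.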
@@ -275,6 +277,15 @@ def test_add_with_user_root_too_long(self):
 self.assertStatus(200)
 self.assertInBody("Root directory too long.")
+ def test_add_with_fullname_too_long(self):
+ # Given a too long user root
+ fullname = "fullname" * 50
+ # When trying to create the user
+ self._add_user("test2", "test@test,com", "password", "/tmp/", UserObject.USER_ROLE, fullname=fullname)
+ # Then an error is raised
+ self.assertStatus(200)
+ self.assertInBody("Fullname too long.")
+
 def test_delete_user_with_not_existing_username(self):
 """
 Verify failure to delete invalid username.
diff --git a/rdiffweb/controller/tests/test_page_prefs_general.py b/rdiffweb/controller/tests/test_page_prefs_general.py
index 14885f78..d6e1b2fa 100644
--- a/rdiffweb/controller/tests/test_page_prefs_general.py
+++ b/rdiffweb/controller/tests/test_page_prefs_general.py
@@ -109,6 +109,18 @@ def test_change_fullname_method_get(self):
 user = UserObject.query.filter(UserObject.username == self.USERNAME).first()
 self.assertEqual("", user.fullname)
+ def test_change_fullname_too_long(self):
+ # Given an authenticated user
+ # When update the fullname
+ self._set_profile_info("test@test.com", "Fullname" * 50)
+ # Then page return with error message
+ self.assertStatus(200)
+ self.assertNotInBody("Profile updated successfully.")
+ self.assertInBody("Fullname too long.")
+ # Then database is not updated
+ user = UserObject.query.filter(UserObject.username == self.USERNAME).first()
+ self.assertEqual("", user.fullname)
+
 def test_change_email(self):
 self._set_profile_info("test@test.com")
 self.assertStatus(200)
diff --git a/rdiffweb/controller/tests/test_page_prefs_tokens.py b/rdiffweb/controller/tests/test_page_prefs_tokens.py
index 48fc573c..5f7e24b1 100644
--- a/rdiffweb/controller/tests/test_page_prefs_tokens.py
+++ b/rdiffweb/controller/tests/test_page_prefs_tokens.py
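Review bot: `test_add_with_fullname_too_long` submits `"test@test,com"` (comma instead of dot) as the email, which the form's email validator will most likely reject as well, so the test no longer demonstrates that the fullname length alone blocks user creation; use `"test@test.com"` as the other tests on the page do. The comment `# Given a too long user root` is carried over from the previous test and should read `# Given a too long fullname`. Unlike the prefs test in the same commit, this test never checks that the rejected user was not persisted; a final `self.assertIsNone(UserObject.query.filter(UserObject.username == "test2").first())` would close that gap.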
@@ -78,6 +78,19 @@ def test_add_access_token_without_name(self):
 # Then access token is not created
 self.assertEqual(0, Token.query.filter(Token.userid == userobj.userid, Token.name == 'test-token-name').count())
+ def test_add_access_token_with_name_too_long(self):
+ # Given an existing user
+ # When adding a new access token with name too long.
+ self.getPage(
+ "/prefs/tokens",
+ method='POST',
+ body={'action': 'add_access_token', 'name': 'token' * 52, 'expiration_time': ''},
+ )
+ # Then page return with error message
+ self.assertStatus(200)
+ # Then token name get displayed in the view
+ self.assertInBody('Token name too long')
+
 def test_delete_access_token(self):
 # Given an existing user with access_token
 userobj = UserObject.get_user(self.USERNAME)
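Review bot: `test_add_access_token_with_name_too_long` only asserts the error text and never verifies that no token was stored, whereas `test_add_access_token_without_name` directly above it counts rows in `Token.query`; fetch `userobj = UserObject.get_user(self.USERNAME)` before the POST and end with `self.assertEqual(0, Token.query.filter(Token.userid == userobj.userid, Token.name == 'token' * 52).count())` so the test pins the security-relevant outcome, not just the message. The comment `# Then token name get displayed in the view` describes the wrong thing, since it is the validation error that is shown; `# Then the error message is displayed in the view` matches the assertion beneath it.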