Merge pull request #1176 from kenjis/add-group-validation-to-user-com…

…mand fix: add missing validation for group name to `shield:user addgroup`/`removegroup`
codeigniter4 · Aug 24, 2024 · 918051a · 918051a
2 parents 4482ec7 + c003977
commit 918051a
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/src/Commands/User.php b/src/Commands/User.php
@@ -603,6 +603,11 @@ private function addgroup($group = null, $username = null, $email = null): void
             $group = $this->prompt('Group', null, 'required');
         }
 
+        // Validate the group
+        if (! $this->validateGroup($group)) {
+            throw new CancelException('Invalid group: "' . $group . '"');
+        }
+
         $user = $this->findUser('Add user to group', $username, $email);
 
         $confirm = $this->prompt(
@@ -635,6 +640,11 @@ private function removegroup($group = null, $username = null, $email = null): vo
             $group = $this->prompt('Group', null, 'required');
         }
 
+        // Validate the group
+        if (! $this->validateGroup($group)) {
+            throw new CancelException('Invalid group: "' . $group . '"');
+        }
+
         $user = $this->findUser('Remove user from group', $username, $email);
 
         $confirm = $this->prompt(

diff --git a/tests/Commands/UserTest.php b/tests/Commands/UserTest.php
@@ -595,6 +595,24 @@ public function testAddgroup(): void
         $this->assertTrue($user->inGroup('admin'));
     }
 
+    public function testAddgroupWithInvalidGroup(): void
+    {
+        $this->createUser([
+            'username' => 'user10',
+            'email'    => 'user10@example.com',
+            'password' => 'secret123',
+        ]);
+
+        $this->setMockIo(['y']);
+
+        command('shield:user addgroup -n user10 -g invalid');
+
+        $this->assertStringContainsString(
+            'Invalid group: "invalid"',
+            $this->io->getLastOutput()
+        );
+    }
+
     public function testAddgroupCancel(): void
     {
         $this->createUser([
@@ -643,6 +661,32 @@ public function testRemovegroup(): void
         $this->assertFalse($user->inGroup('admin'));
     }
 
+    public function testRemovegroupWithInvalidGroup(): void
+    {
+        $this->createUser([
+            'username' => 'user11',
+            'email'    => 'user11@example.com',
+            'password' => 'secret123',
+        ]);
+        $users = model(UserModel::class);
+        $user  = $users->findByCredentials(['email' => 'user11@example.com']);
+        $user->addGroup('admin');
+        $this->assertTrue($user->inGroup('admin'));
+
+        $this->setMockIo(['y']);
+
+        command('shield:user removegroup -n user11 -g invalid');
+
+        $this->assertStringContainsString(
+            'Invalid group: "invalid"',
+            $this->io->getLastOutput()
+        );
+
+        $users = model(UserModel::class);
+        $user  = $users->findByCredentials(['email' => 'user11@example.com']);
+        $this->assertTrue($user->inGroup('admin'));
+    }
+
     public function testRemovegroupCancel(): void
     {
         $this->createUser([