Url decode role names.

5 years ago · 8c55c0c30d
3 changed files with 31 additions and 1 deletions
--- a/backend/src/Squidex.Web/UrlDecodeRouteParamsAttribute.cs
+++ b/backend/src/Squidex.Web/UrlDecodeRouteParamsAttribute.cs
@ -0,0 +1,27 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Linq;
+using System.Web;
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace Squidex.Web
+{
+    public class UrlDecodeRouteParamsAttribute : ActionFilterAttribute
+    {
+        public override void OnActionExecuting(ActionExecutingContext context)
+        {
+            foreach (var (key, value) in context.ActionArguments.ToList())
+            {
+                if (value is string text)
+                {
+                    context.ActionArguments[key] = HttpUtility.UrlDecode(text);
+                }
+            }
+        }
+    }
+}
--- a/backend/src/Squidex/Areas/Api/Controllers/Apps/AppRolesController.cs
+++ b/backend/src/Squidex/Areas/Api/Controllers/Apps/AppRolesController.cs
@ -123,6 +123,7 @@ namespace Squidex.Areas.Api.Controllers.Apps
        [ProducesResponseType(typeof(RolesDto), StatusCodes.Status200OK)]
        [ApiPermissionOrAnonymous(Permissions.AppRolesUpdate)]
        [ApiCosts(1)]
+        [UrlDecodeRouteParams]
        public async Task<IActionResult> PutRole(string app, string roleName, [FromBody] UpdateRoleDto request)
        {
            var command = request.ToCommand(roleName);
@ -147,6 +148,7 @@ namespace Squidex.Areas.Api.Controllers.Apps
        [ProducesResponseType(typeof(RolesDto), StatusCodes.Status200OK)]
        [ApiPermissionOrAnonymous(Permissions.AppRolesDelete)]
        [ApiCosts(1)]
+        [UrlDecodeRouteParams]
        public async Task<IActionResult> DeleteRole(string app, string roleName)
        {
            var command = new DeleteRole { Name = roleName };
--- a/backend/tools/TestSuite/TestSuite.ApiTests/AppTests.cs
+++ b/backend/tools/TestSuite/TestSuite.ApiTests/AppTests.cs
@ -185,7 +185,8 @@ namespace TestSuite.ApiTests
        [Fact]
        public async Task Should_manage_roles()
        {
-            var roleName = Guid.NewGuid().ToString();
+            // Use role name with hash to test previous bug.
+            var roleName = $"{Guid.NewGuid()}/1";
            var roleClient = Guid.NewGuid().ToString();
            var roleContributor1 = "role1@squidex.io";
            var roleContributor2 = "role2@squidex.io";