This is an automated email from the ASF dual-hosted git repository. jfthomps pushed a commit to branch vcl-2.5.1-bugfixes in repository https://gitbox.apache.org/repos/asf/vcl.git
commit 408c587aab05b19391e8a41fb0b1174f1cf9b043 Author: Josh Thompson <[email protected]> AuthorDate: Mon Mar 10 12:42:37 2025 -0400 blockallocations.php: modified processBlockAllocationInput: reworked flow of validation of owner of submitted block allocation privileges.php: modified userLookup: modified regular expression to validate submitted userid --- web/.ht-inc/blockallocations.php | 16 +++++++++++----- web/.ht-inc/privileges.php | 9 +++++++++ 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/web/.ht-inc/blockallocations.php b/web/.ht-inc/blockallocations.php
index ed0fffa4..756ea454 100644
--- a/web/.ht-inc/blockallocations.php
+++ b/web/.ht-inc/blockallocations.php
@@ -3086,12 +3086,18 @@ function processBlockAllocationInput() {
 $errmsg = i("The submitted image is invalid.");
 $err = 1;
 }
- if(! $err && $method != 'request' && ! validateUserid($return['owner'])) {
- $errmsg = i("The submitted owner is invalid.");
- $err = 1;
+ if(! $err) {
+ if($method == 'new' || $method == 'edit') {
+ if(! validateUserid($return['owner'])) {
+ $errmsg = i("The submitted owner is invalid.");
+ $err = 1;
+ }
+ else
+ $return['ownerid'] = getUserlistID($return['owner']);
+ }
+ else
+ $return['owner'] = '';
 }
- else
- $return['ownerid'] = getUserlistID($return['owner']);
 $groups = getUserGroups(0, $user['affiliationid']);
 $extragroups = getContinuationVar('extragroups');
 if(! $err && ! array_key_exists($return['groupid'], $groups) &&
diff --git a/web/.ht-inc/privileges.php b/web/.ht-inc/privileges.php
index 714b910d..878c9b46 100644
--- a/web/.ht-inc/privileges.php
+++ b/web/.ht-inc/privileges.php
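Review bot: The new `else` branch for any `$method` other than `new`/`edit` blanks `$return['owner']` but never assigns `$return['ownerid']`, while the `new`/`edit` branch always does; any later read of `$return['ownerid']` on the `request` path (or an unexpected `$method` value) is an undefined index. Keeping the array shape uniform avoids that, e.g. `else { $return['owner'] = ''; $return['ownerid'] = 0; }` — confirm against the downstream consumers, which are outside this hunk. Note also that an unrecognised `$method` now silently takes the "no owner" path rather than being rejected; if only `new`, `edit` and `request` are legal, an explicit error for anything else would be safer. processBlockAllocationInput() starts and ends outside the hunk.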
@@ -1464,6 +1464,11 @@ function AJrevertMoveNode() {
 function userLookup() {
 global $user;
 $userid = processInputVar("userid", ARG_STRING);
+ $showerror = 0;
+ if(! preg_match('/^[-a-zA-Z0-9@_ \'\+\.,]{0,100}$/', $userid)) {
+ $userid = '';
+ $showerror = 1;
+ }
 if(get_magic_quotes_gpc())
 $userid = stripslashes($userid);
 $affilid = processInputVar('affiliationid', ARG_NUMERIC, $user['affiliationid']);
@@ -1496,6 +1501,10 @@ function userLookup() {
 $cont = addContinuationsEntry('submitUserLookup');
 print "<INPUT type=hidden name=continuation value=\"$cont\">\n";
 print "</FORM><br>\n";
+ if($showerror) {
+ print "<font color=red>User not found</font><br>\n";
+ return;
+ }
 if(! empty($userid)) {
 $esc_userid = vcl_mysql_escape_string($userid);
 if(preg_match('/,/', $userid)) {
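Review bot: The allow-list check runs before the `stripslashes()` call that follows it, so on a host with `magic_quotes_gpc` enabled a userid containing an apostrophe arrives as `\'`, fails the pattern (backslash is not in the class) and is blanked, even though `'` is deliberately permitted; move the `preg_match` below the `if(get_magic_quotes_gpc())` block so both configurations validate the same string. Separately, `$` in PCRE matches before a trailing newline, so `alice\n` passes this check; anchor with `\z` or add the `D` modifier, e.g. `'/^[-a-zA-Z0-9@_ \'\+\.,]{0,100}\z/'`. The value is still passed through `vcl_mysql_escape_string()` further down before use, so this filter is defence in depth rather than the only barrier against the permitted `'` and `,`. userLookup() continues past the hunk.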
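Review bot: The message printed when `$showerror` is set says "User not found", but this branch is reached only when the submitted userid failed the character allow-list earlier in the function, not when a lookup returned nothing, so the user gets no hint that the input itself was rejected. The literal is also not wrapped in `i()` the way the other user-facing strings in this commit are (`i("The submitted owner is invalid.")` in blockallocations.php); assuming `i()` is in scope here as well, `print "<font color=red>" . i("The submitted userid is invalid.") . "</font><br>\n";` would be consistent. Not echoing the rejected value back into the page is the right call and should stay that way. userLookup() continues after the hunk.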
