From d08623f53d7b94b0a22b9744783c93c28da25f84 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Thu, 21 Oct 2021 15:26:08 +0200
Subject: [PATCH] forbid empty password on user creation
---
 changelog/unreleased/empty-password-user.md | 5 +++++
 ocs/pkg/service/v0/users.go | 5 +++++
 tests/acceptance/expected-failures-API-on-OCIS-storage.md | 3 ---
 3 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 changelog/unreleased/empty-password-user.md
diff --git a/changelog/unreleased/empty-password-user.md b/changelog/unreleased/empty-password-user.md
new file mode 100644
index 00000000000..4ffd4ba8413
--- /dev/null
+++ b/changelog/unreleased/empty-password-user.md
@@ -0,0 +1,5 @@
+Bugfix: Don't allow empty password
+
+It was allowed to create users with empty or spaces-only password. This is fixed
+
+https://github.com/owncloud/product/issues/197
diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go
index 1445ab1d54d..89cf53eb438 100644
--- a/ocs/pkg/service/v0/users.go
+++ b/ocs/pkg/service/v0/users.go
@@ -179,6 +179,11 @@ func (o Ocs) AddUser(w http.ResponseWriter, r *http.Request) {
 return
 }
 }
+ if strings.TrimSpace(password) == "" {
+ mustNotFail(render.Render(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "empty password not allowed")))
+ o.logger.Error().Err(err).Str("userid", userid).Msg("empty password not allowed")
+ return
+ }
 
 // fallbacks
 /* TODO decide if we want to make these fallbacks. Keep in mind:
diff --git a/tests/acceptance/expected-failures-API-on-OCIS-storage.md b/tests/acceptance/expected-failures-API-on-OCIS-storage.md
index 9ee64f2f0b3..ccc62dd94c2 100644
--- a/tests/acceptance/expected-failures-API-on-OCIS-storage.md
+++ b/tests/acceptance/expected-failures-API-on-OCIS-storage.md
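Review bot: In the new empty-password branch of `ocs/pkg/service/v0/users.go`, the log call passes `.Err(err)` although this check produces no error. `err` is therefore whatever an earlier statement outside the hunk left behind (probably nil or unrelated), and the log entry will mislead whoever reads it. This is also a client-side validation failure answered with a bad-request status, so logging it at Error level lets repeated bad requests fill the error log; something like `o.logger.Debug().Str("userid", userid).Msg("empty password not allowed")` would fit better. The guard covers only AddUser; if another handler can set or change a password, which is not visible here, the same `strings.TrimSpace(password) == ""` check belongs there too. AddUser's body starts and ends outside the hunk.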
@@ -916,9 +916,6 @@ special character username not valid
 - [apiProvisioning-v2/addUser.feature:40](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L40)
 - [apiProvisioning-v2/addUser.feature:47](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L47)
 
-#### [Password can be set to empty](https://github.com/owncloud/product/issues/197)
-- [apiProvisioning-v2/addUser.feature:83](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L83)
-
 #### [Username is case sensitive](https://github.com/owncloud/ocis-accounts/issues/128)
 - [apiProvisioning-v2/addUser.feature:116](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L116)