Custom Field Validation Not Enforced in Users-Permissions Plugin #22196

Open
armespavong opened this issue Nov 18, 2024 · 0 comments
Labels

  • issue: bug (Issue reporting a bug)
  • severity: medium (If it breaks the basic use of the product but can be worked around)
  • source: plugin:users-permissions (Source is plugin/users-permissions package)
  • status: pending reproduction (Waiting for free time to reproduce the issue, or more information)
  • version: 5

Comments

@armespavong

Bug report

Required System information

  • Node.js version: v20.14.0
  • NPM version: 10.7.0
  • Strapi version: 5.4.0
  • Database: mysql
  • Operating system: darwin-arm64
  • Is your project Javascript or Typescript: Typescript

Describe the bug

The issue occurs in the users-permissions plugin/extension.
I have added a custom field to the user model and configured it as both required and unique. However, when I make a POST request to create or register a user:

  • If the custom field is missing from the request body, the request is still processed successfully.
  • If the custom field value duplicates an existing value in the database, the request is also allowed, violating the unique constraint.

Steps to reproduce the behavior

  1. Go to the users-permissions plugin and add a custom field to the user model.
  2. Set the field to be required and unique in the content-type settings.
  3. Use a POST request to register a new user via the /auth/local/register endpoint.
    • Test with the custom field unset.
    • Test with a duplicate value for the custom field.
  4. Observe the request results.

Expected behavior

  • If the custom field is missing from the request body, the API should return a validation error.
  • If the custom field value duplicates an existing value in the database, the API should reject the request with a unique constraint violation error.

Screenshots

Screenshot Capture - 2024-11-18 - 22-32-28
Screenshot Capture - 2024-11-18 - 22-23-29
Screenshot 2567-11-18 at 22 25 54

Code snippets

POST /auth/local/register

Duplicate Value

{ "username": "testuser", "email": "[email protected]", "password": "password123", "customField": {{duplicate value}} }

Missing Value

{ "username": "testuser", "email": "[email protected]", "password": "password123" }

Additional context

This issue directly affects data integrity as the constraints set on the custom field (required and unique) are not being enforced.

@derrickmehaffy added the labels issue: bug, severity: medium, source: plugin:users-permissions, status: pending reproduction, version: 5 on Nov 20, 2024
@github-project-automation (bot) moved this to To be reviewed (Open) in Developer Experience Squad on Nov 20, 2024
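
Added example (not part of the original issue and not Strapi code): a stand-alone sketch of the check the report expects on the register request body, driven by the `required` and `unique` flags of the field definitions. The attribute fragment, the `checkRegistrationBody` and `existsByField` names, and all sample values are assumptions constructed for illustration.

```javascript
// Constructed attribute fragment; the flags mirror the "required" and "unique"
// settings from step 2 of the report. This is not the real user schema.
const userAttributes = {
  username: { type: 'string', required: true, unique: true },
  email: { type: 'email', required: true },
  customField: { type: 'string', required: true, unique: true },
};

// Returns a list of { field, rule } violations; an empty list means the body passes.
// `existsByField(field, value)` is a hypothetical lookup supplied by the caller.
// In an application it would be a database query and would have to be awaited.
function checkRegistrationBody(body, attributes, existsByField) {
  const violations = [];
  for (const [field, attr] of Object.entries(attributes)) {
    const value = body[field];
    const missing = value === undefined || value === null || value === '';
    if (missing) {
      if (attr.required) violations.push({ field, rule: 'required' });
      continue; // nothing to compare for uniqueness
    }
    if (attr.unique && existsByField(field, value)) {
      violations.push({ field, rule: 'unique' });
    }
  }
  return violations;
}

// Constructed in-memory stand-in for the existing user rows.
const existingUsers = [
  { username: 'alice', email: 'alice@example.test', customField: 'A-001' },
];
const existsByField = (field, value) =>
  existingUsers.some((user) => user[field] === value);

// The two request shapes from the report, with constructed values, plus a valid one.
const missingValue = { username: 'testuser', email: 'test@example.test', password: 'password123' };
const duplicateValue = { ...missingValue, customField: 'A-001' };
const validValue = { ...missingValue, customField: 'B-002' };

function demo() {
  return {
    missing: checkRegistrationBody(missingValue, userAttributes, existsByField),
    duplicate: checkRegistrationBody(duplicateValue, userAttributes, existsByField),
    valid: checkRegistrationBody(validValue, userAttributes, existsByField),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

An application-level uniqueness check like this can still be raced by two concurrent requests, so a unique index in the database is what actually enforces the constraint.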