Improve user management

README.md

@@ -13,13 +13,9 @@ All you need to provide is PostgreSQL, Microsoft SQL Server or any MySQL variant
 
 ## Latest Release
 
-[Community Edition: v3.8.1](https://github.com/documize/community/releases)
+[Community Edition: v3.8.2](https://github.com/documize/community/releases)
 
-[Enterprise Edition: v3.8.1](https://www.documize.com/downloads)
+[Enterprise Edition: v3.8.2](https://www.documize.com/downloads)
-
-> *We provide frequent product updates for both cloud and self-hosted customers.*
->
-> **Harvey Kandola, CEO/Founder @ Documize**
 
 ## OS Support
 
@@ -50,7 +46,7 @@ For all database types, Full-Text Search support (FTS) is mandatory.
 
 ## Technology Stack
 
-- Go (v1.14.3)
+- Go (v1.15.5)
 - Ember JS (v3.12.0)
 
 ## Authentication Options

core/stringutil/sanitize.go

@@ -0,0 +1,50 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+package stringutil
+
+import (
+	"strings"
+)
+
+// CleanDBValue returns like query minus dodgy characters.
+func CleanDBValue(filter string) string {
+	filter = strings.ReplaceAll(filter, " ", "")
+	filter = strings.ReplaceAll(filter, " ' ", "")
+	filter = strings.ReplaceAll(filter, "'", "")
+	filter = strings.ReplaceAll(filter, " ` ", "")
+	filter = strings.ReplaceAll(filter, "`", "")
+	filter = strings.ReplaceAll(filter, " \" ", "")
+	filter = strings.ReplaceAll(filter, "\"", "")
+	filter = strings.ReplaceAll(filter, " -- ", "")
+	filter = strings.ReplaceAll(filter, "--", "")
+	filter = strings.ReplaceAll(filter, ";", "")
+	filter = strings.ReplaceAll(filter, ":", "")
+	filter = strings.ReplaceAll(filter, "~", "")
+	filter = strings.ReplaceAll(filter, "!", "")
+	filter = strings.ReplaceAll(filter, "#", "")
+	filter = strings.ReplaceAll(filter, "%", "")
+	filter = strings.ReplaceAll(filter, "*", "")
+	filter = strings.ReplaceAll(filter, "\\", "")
+	filter = strings.ReplaceAll(filter, "/", "")
+	filter = strings.ReplaceAll(filter, "union select", "")
+	filter = strings.ReplaceAll(filter, "UNION SELECT", "")
+	filter = strings.ReplaceAll(filter, " from ", "")
+	filter = strings.ReplaceAll(filter, " FROM ", "")
+	filter = strings.ReplaceAll(filter, " OR 1=1 ", "")
+	filter = strings.ReplaceAll(filter, " OR 1=1 ", "")
+	filter = strings.ReplaceAll(filter, " = ", "")
+	filter = strings.ReplaceAll(filter, "=", "")
+
+	filter = strings.TrimSpace(filter)
+
+	return filter
+}

domain/user/store.go

@@ -19,6 +19,7 @@ import (
 	"time"
 
 	"github.com/documize/community/core/env"
+	"github.com/documize/community/core/stringutil"
 	"github.com/documize/community/domain"
 	"github.com/documize/community/domain/store"
 	"github.com/documize/community/model/user"
@@ -168,50 +169,6 @@ func (s Store) GetActiveUsersForOrganization(ctx domain.RequestContext) (u []use
 	return
 }
 
-// GetUsersForOrganization returns a slice containing all of the user records for the organizaiton
-// identified in the context.
-func (s Store) GetUsersForOrganization(ctx domain.RequestContext, filter string, limit int) (u []user.User, err error) {
-	u = []user.User{}
-
-	filter = strings.TrimSpace(strings.ToLower(filter))
-	likeQuery := ""
-	if len(filter) > 0 {
-		likeQuery = " AND (LOWER(u.c_firstname) LIKE '%" + filter + "%' OR LOWER(u.c_lastname) LIKE '%" + filter + "%' OR LOWER(u.c_email) LIKE '%" + filter + "%') "
-	}
-
-	if s.Runtime.StoreProvider.Type() == env.StoreTypeSQLServer {
-		err = s.Runtime.Db.Select(&u, s.Bind(`SELECT TOP(`+strconv.Itoa(limit)+`) u.id, u.c_refid AS refid,
-        u.c_firstname AS firstname, u.c_lastname AS lastname, u.c_email AS email,
-        u.c_initials AS initials, u.c_globaladmin AS globaladmin,
-        u.c_password AS password, u.c_salt AS salt, u.c_reset AS reset, u.c_lastversion AS lastversion,
-        u.c_created AS created, u.c_revised AS revised,
-        a.c_active AS active, a.c_editor AS editor, a.c_admin AS admin, a.c_users AS viewusers, a.c_analytics AS analytics
-        FROM dmz_user u, dmz_user_account a
-        WHERE u.c_refid=a.c_userid AND a.c_orgid=? `+likeQuery+
-			`ORDER BY u.c_firstname, u.c_lastname`), ctx.OrgID)
-	} else {
-		err = s.Runtime.Db.Select(&u, s.Bind(`SELECT u.id, u.c_refid AS refid,
-        u.c_firstname AS firstname, u.c_lastname AS lastname, u.c_email AS email,
-        u.c_initials AS initials, u.c_globaladmin AS globaladmin,
-        u.c_password AS password, u.c_salt AS salt, u.c_reset AS reset, u.c_lastversion AS lastversion,
-        u.c_created AS created, u.c_revised AS revised,
-        a.c_active AS active, a.c_editor AS editor, a.c_admin AS admin, a.c_users AS viewusers, a.c_analytics AS analytics
-        FROM dmz_user u, dmz_user_account a
-        WHERE u.c_refid=a.c_userid AND a.c_orgid=? `+likeQuery+
-			`ORDER BY u.c_firstname, u.c_lastname LIMIT `+strconv.Itoa(limit)), ctx.OrgID)
-	}
-
-	if err == sql.ErrNoRows {
-		err = nil
-	}
-
-	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf(" get users for org %s", ctx.OrgID))
-	}
-
-	return
-}
-
 // GetSpaceUsers returns a slice containing all user records for given space.
 func (s Store) GetSpaceUsers(ctx domain.RequestContext, spaceID string) (u []user.User, err error) {
 	u = []user.User{}
@@ -339,11 +296,58 @@ func (s Store) CountActiveUsers() (c []domain.SubscriptionUserAccount) {
 	return
 }
 
+// GetUsersForOrganization returns a slice containing all of the user records for the organizaiton
+// identified in the context.
+func (s Store) GetUsersForOrganization(ctx domain.RequestContext, filter string, limit int) (u []user.User, err error) {
+	u = []user.User{}
+
+	filter = strings.TrimSpace(strings.ToLower(filter))
+	filter = stringutil.CleanDBValue(filter)
+
+	likeQuery := ""
+	if len(filter) > 0 {
+		likeQuery = " AND (LOWER(u.c_firstname) LIKE '%" + filter + "%' OR LOWER(u.c_lastname) LIKE '%" + filter + "%' OR LOWER(u.c_email) LIKE '%" + filter + "%') "
+	}
+
+	if s.Runtime.StoreProvider.Type() == env.StoreTypeSQLServer {
+		err = s.Runtime.Db.Select(&u, s.Bind(`SELECT TOP(`+strconv.Itoa(limit)+`) u.id, u.c_refid AS refid,
+        u.c_firstname AS firstname, u.c_lastname AS lastname, u.c_email AS email,
+        u.c_initials AS initials, u.c_globaladmin AS globaladmin,
+        u.c_password AS password, u.c_salt AS salt, u.c_reset AS reset, u.c_lastversion AS lastversion,
+        u.c_created AS created, u.c_revised AS revised,
+        a.c_active AS active, a.c_editor AS editor, a.c_admin AS admin, a.c_users AS viewusers, a.c_analytics AS analytics
+        FROM dmz_user u, dmz_user_account a
+        WHERE u.c_refid=a.c_userid AND a.c_orgid=? `+likeQuery+
+			`ORDER BY u.c_firstname, u.c_lastname`), ctx.OrgID)
+	} else {
+		err = s.Runtime.Db.Select(&u, s.Bind(`SELECT u.id, u.c_refid AS refid,
+        u.c_firstname AS firstname, u.c_lastname AS lastname, u.c_email AS email,
+        u.c_initials AS initials, u.c_globaladmin AS globaladmin,
+        u.c_password AS password, u.c_salt AS salt, u.c_reset AS reset, u.c_lastversion AS lastversion,
+        u.c_created AS created, u.c_revised AS revised,
+        a.c_active AS active, a.c_editor AS editor, a.c_admin AS admin, a.c_users AS viewusers, a.c_analytics AS analytics
+        FROM dmz_user u, dmz_user_account a
+        WHERE u.c_refid=a.c_userid AND a.c_orgid=? `+likeQuery+
+			`ORDER BY u.c_firstname, u.c_lastname LIMIT `+strconv.Itoa(limit)), ctx.OrgID)
+	}
+
+	if err == sql.ErrNoRows {
+		err = nil
+	}
+
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf(" get users for org %s", ctx.OrgID))
+	}
+
+	return
+}
+
 // MatchUsers returns users that have match to either firstname, lastname or email.
 func (s Store) MatchUsers(ctx domain.RequestContext, text string, maxMatches int) (u []user.User, err error) {
 	u = []user.User{}
 
 	text = strings.TrimSpace(strings.ToLower(text))
+	text = stringutil.CleanDBValue(text)
 	likeQuery := ""
 	if len(text) > 0 {
 		likeQuery = " AND (LOWER(c_firstname) LIKE '%" + text + "%' OR LOWER(c_lastname) LIKE '%" + text + "%' OR LOWER(c_email) LIKE '%" + text + "%') "

edition/community.go

@@ -41,8 +41,8 @@ func main() {
 	rt.Product = domain.Product{}
 	rt.Product.Major = "3"
 	rt.Product.Minor = "8"
-	rt.Product.Patch = "1"
+	rt.Product.Patch = "2"
-	rt.Product.Revision = "201109100417"
+	rt.Product.Revision = "201129194821"
 	rt.Product.Version = fmt.Sprintf("%s.%s.%s", rt.Product.Major, rt.Product.Minor, rt.Product.Patch)
 	rt.Product.Edition = domain.CommunityEdition
 	rt.Product.Title = fmt.Sprintf("%s Edition", rt.Product.Edition)

gui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "documize",
-  "version": "3.8.1",
+  "version": "3.8.2",
   "description": "Documize is the Integrated Document Environment (IDE)",
   "repository": "",
   "license": "AGPL",