Merge pull request #1487 from bcgov/feature/securityFix

Small security fix for adding student.
bcgov · Apr 19, 2024 · d1f9a0d · d1f9a0d
2 parents f380990 + 36a6fed
commit d1f9a0d
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/backend/src/components/permissionUtils.js b/backend/src/components/permissionUtils.js
@@ -328,6 +328,9 @@ function findSInstituteTypeCollectionID_body(req, res, next) {
 }
 
 function checkStudentBelongsInCollection(req, res, next) {
+  if (!res.locals.requestedSdcSchoolCollectionStudentID) {
+    return next();
+  }
   if(res.locals.requestedInstituteType === 'DISTRICT') {
     return checkIfStudentBelongsInDistrictCollection(req, res, next);
   } else {

diff --git a/frontend/src/components/admin/InviteUserPage.vue b/frontend/src/components/admin/InviteUserPage.vue
@@ -233,7 +233,7 @@ export default {
     emailRules() {
       return [
         v => !!v || this.emailHint,
-        v => /^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$/.test(v) || this.emailHint,
+        v => /^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,63}$/.test(v) || this.emailHint,
       ];
     }
   },

diff --git a/frontend/src/utils/institute/formRules.js b/frontend/src/utils/institute/formRules.js
@@ -20,7 +20,7 @@ import {LocalDate} from '@js-joda/core';
  * @returns Function
  */
 const email = (message = 'E-mail must be valid') => {
-  return v => !v || /^(?=[A-Za-z0-9][A-Za-z0-9@._%+-]{5,253}$)[A-Za-z0-9._%+-]{1,64}@(?:(?=[A-Za-z0-9-]{1,63}\.)[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*\.){1,8}[A-Za-z]{2,63}$/.test(v) || message;
+  return v => !v || /^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,63}$/.test(v) || message;
 };
 
 /**