Multiple methods in UsersEntity.java incorrectly handle user ID parameters when constructing API URLs. This causes failures when user IDs contain forward slashes or other special characters that require URL encoding.
Affected Methods
1. listPermissions(String userId, PageFilter filter) - uses addPathSegments(userId)
2. removePermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)
3. addPermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)
4. listRoles(String userId, PageFilter filter) - uses addPathSegments(userId)
5. removeRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)
6. addRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)
7. deleteAllAuthenticators(String userId) - uses String.format("api/v2/users/%s/authenticators", userId)
Technical Details
Two distinct URL construction issues are present:
- Methods 1-6: Use addPathSegments(), which treats the input as pre-separated path segments and does not encode forward slashes, when they should use addPathSegment(), which properly encodes special characters.
- Method 7: Uses String.format("api/v2/users/%s/authenticators", userId) inside withPathSegments(), which provides no URL encoding and then treats the result as multiple segments.
Code Example
From deleteAllAuthenticators:

    // userId is interpolated unencoded, then the whole string is split into segments
    return voidRequest(HttpMethod.DELETE, (RequestBuilder<Void> builder) ->
        builder.withPathSegments(String.format("api/v2/users/%s/authenticators", userId)));

This should be:

    // userId is added as a single, encoded path segment
    return voidRequest(HttpMethod.DELETE, (RequestBuilder<Void> builder) ->
        builder.addPathSegments("api/v2/users")
            .addPathSegment(userId)
            .addPathSegment("authenticators"));

Example Failure
For a user ID like google-oauth2|123456/789:
- Current implementation produces: /api/v2/users/google-oauth2%7C123456/789/roles
- Correct encoding should be: /api/v2/users/google-oauth2%7C123456%2F789/roles
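
The difference between the two builders can be checked outside the SDK with a small model. This is an added example, not code from the issue or the library: the two path functions are assumptions that imitate split-on-slash versus single-segment encoding, and every sample ID except google-oauth2|123456/789 is constructed.

```python
from urllib.parse import quote, unquote

BASE = ["api", "v2", "users"]

def encode_segment(value: str) -> str:
    """Percent-encode one path segment; with safe='' a '/' becomes %2F."""
    return quote(value, safe="")

def path_with_segments(user_id: str, tail: str) -> str:
    """Model of the reported behaviour: the id is split on '/' before encoding."""
    parts = BASE + user_id.split("/") + [tail]
    return "/" + "/".join(encode_segment(p) for p in parts)

def path_with_segment(user_id: str, tail: str) -> str:
    """Model of the proposed fix: the id is encoded as exactly one segment."""
    parts = BASE + [user_id, tail]
    return "/" + "/".join(encode_segment(p) for p in parts)

def id_seen_by_server(path: str):
    """Id that a route shaped /api/v2/users/{id}/{tail} would extract, else None."""
    segments = path.lstrip("/").split("/")
    if len(segments) != len(BASE) + 2 or segments[:3] != BASE:
        return None  # wrong number of segments: the request targets another route
    return unquote(segments[3])

def ids_that_break(ids, build):
    """Return the ids that do not survive a round trip through build()."""
    return [i for i in ids if id_seen_by_server(build(i, "roles")) != i]

# Constructed sample ids, apart from the one quoted in the issue.
SAMPLE_IDS = [
    "auth0|abc123",
    "google-oauth2|123456/789",
    "waad|a/b/c",
    "samlp|name?x#y",
]

if __name__ == "__main__":
    for uid in SAMPLE_IDS:
        print(f"{uid!r}")
        print("  split :", path_with_segments(uid, "roles"))
        print("  single:", path_with_segment(uid, "roles"))
    print("break with split :", ids_that_break(SAMPLE_IDS, path_with_segments))
    print("break with single:", ids_that_break(SAMPLE_IDS, path_with_segment))
```

The same round-trip check works as a regression test for each of the seven methods once they are switched to single-segment encoding.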
Proposed Solution
- For methods 1-6: Replace addPathSegments(userId) with addPathSegment(userId)
- For method 7: Replace the String.format() approach with proper URL builder methods using addPathSegment(userId)
This change would align these methods with others in the same class that correctly handle user IDs, such as get(), delete(), update(), etc.