fix: validate Disabled field in UpdateGroup handlers

Reject values other than "true" or "false" with InvalidInputException instead of silently treating them as false.
21 hours ago · a68e69826c
2 changed files with 6 additions and 0 deletions
--- a/weed/iamapi/iamapi_group_handlers.go
+++ b/weed/iamapi/iamapi_group_handlers.go
@ -56,6 +56,9 @@ func (iama *IamApiServer) UpdateGroup(s3cfg *iam_pb.S3ApiConfiguration, values u
 	for _, g := range s3cfg.Groups {
 		if g.Name == groupName {
 			if disabled := values.Get("Disabled"); disabled != "" {
+				if disabled != "true" && disabled != "false" {
+					return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("Disabled must be 'true' or 'false'")}
+				}
 				g.Disabled = disabled == "true"
 			}
 			if newName := values.Get("NewGroupName"); newName != "" && newName != g.Name {
--- a/weed/s3api/s3api_embedded_iam.go
+++ b/weed/s3api/s3api_embedded_iam.go
@ -1505,6 +1505,9 @@ func (e *EmbeddedIamApi) UpdateGroup(s3cfg *iam_pb.S3ApiConfiguration, values ur
 	for _, g := range s3cfg.Groups {
 		if g.Name == groupName {
 			if disabled := values.Get("Disabled"); disabled != "" {
+				if disabled != "true" && disabled != "false" {
+					return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("Disabled must be 'true' or 'false'")}
+				}
 				g.Disabled = disabled == "true"
 			}
 			if newName := values.Get("NewGroupName"); newName != "" && newName != g.Name {