Closed Bug 380928 Opened 17 years ago Closed 17 years ago

Bugzilla::Auth::Verify::create_or_update_user can return stale Bugzilla::User object

Categories

(Bugzilla :: Administration, task)

Product:
Bugzilla
Component:
Administration
Type:
task
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 3.0

People

(Reporter: vrb, Assigned: vrb)

Details

Attachments

(1 file, 2 obsolete files)

fix version 3
1.03 KB, patch
mkanat
: review+
Details | Diff | Splinter Review 
Near the end of Bugzilla::Auth::Verify::create_or_update_user, it instantiates a new Bugzilla::User object. After that, it conditionally updates the profiles table with a new login_name and/or realname. The problem is, the Bugzilla::User object still contains the old info from before the updates happened.
Attached patch fix version 1 (obsolete) — Splinter Review 

        Attachment #265044 -
        Flags: review?(mkanat)

    
    

    
  
Comment on attachment 265044 [details] [diff] [review]
fix version 1

This is fine for 3.0.

For the trunk, though, we need to change this code to use $user->set_ and $user->update().

Oh also, even in this patch, change it to use $user->id instead of $user_id for consistency.

        Attachment #265044 -
        Flags: review?(mkanat) → review+

    
  
Severity: normal → minor
Target Milestone: --- → Bugzilla 3.0

    
    

    
  
(In reply to comment #2)
> (From update of attachment 265044 [details] [diff] [review])
> This is fine for 3.0.
> 
> For the trunk, though, we need to change this code to use $user->set_ and
> $user->update().

Do you want me to submit a new patch for this? I don't have a test environment for trunk, and Verify.pm hasn't changed since 3.0....

> Oh also, even in this patch, change it to use $user->id instead of $user_id for
> consistency.

I can, but then it wouldn't be consistent with line 111. Either way is fine with me. :-)
    line 111: my $user = new Bugzilla::User($user_id);

    
    

    
  
(In reply to comment #3)
> Do you want me to submit a new patch for this? I don't have a test environment
> for trunk, and Verify.pm hasn't changed since 3.0....

  Yes, I'd like a new patch. Do you want a landfill account? I could get you one. There are nice tools on there for creating test environments.

> I can, but then it wouldn't be consistent with line 111. Either way is fine
> with me. :-)
>     line 111: my $user = new Bugzilla::User($user_id);

  Yes, but that's because $user->id doesn't exist before that. :-) It just saves anybody reading the code from having to check if $user_id and $user->id are the same.

    
    

    
  
(In reply to comment #4)
> (In reply to comment #3)
> > Do you want me to submit a new patch for this? I don't have a test environment
> > for trunk, and Verify.pm hasn't changed since 3.0....
> 
>   Yes, I'd like a new patch. Do you want a landfill account? I could get you
> one. There are nice tools on there for creating test environments.

Yes, please.
 
> > I can, but then it wouldn't be consistent with line 111. Either way is fine
> > with me. :-)
> >     line 111: my $user = new Bugzilla::User($user_id);
> 
>   Yes, but that's because $user->id doesn't exist before that. :-) It just
> saves anybody reading the code from having to check if $user_id and $user->id
> are the same.

Got it -- will do.


    
    

    
  
Comment on attachment 265044 [details] [diff] [review]
fix version 1

Will provide a better patch.

        Attachment #265044 -
        Attachment is obsolete: true

        Attachment #265044 -
        Flags: review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix version 2 (obsolete)
        — Splinter Review
      

    


  
This one uses set_login(), set_name(), and update().

        Attachment #265290 -
        Flags: review?(mkanat)

    
    

    
  
Comment on attachment 265290 [details] [diff] [review]
fix version 2

What happens if you call $user->update() outside of either block? It's actually designed to be a no-op if nothing has changed.

    
    

    
  
If nothing has changed, the DB overhead of $user->update() is this call only:

SELECT
    profiles.userid AS id,
    profiles.login_name,
    profiles.realname,
    profiles.mybugslink AS showmybugslink,
    profiles.disabledtext,
    profiles.disable_mail
    FROM profiles
    WHERE userid = ?

Shall I go ahead and move the update outside the blocks?

    
    

    
  
(In reply to comment #9)
> Shall I go ahead and move the update outside the blocks?

  Sure!

    
    

    
  
Comment on attachment 265290 [details] [diff] [review]
fix version 2

r- per the above.

        Attachment #265290 -
        Flags: review?(mkanat) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix version 3Splinter Review
      

    


  
Moved the update outside the blocks.

        Attachment #265290 -
        Attachment is obsolete: true

        Attachment #265518 -
        Flags: review?(mkanat)

    
    

    
  
Comment on attachment 265518 [details] [diff] [review]
fix version 3

Looks good to me! :-)

        Attachment #265518 -
        Flags: review?(mkanat) → review+

    
  
Flags: approval3.0+
Flags: approval+

    
    

    
  
    Checking in Bugzilla/Auth/Verify.pm;
    /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Verify.pm,v  <--  Verify.pm
    new revision: 1.7; previous revision: 1.6
    done
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: