712092 - Delete profile doesn't remove data from MySQL

Status: VERIFIED INVALID

(Participation Infrastructure :: Phonebook, defect)

Description

[Austin King [:ozten]]

In trying to troubleshoot why I can't create un-vouched users, I noticed the following:

Steps to repro:
1) Create user A
2) Click Edit then Delete my Account
3) Confirm
4) Using mysql client do

    select * from auth_user WHERE email = 'user A email address';

Expected:
No results

Actual: User data still in MySQL

Comment 1

[Austin King [:ozten]]

Doh, looks like i can't test with any of my accounts as when I re-create them they get deteccted in the system as vouched.

Example:
I see user A in auth_user as well as the profile table. In profile, their is_vouched is set to 1. 

Some webcode uses MySQL to decide if the user is vouched or not (instead of LDAP). 

Example states in the app:

User A is treated as vouched
* viewing/editing profile

User A is treated as not vouched
* executing search (ACL enforced as un-vouched)
* when filtering search results for un-vouched only results

In addition to being inconsistent, we should fix this as it's a email recycling security issue.

Comment 2

[tofumatt [:tofumatt]]

This will be less of a security issue with BrowserID but it's still naughty. Marking confidential, for whatever difference it makes.

Comment 3

[Aakash Desai [:aakashd]]

This is not happening anymore after completely moving to SQL.

Comment 4

[Matt Brandt [:mbrandt]]

Bumping to QA verified per comment 9 and the passage of time