Possible to merge a user with itself

Bug #1786534 reported by Jason Stephenson
This bug affects 1 person
Affects     Status         Importance   Assigned to   Milestone
Evergreen   Fix Released   Medium       Unassigned
3.0         Fix Released   Medium       Unassigned
3.1         Fix Released   Medium       Unassigned

Bug Description

Evergreen: 3.0, 3.1, Master
OpenSRF: N/A
Postgres: N/A

It is possible to merge a user with itself using the actor.usr_merge database function. The result of doing this is a user with the deleted field set to true and the card field set to null. Depending on the other options given, the patron's addresses and other cards may also be deleted. This is probably not what you want.

Furthermore, I have evidence from our logs on Evergreen 3.0 that it is somehow possible to do this from the web staff client:

2018-07-23 13:23:53 bd1-bh5 open-ils.cstore: [INFO:6883:osrf_application.c:1075:153236375025316451] CALL: open-ils.cstore open-ils.cstore.json_query.atomic {"from":["actor.usr_merge",533652,533652,"t","f","t"]}

The result of the above was a patron set to deleted, the card field set to null, the patron's addresses deleted, and all the corresponding actor.card entries set to active false.

A very simple fix would be to add a check at the top of the actor.usr_merge database function to bail if the src_user and dest_usr are the same. I have already tested such a fix on the above user and it works. I will post a branch shortly.

Changed in evergreen:
milestone: none → 3.2-beta
Jason Stephenson (jstephenson) wrote :

Git branch that fixes it for me is here:

working/user/dyrcona/lp1786534-usr_merge-bail-on-same-user

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/dyrcona/lp1786534-usr_merge-bail-on-same-user

tags: added: pullrequest
Changed in evergreen:
milestone: 3.2-beta → 3.2-rc
Michele Morgan (mmorgan)
Changed in evergreen:
assignee: nobody → Michele Morgan (mmorgan)
Michele Morgan (mmorgan) wrote :

I was not able to discover how this is happening via the web client, but I tested this fix using srfsh calls. Without the fix, the following srfsh command results in a patron record with NULL card and deleted = true as Jason describes.

srfsh# request open-ils.cstore open-ils.cstore.json_query.atomic {"from":["actor.usr_merge",2261502,2261502,"f","f","f"]}

After applying the fix, and attempting the srfsh command with a different usr id, the usr record is unedited. My signoff branch is at:

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/mmorgan/lp1786534_no_merging_user_with_itself_signoff

tags: added: signedoff
Changed in evergreen:
assignee: Michele Morgan (mmorgan) → nobody
Galen Charlton (gmc)
Changed in evergreen:
importance: Undecided → Medium
status: New → Won't Fix
status: Won't Fix → Confirmed
assignee: nobody → Galen Charlton (gmc)
Galen Charlton (gmc) wrote :

Pushed to master, rel_3_1, and rel_3_0, along with some patches to keep actor.usr_merge() correctly up to date in rel_3_{0,1} and 3.2. Thanks, Jason and Michele!

Changed in evergreen:
assignee: Galen Charlton (gmc) → nobody
status: Confirmed → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released
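
To find patrons already damaged by a self-merge, the open-ils.cstore log can be scanned for actor.usr_merge calls whose first two arguments are equal. The script below is an added example, not part of the bug report or of Evergreen; it assumes the log line layout quoted in the description, and the second and third sample lines (including the function name example.some_function) are constructed.

```python
import json
import re

# Constructed sample log: line 1 is the entry quoted in the report; lines 2
# and 3 are made-up controls (a normal merge and an unrelated query).
SAMPLE_LOG = """\
2018-07-23 13:23:53 bd1-bh5 open-ils.cstore: [INFO:6883:osrf_application.c:1075:153236375025316451] CALL: open-ils.cstore open-ils.cstore.json_query.atomic {"from":["actor.usr_merge",533652,533652,"t","f","t"]}
2018-07-23 13:25:10 bd1-bh5 open-ils.cstore: [INFO:6883:osrf_application.c:1075:0000000000000000001] CALL: open-ils.cstore open-ils.cstore.json_query.atomic {"from":["actor.usr_merge",1001,1002,"t","f","t"]}
2018-07-23 13:26:02 bd1-bh5 open-ils.cstore: [INFO:6883:osrf_application.c:1075:0000000000000000002] CALL: open-ils.cstore open-ils.cstore.json_query.atomic {"from":["example.some_function",4]}
"""

# timestamp ... CALL: <service> <method> <JSON parameters>
CALL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*? CALL: \S+ (?P<method>\S+) (?P<params>.*)$")


def find_self_merges(log_text):
    """Return one dict per logged actor.usr_merge call whose source and
    destination user ids are equal."""
    hits = []
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if not m or "json_query" not in m.group("method"):
            continue
        try:
            # Decode only the first logged parameter (the query object).
            query, _ = json.JSONDecoder().raw_decode(m.group("params").lstrip())
        except ValueError:
            continue  # truncated or non-JSON parameter text
        call = query.get("from") if isinstance(query, dict) else None
        if not isinstance(call, list) or len(call) < 3:
            continue
        if call[0] != "actor.usr_merge":
            continue
        # Ids may be logged as numbers or strings; compare normalized text.
        if str(call[1]).strip() == str(call[2]).strip():
            hits.append({"time": m.group("ts"), "usr": call[1],
                         "flags": call[3:]})
    return hits


if __name__ == "__main__":
    for hit in find_self_merges(SAMPLE_LOG):
        print(hit)
```

Each hit gives the user id to inspect for deleted = true and a null card, plus the flags that determined whether addresses and cards were also touched.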