Person merge must delete/hide the merged account

Bug #575317 reported by Curtis Hovey on 2010-05-04
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Curtis Hovey

Bug Description

Recent changes to SSO require Launchpad to delete the accounts of merged users. This implies the email addresses must also be reconciled.

Note that there may be something else wrong with merge because all email addresses used to authenticate should have been transferred to remaining account and person.

Salgado recommends removing the LP account table

> <salgado> I have two LP accounts, a1 (with openid identifier 'a1') and a2 (with
> openid identifier 'a2')
> <salgado> a1 has <email address hidden> as its email address
> <salgado> and a2 has <email address hidden>
> <salgado> now, let's say I merge account a2 into account a1
> <salgado> that will move <email address hidden> to a1, but won't actually delete the a1
> account
> <salgado> also, on the SSO DB, the <email address hidden> email is still associated with
> the a2 account
> <salgado> because the account merge is a LP thing
> <salgado> if I now log into LP using <email address hidden>, the SSO will send a2 as the
> OpenID identifier to LP
> <salgado> but that identifier is associated with a merged account
> <mars> right, a2-merged
> <salgado> which has no preferred email address
> <salgado> so the callback page OOPSes
> <salgado> we wouldn't have this sort of problem if we've gotten rid of the
> Account table from our DB
> <mars> salgado, so the correct behaviour would be to log in with <email address hidden>,
> and then I appear as using account a1?
> <mars> but it incorrectly shows up as using account a2-merged
> <salgado> but in the mean time we could change the person merge code to delete
> the Account entry for the merged person
> <salgado> mars, correct
> <salgado> if we do as I say above, it will work as expected
> <mars> how will that fix "if I now log into LP using <email address hidden>, the SSO
> will send a2 as the OpenID identifier to LP" ?
> <salgado> it won't
> <salgado> it will still send a2
> <mars> and then?
> <salgado> but since that identifier is not in our DB, we'll fall back to look up
> the account which is associated with <email address hidden>
> <mars> oh
> <salgado> let me confirm
> <mars> ok
> <mars> salgado, is deleting the merged account a problem? Why have we not done
> this in the past?
> <salgado> mars, confirmed. we do that and then set the OpenID identifier of the
> a1 account to 'a2'
> <salgado> mars, because we don't delete anything when merging people
> <mars> salgado, in the mean time can we run a SQL query to delete the account,
> see if it works as expected?
> <salgado> mars, sure, just ask the LOSAs to delete the merged account
> <mars> salgado, should they save the data just in case it doesn't work?
> <mars> if such a thing is even possible...
> <salgado> they could write down the data before deleting, but there's nothing
> useful in the account entry of a merged person anyway

Related branches

Curtis Hovey (sinzui) wrote :

We cannot delete the account, but we can change the Account.openid_identifier to not match any identifier sent from SSO.

summary: - Person merge must delete merged account
+ Person merge must delete/hide the merged account
Changed in launchpad-registry:
status: Triaged → In Progress
assignee: nobody → Curtis Hovey (sinzui)
Changed in launchpad-registry:
status: In Progress → Fix Committed
tags: added: qa-needstesting
Curtis Hovey (sinzui) on 2010-05-13
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui) on 2010-06-02
Changed in launchpad-registry:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers