Potential LTI duplicating accounts with parent auth
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Fix Released
|
High
|
Robert Lyon | ||
20.10 |
Fix Released
|
High
|
Unassigned | ||
21.04 |
Fix Released
|
High
|
Unassigned | ||
21.10 |
Fix Released
|
High
|
Unassigned | ||
22.04 |
Fix Released
|
High
|
Robert Lyon |
Bug Description
There is a problem in module_
If a person does not exist they are created via create_user() function and this function will check if the auth method they are created with needs a remote username and if so adds a row to the "auth_remote_user" table too.
Then module_
So we end up with 2 rows
But the problem is when we have a parent auth (SAML) as the parent we pass in the parent authinstance id to be the one saved in "usr" table.
So we end up with both the rows being connected to the parent auth because we pass in the parent authinstance id when creating the person.
When we then login again via LTI it finds the person by email and updates the "auth_remote_user" table but this time adds the row correctly with the LTI authinstance id.
So we end up with 3 rows - but we should only have two.
what we should do is if the LTI auth instance has a parent auth and that parent auth allows adding to remote table add that one first, via create_user(), then add the one for LTI
https:/ /reviews. mahara. org/#/c/ 12002/