User data in dashboard is updated from data contained in macaroons
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snap Store Server | Fix Released | High | Unassigned | |
Bug Description
The logic in dashboard which updates user data (full name, email address) triggers when e.g. a Launchpad build is initiated, and potentially during other sign-in operations, and updates that data from what is contained in the dashboard macaroon at the time it was minted.
This presents a problem if:
1- User issues a macaroon containing name X and configures an automated build with it.
2- User then changes their name to Y, in Ubuntu SSO and dashboard.
3- An automated build with macaroon #1 is fired. Dashboard will overwrite the name changes from #2 with outdated information from #1.
A real-world case of this was reported and diagnosed here: https:/
I believe the offending code in dashboard is the _update_
2022-11-15 16:22:17.431Z INFO devportal.
To contrast, when the user logged in manually (which properly fetches fresh information from SSO directly), the source of the update is different:
2022-11-15 12:05:09.280Z INFO devportal.
SN-1112
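The overwrite in steps 1-3 above, next to one possible guard, as an added example (not the dashboard's code and not the fix that was released). `Account`, `MacaroonIdentity`, the `minted_at` field and both update functions are hypothetical, and the timeline is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical models: the dashboard's real schema and macaroon layout
# are not shown on this page.
@dataclass
class Account:
    fullname: str
    email: str
    updated_at: datetime            # age of the stored profile data

@dataclass(frozen=True)
class MacaroonIdentity:
    """Profile snapshot embedded in a macaroon at minting time."""
    fullname: str
    email: str
    minted_at: datetime

def update_naive(account: Account, ident: MacaroonIdentity, now: datetime) -> bool:
    """Behaviour described in the report: the embedded snapshot always wins."""
    account.fullname, account.email = ident.fullname, ident.email
    account.updated_at = now
    return True

def update_guarded(account: Account, ident: MacaroonIdentity, now: datetime) -> bool:
    """Apply the snapshot only when it is newer than the stored profile."""
    if ident.minted_at <= account.updated_at:
        return False                # stale snapshot: keep the stored data
    account.fullname, account.email = ident.fullname, ident.email
    # Record the age of the data, not the time of this request, so a later
    # and fresher snapshot is still accepted.
    account.updated_at = ident.minted_at
    return True

def replay(update):
    """Run the constructed timeline; return (applied, resulting full name)."""
    def at(hour):
        return datetime(2022, 11, 15, hour, 0, tzinfo=timezone.utc)
    # Step 1: macaroon minted while the name is X, stored for automated builds.
    ident = MacaroonIdentity("Name X", "x@example.com", minted_at=at(9))
    account = Account("Name X", "x@example.com", updated_at=at(9))
    # Step 2: the user renames themselves to Y.
    account.fullname, account.updated_at = "Name Y", at(12)
    # Step 3: an automated build presents the old macaroon.
    applied = update(account, ident, now=at(16))
    return applied, account.fullname

if __name__ == "__main__":
    print("naive:  ", replay(update_naive))
    print("guarded:", replay(update_guarded))
```
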
Changed in snapstore-server:
status: New → Confirmed
importance: Undecided → High
description: updated
description: updated
Changed in snapstore-server:
status: Confirmed → Fix Released
Build that purportedly triggered the change:
https://launchpad.net/~build.snapcraft.io/+snap/1237d1dc13b271f9bc303be005e7b3e6/+build/1941821
The build started at 16:05 and took 14 minutes, finishing at 16:19, which is slightly earlier than the 16:22 timestamp of the update as seen above - but that might be a publishing delay or something.