From 352be569f969c9cd16032c911365882779c22ce4 Mon Sep 17 00:00:00 2001
From: Edwin Kempin
Date: Fri, 9 Dec 2016 09:35:31 +0100
Subject: [PATCH] AccountManager: Check that ext ID belongs to account before delete
When deleting a newly created account because setting the username has failed (and the realm doesn't allow editing the username) the external ID for the username must only be deleted if it belongs to the new account. Deleting external IDs is done by primary key and the primary key of the ACCOUNT_EXTERNAL_IDS table consists only of the external ID, hence we must check that the account ID matches before deleting the exernal ID. Otherwise we may remove an external ID that is used by another account.
Change-Id: I8bba5e2780f74e24a30ea96f414c583c2d351577
Signed-off-by: Edwin Kempin
---
.../java/com/google/gerrit/server/account/AccountManager.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java
index e32795f67b..b73d58d317 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java
@@ -351,7 +351,9 @@ public class AccountManager {
 // this is why the best we can do here is to fail early and cleanup
 // the database
 db.accounts().delete(Collections.singleton(account));
- db.accountExternalIds().delete(Collections.singleton(extId));
+ if (account.getId().equals(extId.getAccountId())) {
+ db.accountExternalIds().delete(Collections.singleton(extId));
+ }
 throw new AccountUserNameException(errorMessage, e);
 }
 }
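Review bot: The new guard compares `account.getId()` with the account ID carried by the in-memory `extId`, not with the row that the primary-key delete will actually remove. The hunk does not show where `extId` is built; if it is constructed locally for the new account, the condition is always true and a stored row with the same key that belongs to another account would still be deleted. Consider reading the stored row first and checking its owner, e.g. `AccountExternalId stored = db.accountExternalIds().get(extId.getKey());` followed by `if (stored != null && account.getId().equals(stored.getAccountId())) {`. When the IDs do not match the delete is skipped silently, so a warning log naming both account IDs would make the conflict visible to administrators. The enclosing method starts outside the hunk.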