AccountManager: Check that ext ID belongs to account before delete

When deleting a newly created account because setting the username has failed (and the realm doesn't allow editing the username) the external ID for the username must only be deleted if it belongs to the new account. Deleting external IDs is done by primary key and the primary key of the ACCOUNT_EXTERNAL_IDS table consists only of the external ID, hence we must check that the account ID matches before deleting the exernal ID. Otherwise we may remove an external ID that is used by another account. Change-Id: I8bba5e2780f74e24a30ea96f414c583c2d351577 Signed-off-by: Edwin Kempin <ekempin@google.com>
2016-12-09 09:35:31 +01:00
parent f891ecb541
commit 352be569f9
1 changed files with 3 additions and 1 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java
@@ -351,7 +351,9 @@ public class AccountManager {
      // this is why the best we can do here is to fail early and cleanup
      // the database
      db.accounts().delete(Collections.singleton(account));
-      db.accountExternalIds().delete(Collections.singleton(extId));
+      if (account.getId().equals(extId.getAccountId())) {
+        db.accountExternalIds().delete(Collections.singleton(extId));
+      }
      throw new AccountUserNameException(errorMessage, e);
    }
  }