From 161bb1ec75e725a3d6055dddc32a2074dec6f909 Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Sun, 16 Jan 2022 03:24:38 +0400
Subject: [PATCH 1/2] fix: delete user and sessions when deleting a user

---
 app/workers/deletes.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/workers/deletes.php b/app/workers/deletes.php
index f4fd667d2a..2dacff626b 100644
--- a/app/workers/deletes.php
+++ b/app/workers/deletes.php
@@ -190,7 +190,14 @@ class DeletesV1 extends Worker
 {
 $userId = $document->getId();
- // Tokens and Sessions removed with user document
+ // Delete all sessions of this user
+ $this->deleteByGroup('sessions', [
+ new Query('userId', Query::TYPE_EQUAL, [$userId])
+ ], $this->getProjectDB($projectId));
+
+ // Delete user ( tokens are deleted as part of the user object )
+ $this->deleteById($document, $this->getProjectDB($projectId));
+
 // Delete Memberships and decrement team membership counts
 $this->deleteByGroup('memberships', [
 new Query('userId', Query::TYPE_EQUAL, [$userId])

From 6238fcc46a57552699c5dbf4f49dc1d714f28778 Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Sun, 16 Jan 2022 05:02:13 +0400
Subject: [PATCH 2/2] fix: reset user attrbites and do not delete user

---
 app/controllers/api/users.php | 7 +++++++
 app/workers/deletes.php | 14 ++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 61a9e24a41..ff64259409 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@@ -725,6 +725,11 @@ App::delete('/v1/users/:userId')
 throw new Exception('User not found', 404);
 }
+ /**
+ * DO NOT DELETE THE USER RECORD ITSELF.
+ * WE RETAIN THE USER RECORD TO RESERVE THE USER ID AND ENSURE THAT THE USER ID IS NOT REUSED.
+ */
+
 // clone user object to send to workers
 $clone = clone $user;
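Review bot: The explanatory comment inserted before `// clone user object to send to workers` is written as a `/** … */` PHPDoc block, but it annotates no declaration, so tools that attach docblocks to the next statement will read it as documentation for `$clone = clone $user;`; the same block is added inside `deleteUser` in the app/workers/deletes.php hunk of this patch. A plain `//` comment in sentence case carries the same rationale without that ambiguity, e.g. `// Do not delete the user record itself: it is retained so the user ID stays reserved and is never reused.`. The enclosing route handler starts and ends outside the hunk.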
@@ -733,6 +738,8 @@ App::delete('/v1/users/:userId')
 ->setAttribute("email", null)
 ->setAttribute("password", null)
 ->setAttribute("deleted", true)
+ ->setAttribute("tokens", [])
+ ->setAttribute("search", null)
 ;
 $dbForProject->updateDocument('users', $userId, $user);
diff --git a/app/workers/deletes.php b/app/workers/deletes.php
index 2dacff626b..8caf7ddb23 100644
--- a/app/workers/deletes.php
+++ b/app/workers/deletes.php
@@ -188,15 +188,21 @@ class DeletesV1 extends Worker
 */
 protected function deleteUser(Document $document, string $projectId): void
 {
+ /**
+ * DO NOT DELETE THE USER RECORD ITSELF.
+ * WE RETAIN THE USER RECORD TO RESERVE THE USER ID AND ENSURE THAT THE USER ID IS NOT REUSED.
+ */
+
 $userId = $document->getId();
+ $user = $this->getProjectDB($projectId)->getDocument('users', $userId);
- // Delete all sessions of this user
+ // Delete all sessions of this user from the sessions table and update the sessions field of the user record
 $this->deleteByGroup('sessions', [
 new Query('userId', Query::TYPE_EQUAL, [$userId])
 ], $this->getProjectDB($projectId));
-
- // Delete user ( tokens are deleted as part of the user object )
- $this->deleteById($document, $this->getProjectDB($projectId));
+
+ $user->setAttribute('sessions', []);
+ $updated = Authorization::skip(fn() => $this->getProjectDB($projectId)->updateDocument('users', $userId, $user));
 // Delete Memberships and decrement team membership counts
 $this->deleteByGroup('memberships', [
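Review bot: The setter chain now clears `tokens` and `search` synchronously alongside `email` and `password`, but the `sessions` attribute of the retained record is left in place and only emptied later by the deletes worker, which also removes the rows from the `sessions` collection; until that worker runs, the record marked `deleted` still carries its session entries. If session validation does not consult the `deleted` flag (not visible here), that is the window in which a deleted user's existing sessions remain accepted, so clearing the attribute here as well, `->setAttribute("sessions", [])`, keeps the controller's reset consistent with the worker's and is safe because the worker deletes sessions by a `userId` query rather than from this attribute. Whether the auth path reads sessions from the attribute or the collection should be confirmed before relying on this alone. The handler body continues outside the hunk.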
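Review bot: `$updated` on the `Authorization::skip(...)` line is assigned but not read anywhere in the hunk (`deleteUser` continues past it), and `$this->getProjectDB($projectId)` is now evaluated three times in this block; hoisting it to `$dbForProject = $this->getProjectDB($projectId);` at the top of the method and dropping the unused assignment, `Authorization::skip(fn () => $dbForProject->updateDocument('users', $userId, $user));`, keeps every call on one handle. The fresh `getDocument('users', $userId)` read is not wrapped in `Authorization::skip` while the write is; if the worker's authorization context cannot read the user document (not visible here), `$user` would come back empty and then be written over the retained record, so either apply the same skip to the read or return early when the fetch yields no document. A one-line comment on the skip, `// Worker has no user session, so bypass document-level permissions for the write`, would also say why the skip is needed here.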