-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Make user removal more resilient #47896
base: master
Are you sure you want to change the base?
Conversation
4648397
to
6c21dc7
Compare
lib/private/Authentication/Listeners/UserDeletedFilesCleanupListener.php
Fixed
Show fixed
Hide fixed
e58b96c
to
b714280
Compare
@blizzz I think you got a point here, we need to cover the case where |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not tested, but looking ok
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
01472dc
to
9b70c7e
Compare
$this->config->setUserValue($this->uid, 'core', 'deleted.backup-home', $this->getHome()); | ||
|
||
// Try to delete the user on the backend | ||
$result = $this->backend?->deleteUser($this->uid); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In what situation is $this->backend
null?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be honest: No idea. The backend is not required in the constructor and there are some code places where the user is constructed without any backend.
So two ways:
- Make this null safe as is now
- Or assert the backend is set and fail if not.
I like the idea, not sure I like the fact that it runs daily. |
It simply skips if there is nothing to do, otherwise it only does things in the maintenance window. |
Currently there is a problem if an exception is thrown in `User::delete`, because at that point the user is already removed from the backend, but not all data is deleted. There is no way to recover from this state, as the user is gone no information is available anymore. This means the data is still available on the server but can not removed by any API anymore. The solution here is to first set a flag and backup the user home, this can be used to recover failed user deletions in a way the delete can be re-tried. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
9b70c7e
to
b7fd9af
Compare
/backport to stable30 |
/backport to stable29 |
/backport to stable28 |
User::delete
failed #47900Summary
Currently there is a problem if an exception is thrown in
User::delete
, because at that point the user is already removed from the backend, but not all data is deleted.There is no way to recover from this state, as the user is gone no information is available anymore. This means the data is still available on the server but can not removed by any API anymore.
The solution here is to first set a flag and backup the user home, this can be used to recover failed user deletions in a way the delete can be re-tried.
Discussion
I am not 100% sure this is the best way, but as out API needs real user instances to delete user data, I think we need to go with the "FailedUsersBackend".
I tested this with injecting various exceptions in random places in the
User::delete
method and then let the background job cleanup the state. In my test cases this worked as expected.Checklist