#1608 User_delete event of Email class

v5.x
closed
nobody
None
5
2014-05-28
2014-05-05
No

I guess I found a bug in your objects...

The method "user_delete" of modules/email/classes/email.class.inc.php, which is used as the "user_delete" event, uses the wrong query to get the em_accounts record for deletion:

$email->query("SELECT id FROM em_accounts WHERE id=?", "i", $user['id']);

In my opinion this condition should be
user_id = ?
similarly to the same method/event of the addressbook, calendar and tasks objects:

$sql = "SELECT id FROM ab_addressbooks WHERE user_id='".$ab2->escape($user['id'])."'";
$sql = "SELECT * FROM cal_calendars WHERE user_id='".$cal->escape($user['id'])."'";
$sql = "DELETE FROM ta_settings WHERE user_id=".$tasks->escape($user['id']);

This bug can cause random deletion of the wrong em_accounts records if there is a record in em_accounts that unfortunately has the same ID as the go_users record.

I'm able to reproduce it on my testing 3.7.8, but I checked that the same mistake in the code is in 5.0.55.
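
The effect described in the report, as an added example that is not part of the original ticket or the project's code: an in-memory SQLite database stands in for the real one, the rows are constructed, and the helper names (make_db, delete_user, orphaned_accounts) are hypothetical. It assumes em_accounts has the user_id column that the report's proposed condition implies, and it adds an audit query for accounts left without an owner.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the ticket.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE go_users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE em_accounts (id INTEGER PRIMARY KEY, user_id INTEGER, email TEXT);
        INSERT INTO go_users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO em_accounts VALUES
            (1, 1, 'alice@example.com'),
            (2, 1, 'alice.work@example.com'),
            (3, 2, 'bob@example.com');
    """)
    return db

def delete_user(db, column, user_id):
    """Mimic a user_delete handler keyed on `column`; return deleted account ids."""
    if column not in ("id", "user_id"):  # the two conditions compared in the ticket
        raise ValueError(column)
    doomed = [r[0] for r in db.execute(
        f"SELECT id FROM em_accounts WHERE {column} = ? ORDER BY id", (user_id,))]
    db.executemany("DELETE FROM em_accounts WHERE id = ?", [(a,) for a in doomed])
    db.execute("DELETE FROM go_users WHERE id = ?", (user_id,))
    return doomed

def remaining_accounts(db):
    return db.execute("SELECT id, user_id FROM em_accounts ORDER BY id").fetchall()

def orphaned_accounts(db):
    """Audit check: accounts whose owner no longer exists in go_users."""
    return [r[0] for r in db.execute(
        "SELECT a.id FROM em_accounts a LEFT JOIN go_users u ON u.id = a.user_id "
        "WHERE u.id IS NULL ORDER BY a.id")]

if __name__ == "__main__":
    for column in ("id", "user_id"):
        db = make_db()
        deleted = delete_user(db, column, 2)  # delete bob (go_users.id = 2)
        print(column, "deleted:", deleted, "left:", remaining_accounts(db),
              "orphans:", orphaned_accounts(db))
```

With the id condition, deleting user 2 removes another user's account 2 and leaves the deleted user's own account 3 behind, which the orphan query reports.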

Discussion

  • Michal Hampl - 2014-05-05

    Ah, I was studying the code of the recent version more thoroughly and found that the listeners system was updated in 4.1.X, so the wrong code, which is still there in 5.0.55, is probably not used. So please cancel this ticket or move it to the v3.x/v4.x group.

     
  • Merijn Schering - 2014-05-28
    • status: open --> closed
     
  • Merijn Schering - 2014-05-28

    This code is indeed no longer used. In 6.0 this code is also removed.

     

