2amigos / yii2-usuario

Highly customizable and extensible user management, authentication, and authorization Yii2 extension
https://github.com/2amigos/yii2-usuario

Auth assignment is not removed when user is deleted #126

Open Eseperio opened 6 years ago

Eseperio commented 6 years ago

What steps will reproduce the problem?

Create a user, assign a role or permission. Then delete that user.

What is the expected result?

Auth assignments should be removed.

What do you get instead?

Auth assignments stay in the db. If the users table is replaced with new data, users will inherit all users' permissions.

kartik-v commented 6 years ago

The foreign key constraint of all related tables to the user table tbl_user with ON DELETE CASCADE configuration can be a solution to mitigate the above.

tonydspaniard commented 6 years ago

Agreed with @kartik-v, any help?

kartik-v commented 6 years ago

The fix could be to add these foreign key ON DELETE CASCADE constraints in the yii2-usuario migration scripts via ALTER TABLE commands. Currently the documentation suggests to use yii2 default rbac migration at yii/rbac/migrations... this may need to change and the rbac database creation scripts may need to be included within the yii2-usuario migrations here... and the dependency on yii/rbac/migrations can be removed.

Having said that ... not sure why a foreign key constraint for assignmentTable has not been added in yii/rbac/migrations source in the first place - then the integrity check would have been maintained then and there (irrespective of whether the ON DELETE CASCADE constraint exists or not). But I realised that the user module and user table are not a part of core yii framework or its core rbac migration script and hence the constraint is not included.

If we need to retain yii\rbac\migrations.. maybe a third migration script that could be run after the rbac migration script to alter the auth_assignment table and incorporate the foreign key constraint would be useful - or you need to ensure that yii\rbac\migrations is run before the yii2-usuario migrations.

tsdogs commented 6 years ago

I understand that creating the foreign key would solve the problem, though in this case I'd implement the part that simply deletes the assignments when the User model is deleted in the afterDelete() event.

maxxer commented 6 years ago

I'd go for the afterDelete solution too...

TerraSkye commented 6 years ago

I'd agree with @kartik-v, it will be resolved with 1 delete query. Else you will have multiple and have to make sure everything works as expected.
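
Added example, not part of the thread or of yii2-usuario: a Python/SQLite model of the behaviour reported above, with an audit query for orphaned assignments and both fixes proposed in the discussion (the ON DELETE CASCADE foreign key and explicit cleanup when the user is deleted). The `user` table name and the reduced column set are assumptions modelled on the `auth_assignment` table named in the thread.

```python
import sqlite3

def make_db(with_fk: bool) -> sqlite3.Connection:
    """In-memory schema; table/column names are assumed, modelled on Yii's RBAC tables."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    fk = ", FOREIGN KEY (user_id) REFERENCES user(id) ON DELETE CASCADE" if with_fk else ""
    db.executescript(f"""
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
        CREATE TABLE auth_assignment (
            item_name TEXT NOT NULL,
            user_id   INTEGER NOT NULL,
            PRIMARY KEY (item_name, user_id){fk}
        );
    """)
    return db

def orphaned_assignments(db):
    """Audit query: assignments whose user_id no longer matches any user row."""
    return db.execute("""
        SELECT a.user_id, a.item_name FROM auth_assignment a
        LEFT JOIN user u ON u.id = a.user_id
        WHERE u.id IS NULL ORDER BY a.user_id, a.item_name
    """).fetchall()

def roles_of(db, user_id):
    rows = db.execute(
        "SELECT item_name FROM auth_assignment WHERE user_id = ? ORDER BY item_name",
        (user_id,))
    return [r[0] for r in rows]

def delete_then_reuse_id(db, revoke_on_delete=False):
    """Delete user 1 (constructed sample data), then load a new account under the same id."""
    db.execute("INSERT INTO user VALUES (1, 'alice')")
    db.execute("INSERT INTO auth_assignment VALUES ('admin', 1)")
    if revoke_on_delete:  # afterDelete()-style fix: the application cleans up itself
        db.execute("DELETE FROM auth_assignment WHERE user_id = 1")
    db.execute("DELETE FROM user WHERE id = 1")
    orphans = orphaned_assignments(db)
    db.execute("INSERT INTO user VALUES (1, 'bob')")  # users table refilled with new data
    return orphans, roles_of(db, 1)

if __name__ == "__main__":
    cases = [("no cleanup", False, False), ("FK cascade", True, False),
             ("explicit revoke", False, True)]
    for label, fk, revoke in cases:
        print(label, delete_then_reuse_id(make_db(fk), revoke))
```

The same `LEFT JOIN` audit can be run against an existing database to find assignments left behind by earlier deletions before either fix is deployed.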