betadots / hdm

The Hiera Data Manager (HDM) is a Web UI to visualize Hiera data and make it searchable!
GNU Affero General Public License v3.0

After an update of the HDM container, a user logs in via LDAP and sees another username in the top right corner #292

Open tuxmea opened 9 months ago

tuxmea commented 9 months ago

sqlite DB:

sqlite> select * from users;
1|FOO|BAR|foo@bar|$2a$12$svvJVM.q4gwYpieurhfghß807z40ghbpiiq74r80gpb|2024-02-01 09:21:06.683785|2024-02-01 09:21:06.683785|admin
2|FOO2|BAR2|FOO2@BAR2||2024-02-01 09:23:11.898160|2024-02-01 09:23:11.898160|regular
3|FOO3|BAR3|FOO3@BAR3||2024-02-02 21:09:12.507811|2024-02-02 21:09:12.507811|regular

User FOO3 logs in and sees account data from user FOO2.

After logout and new log in user FOO3 sees his own account.

Seems to be related to HDM update as no other changes were done.

oneiros commented 9 months ago

There is only one scenario I can think of where this could happen. Is it possible that the update wiped the database?

Even in the case of LDAP users we save user records to the database. And the user session is bound to the database id of the user.

So the following could happen: User FOO3 signs in and gets the database ID 2. An update is installed that wipes the database. FOO2 signs in and gets the database ID 2 in the newly created database. User FOO3's session is still valid, so no new sign-in is necessary. HDM now thinks FOO3 is FOO2.
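The mechanism described in the comment above, replayed as an added example. This is not HDM code: it is written in Ruby (the language HDM itself is written in) against a tiny in-memory stand-in for the `users` table, with hypothetical helpers `UserTable`, `sign_in`, `current_user_by_id` and `current_user_checked`. It shows why a session that carries only the auto-increment database id is attributed to the wrong account once the table is recreated, and one way to detect that on the next request: keep the login name and a per-record random token in the session alongside the id, and reject the session if either no longer matches.

```ruby
# Added example, not part of HDM. Simulates the "database wiped, ids reused"
# confusion from the issue and a lookup that refuses a stale session.
require 'securerandom'

# Minimal stand-in for a users table with an auto-increment primary key.
class UserTable
  attr_reader :rows

  def initialize
    @rows = {}
    @next_id = 1
  end

  # Create-or-find a record by login name, the way an LDAP-backed app
  # persists users on first sign-in. Each new record gets a random token.
  def find_or_create(login)
    existing = @rows.values.find { |r| r[:login] == login }
    return existing if existing

    row = { id: @next_id, login: login, session_token: SecureRandom.hex(16) }
    @rows[row[:id]] = row
    @next_id += 1
    row
  end

  def by_id(id)
    @rows[id]
  end

  # Simulates an update that recreates the database from scratch:
  # all rows are gone and the id sequence restarts at 1.
  def wipe!
    @rows.clear
    @next_id = 1
  end
end

# Stores the user's id, login and per-record token in the session hash.
def sign_in(session, db, login)
  row = db.find_or_create(login)
  session[:user_id] = row[:id]
  session[:login] = row[:login]
  session[:session_token] = row[:session_token]
  row
end

# Vulnerable pattern: the session is trusted on the numeric id alone.
def current_user_by_id(session, db)
  db.by_id(session[:user_id])
end

# Hardened pattern: id, login and token must all still match the row;
# returning nil tells the caller to drop the session and force a sign-in.
def current_user_checked(session, db)
  row = db.by_id(session[:user_id])
  return nil unless row
  return nil unless row[:login] == session[:login]
  return nil unless row[:session_token] == session[:session_token]

  row
end

# Replays the scenario from the comment. Returns [naive_login, checked_login]:
# which account each lookup attributes FOO3's old session to after the wipe.
def replay_scenario
  db = UserTable.new
  db.find_or_create('FOO')          # admin account, id 1
  foo3_session = {}
  sign_in(foo3_session, db, 'FOO3') # FOO3 gets id 2 before the update

  db.wipe!                          # container update recreates the DB
  db.find_or_create('FOO')          # admin recreated as id 1
  db.find_or_create('FOO2')         # FOO2 signs in first and gets id 2

  naive = current_user_by_id(foo3_session, db)     # id 2 is now FOO2
  checked = current_user_checked(foo3_session, db) # login/token mismatch
  [naive && naive[:login], checked && checked[:login]]
end

if __FILE__ == $PROGRAM_NAME
  p replay_scenario # => ["FOO2", nil]
end
```

The login-name check alone would already catch this particular case; the per-record token is there so that a record recreated under the same login (for example after the same wipe) also invalidates every session issued against the old record, which is the behaviour you want when the database underneath a running session has been replaced.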

tuxmea commented 9 months ago

TODO: check with customer if the DB is inside the container or outside of the container.