fix a potential race condition for pre-login and ext auth

hooks doing something like this: err = provider.updateUser(u) ... return provider.userExists(username) could be racy if another update happen before provider.userExists(username) also pass a pointer to updateUser so if the user is modified inside "validateUser" we can just return the modified user without do a new query
2025-12-07 06:40:54 +03:00 · 2021-01-05 09:50:22 +01:00
parent 72b2c83392
commit daac90c4e1
26 changed files with 167 additions and 163 deletions
--- a/httpd/api_user.go
+++ b/httpd/api_user.go
@@ -115,7 +115,7 @@ func addUser(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	err = dataprovider.AddUser(user)
+	err = dataprovider.AddUser(&user)
 	if err == nil {
 		user, err = dataprovider.UserExists(user.Username)
 		if err == nil {
@@ -181,7 +181,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "user ID in request body does not match user ID in path parameter", http.StatusBadRequest)
 		return
 	}
-	err = dataprovider.UpdateUser(user)
+	err = dataprovider.UpdateUser(&user)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 	} else {
@@ -204,7 +204,7 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
 	}
-	err = dataprovider.DeleteUser(user)
+	err = dataprovider.DeleteUser(&user)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", http.StatusInternalServerError)
 	} else {