  1. eZ Publish / Platform
  2. EZP-20434

PublicAPI : Deleting a User with an Image attribute, with no Image set, causes the installation root to be recursively removed

    Details

    • Sprint:
      Stetind Sprint 6

      Description

      Through the Public API, removing a User object with an empty (no value) Image attribute will trigger a recursive delete on the installation root.

      1. Removing the User triggers a delete operation on all its attributes.
      2. The Image attribute will trigger a file-system delete on its stored image data.
      3. LocalFileService::remove will receive a blank string "" from the ImageStore::deleteFieldData method.
      4. LocalFileService::remove will in turn use LocalFileService::getFullPath to turn that into an absolute path, relative to the installation root. This absolute path, since it's being built out of <installation root> + <nothing>, is simply an absolute path to the installation root.
      5. Since the $recursive argument is true, this will cause a recursive delete on the entire installation root.

        Activity

        Filipe Dobreira (Inactive) added a comment - - edited

        Proposed fix: https://github.com/ezsystems/ezpublish-kernel/pull/222

        My PR is a bit of a heavy-handed solution that may not be ideal (although maybe explicitly requiring at least a ./ as an argument may not be such a bad idea). Another solution would be to individually secure all the services that talk to LocalFileService::remove and make sure that they don't try to act on nothing-ness.

        André Rømcke added a comment - Merged in https://github.com/ezsystems/ezpublish-kernel/commit/1218b113709fe44c54022f91400c741c71cbd189
        Marcos Loureiro (Inactive) added a comment -

        The recursive removal of the root is fixed, but now every time we want to delete a user without an image we get the exception, so there is no way to delete it.

        I've found that when we do:
        -> create a user via the public API, setting only the minimum fields (first_name, last_name, email, username, password)
        -> open the newly created user in admin2 (with details opened)

        we get the error in the attachment: create_user_error.png

        This error refers to an image alias that might be the problem.

        André Rømcke added a comment -

        Proposed PR for fixing the code that tries to delete binary files with empty paths:
        https://github.com/ezsystems/ezpublish-kernel/pull/239

        André Rømcke added a comment - Merged in https://github.com/ezsystems/ezpublish-kernel/commit/1529329beb173475538d68b8b9ce1ad64ae52f38
        Marcos Loureiro (Inactive) added a comment -

        QA Approved
        ( tc-1512 )

        However, the referenced problem with the creation of a user is at:
        https://jira.ez.no/browse/EZP-20499

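The failure described in steps 3 to 5 of the description, next to a guard at the path-resolution layer, as an added PHP example that is not the kernel's code or either merged fix. `DemoFileService`, its method names and the root `/var/www/ezpublish` are hypothetical; nothing is deleted, only the path a delete would target is printed.

```php
<?php
// Added illustration; class, method names and root path are hypothetical.
final class DemoFileService
{
    private string $root;

    public function __construct(string $root)
    {
        $this->root = rtrim($root, '/');
    }

    // Naive resolution as in step 4: <root> + "" is the root itself.
    public function naiveFullPath(string $path): string
    {
        return rtrim($this->root . '/' . $path, '/');
    }

    // Guarded resolution: the result must name an entry strictly below the root.
    public function safeFullPath(string $path): string
    {
        $parts = [];
        foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
            if ($seg === '' || $seg === '.') {
                continue; // empty and "." segments add nothing to the path
            }
            if ($seg === '..') {
                throw new InvalidArgumentException("Path escapes storage root: '$path'");
            }
            $parts[] = $seg;
        }
        if ($parts === []) {
            // "", "/", "./" and similar all collapse to the root: refuse them.
            throw new InvalidArgumentException('Refusing to operate on the storage root');
        }
        return $this->root . '/' . implode('/', $parts);
    }
}

// Constructed sample inputs; the empty string is the value from step 3.
$svc = new DemoFileService('/var/www/ezpublish');
foreach (['', './', 'var/storage/images/user/1.png', '../etc'] as $input) {
    try {
        $safe = $svc->safeFullPath($input);
    } catch (InvalidArgumentException $e) {
        $safe = 'REJECTED: ' . $e->getMessage();
    }
    printf("%-34s naive=%-52s safe=%s\n", var_export($input, true), $svc->naiveFullPath($input), $safe);
}
```

A guard like this at the lowest layer fails closed for every caller, which is why callers that legitimately hold no file, such as a field with no image, still need their own check to skip the delete instead of raising.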

          People

          • Assignee:
            Unassigned
            Reporter:
            Filipe Dobreira (Inactive)
          • Votes:
            0
            Watchers:
            3

              Time Tracking

              Estimated:
              Original Estimate - 4 hours
              Remaining:
              Remaining Estimate - 0 minutes
              Logged:
              Time Spent - 1 day, 5 hours, 17 minutes