Actions
Patch #43668
open
Serialize address limit checks during email_addresses#create
Status:
New
Priority:
Normal
Assignee:
-
Category:
Database
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Description
Admins can define a maximum number of additional email addresses for a user.
However, email_addresses#create is prone to race conditions when checking this limit. If there are many parallel requests to create email addresses for a user, the user may be able to create more than allowed since the check may happen before the other addresses are created.
The attached patch fixes this by ensuring that the check and the subsequent address creation happen serially by explicitly locking the connected user in a transaction. The code is a bit manual as we can't use with_lock or lock! here, given that the User model overwrites the lock! method with unrelated functionality.
Files
No data to display
Actions