Actions
Patch #43668
closed
Serialize address limit checks during email_addresses#create
Description
Admins can define a maximum number of additional email addresses for a user.
However, email_addresses#create is prone to race conditions when checking this limit. If there are many parallel requests to create email addresses for a user, the user may be able to create more than allowed since the check may happen before the other addresses are created.
The attached patch fixes this by ensuring that the check and the subsequent address creation happen serially by explicitly locking the connected user in a transaction. The code is a bit manual as we can't use with_lock or lock! here, given that the User model overwrites the lock! method with unrelated functionality.
Files
Updated by 
Updated by
Actions