Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-24699

update_user_record function does not specify mnethostid when updating the user table

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.9.8
    • Fix Version/s: 1.9.11, 2.0
    • Component/s: Authentication
    • Labels:
      None
    • Database:
      MySQL
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE

      Description

      Most of our users log in with external (Shibboleth) authentication. A lot of these queries show up in our MySQL slow query log.

      Count: 2  Time=1.00s (2s)  Lock=0.00s (0s)  Rows=0.0 (0), moodle[moodle]@localhost
       UPDATE mdl_user SET firstname = 'FIRST' WHERE username = 'user1@institution.edu'
       
      Count: 1  Time=1.00s (1s)  Lock=0.00s (0s)  Rows=0.0 (0), moodle[moodle]@localhost
       UPDATE mdl_user SET lastname = 'LAST' WHERE username = 'user2@institution.edu'
       
      Count: 1  Time=1.00s (1s)  Lock=0.00s (0s)  Rows=0.0 (0), moodle[moodle]@localhost
       UPDATE mdl_user SET email = 'user3@institution.edu' WHERE username = 'user3@institution.edu'
       
      Count: 2  Time=1.00s (2s)  Lock=0.00s (0s)  Rows=0.0 (0), moodle[moodle]@localhost
       UPDATE mdl_user SET institution = 'institution.edu' WHERE username = 'user4@institution.edu'
       
      Count: 1  Time=1.00s (1s)  Lock=0.00s (0s)  Rows=0.0 (0), moodle[moodle]@localhost
       UPDATE mdl_user SET idnumber = '123456789' WHERE username = 'user5@institution.edu'

      We tracked down these queries to a set_field function call in the update_user_record function in moodlelib.php. The user table has a unique key on the (mnethostid, username) pair but not on the username field alone. It also makes sense that (mnethostid, username) is unique and username is not, because users across different MNet sites can happen to have the same username. The set_field function call should have specified the mnethostid together with the username but it does not. Our site does not use MNet but if it did, the function call could have incorrectly updated records of more than one actual user.

      The same logic exists in the code we are using (1.9.8) as well as in MOODLE_19_WEEKLY and HEAD.

      Also, the update_user_record function updates multiple fields of a user record by calling the set_field function multiple time. They can be replaced with a single update_record function call.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Votes:
                  6 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    24/Nov/10