Creates Backend for Merging User Accounts #117
Conversation
| } | ||
| } | ||
| numAuditLogsCreated = len(auditLogsToCreate) | ||
|
|
There was a problem hiding this comment.
Option I'm considering: we could do a lookup (by owner + by user) of each of the entity groups just transferred to ensure they're no longer present (similar to what I did at the end of the TXN to transfer audit log ownership). I'd like to hear your thoughts on whether that's a good idea - particularly because the db.DeleteUser call will then delete these elements if they don't transfer.
cmd/server/pactasrv/admin.go
Outdated
| // Note we do an audit log transfer FIRST so that we don't transfer the audit logs generated from the transfer itself. | ||
| nal, err := s.DB.TransferAuditLogOwnership(tx, sourceUID, destUID, sourceOwner, destOwner) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to transfer audit log ownership: %w", err) | ||
| } | ||
| numAuditLogs = nal |
There was a problem hiding this comment.
I'd consider not moving existing audit logs, it seems tricky and error-prone, and breaks the idea that audit logs are "write-only".
If it's important to show the merged user info in the UI for this stuff, I'd record merges in a separate table (also without FKCs), and then just do that mapping when users look at the audit logs. A bit more work on the read-side, but it's a straightforward mapping and it removes a bunch of nuance around audit logs.
Instead of a separate table, you could use the TRANSFER_OWNERSHIP logs to get the same info, though that make audit logs "load-bearing"
There was a problem hiding this comment.
I generally agree that editing audit logs is an unstable paradigm.
I think what you propose is also dangerous however, because it introduces much less stable semantics around how audit logs can be accessed and retrieved, which are also an important security end. My thought with doing the data modification in place is that we only have to navigate the complexity of "who should get access to what" at exactly one juncture, and then afterwards queries and reads and creates all need no modification.
I agree using TRANSFER_OWNERSHIP logs is a nightmare which we don't want to descend into.
Not sure how to resolve/move forward on this one.
Discussed this offline and was sufficently convinced that it's important for us to never edit these. Added some new mechanisms for recursively expanding the set of users used for a query, which will allow audit logs that reference via queries old entities to be visible post-merge. |
User Merge is apparently a frequent support flow, and required some delicate thinking around audit logs. This PR implements the backend for it.
Additional changes:
TRANSFER_OWNERSHIPDeleteOwnerDB methodDeleteUserto do the recursive deletion of their owned assets + return blobURIs/delete-userto delete the downstream blobs.