Bug #38243 Not Handling non existing user when calling AddUsersToRoles method
Submitted: 19 Jul 2008 22:23 Modified: 25 Jul 2008 9:25
Reporter: Marouane BOUZOUBAA Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / NET Severity:S3 (Non-critical)
Version:5.2.2 OS:Any
Assigned to: CPU Architecture:Any
Tags: Membership Provider, Role Provider

[19 Jul 2008 22:23] Marouane BOUZOUBAA
Description:
the method AddUsersToRoles tests for valid roles and checks for whether the user in in role but does not throw an exception when the user is not a membership. this is because the method:
int roleId = GetRoleId(connection, rolename);

converts null to int as 0, meaning that the userId end up being 0.

an invalid row is inserted after that.

How to repeat:
call AddUsersToRoles method with an invalid user and a valid role.

Suggested fix:
i fixed it by adding a test on the userId :

                            int userId = GetUserId(connection, username);
                            if (userId == 0)
                            {
            throw new ProviderException(Resources.UsernameNotFound);
                            }
[21 Jul 2008 21:45] Reggie Burnett
This one is verified but not in the way the user thinks.  The provider should not throw an exception but should silently create the user if it doesn't exist.  Note that a user record is not the same thing as a membership record.
[21 Jul 2008 21:48] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50148
[21 Jul 2008 21:48] Reggie Burnett
Fixed in 5.2.3
[25 Jul 2008 9:25] Tony Bedford
An entry was added to the 5.2.3 changelog:

The provider did not silently create the user if the user did not exist.