Bug #52142 Deleting an MEM user doesn't prevent them from using an existing session
Submitted: 17 Mar 2010 14:46 Modified: 27 May 2010 13:13
Reporter: MC Brown
Status: Closed
Category: MySQL Enterprise Monitor: Web Severity: S3 (Non-critical)
Version: 2.2.0.1709 OS: Any
Assigned to: Josh Sled CPU Architecture: Any

[17 Mar 2010 14:46] MC Brown
Description:
If you create a user with rights to access the dashboard, let the user log in, and then delete the user while that person is still logged in, they can continue to access MEM even though the user no longer exists.

How to repeat:
1. Create a new user with access to MEM dashboard

2. Log in with that user in another browser/session.

3. Delete the user from MEM.

4. Continue to browse around as the now deleted, non-existent user. You can even continue to browse queries in QA.

Suggested fix:
Once a user has been deleted, any further access by that user should be prevented. 

From a security point of view, if I've deleted a user from the system, I expect their access to be immediately revoked.
[27 Apr 2010 9:38] Sveta Smirnova
Thank you for the report.

Verified as described, although this behavior is the same as the server's, so it can be considered not a bug.
[27 Apr 2010 9:39] Sveta Smirnova
If it is considered not a bug, it would be good to have it documented in the MEM user manual.
[10 May 2010 16:11] Kevin Benton
Documented or not, it's a security flaw.  User permissions are stored in the server and deleting a user should immediately prevent the user from being able to do anything else whether or not that user has a session open.  Not doing that increases security risk.  A user with malicious intent that is deleted can still keep on messing things up.

The same is true in mysqld - any change to permissions should automatically flush any permissions cache and force any existing sessions to re-establish permissions immediately.

kbcmdba
[19 May 2010 19:03] Enterprise Tools JIRA Robot
Josh Sled writes: 
revno: 8081
revision-id: josh.sled@oracle.com-20100519190214-tsc6vx441mo5f92a
parent: josh.sled@oracle.com-20100519180823-ilayr4dvb5vnpj2w
committer: Josh Sled <josh.sled@oracle.com>
branch nick: 2.2
timestamp: Wed 2010-05-19 15:02:14 -0400
message:
  EM-4194: if the (db) user technically exists but is not active because they have been "deleted", treat that as the user not existing
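The reported behaviour and the EM-4194 fix side by side, as an added Python example that is not MEM's own code: the user record carries an assumed soft-delete `active` flag, the buggy path trusts the session alone, the fixed path re-validates the user on every request, and `revoke_sessions` is the immediate-revocation step the earlier comments ask for.

```python
"""Stale sessions after user deletion: session-only check vs. per-request re-check."""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    active: bool = True  # assumed soft-delete flag; cleared by delete_user()


class AuthService:
    def __init__(self):
        self.users = {}     # user_id -> User
        self.sessions = {}  # session token -> user_id

    def create_user(self, user_id, name):
        self.users[user_id] = User(user_id, name)

    def login(self, user_id):
        # Issue an unguessable session token bound to the user.
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def delete_user(self, user_id):
        # Soft delete only: the row "technically exists but is not active",
        # which is the state the bug report describes.
        self.users[user_id].active = False

    def revoke_sessions(self, user_id):
        # Defense in depth: drop every live session owned by the user so
        # even a session-only check stops accepting the token.
        self.sessions = {t: u for t, u in self.sessions.items() if u != user_id}

    def authorize_buggy(self, token):
        # Reported behaviour: a valid session is enough, the user row is
        # never consulted again, so a deleted user keeps browsing.
        return token in self.sessions

    def authorize_fixed(self, token):
        # Fix: look the user up on every request and treat a missing or
        # inactive record as the user not existing.
        user = self.users.get(self.sessions.get(token))
        return user is not None and user.active
```

Run `authorize_fixed` (or an equivalent lookup) in the request filter rather than only at login, and call `revoke_sessions` from the delete path so the two controls back each other up.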
[24 May 2010 16:46] Enterprise Tools JIRA Robot
Andy Bang writes: 
In build 2.2.1.1721.
[24 May 2010 17:41] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in Monitor build 2.2.1.1721.
[27 May 2010 13:13] MC Brown
A note has been added to the 2.2.1 changelog: 

        Deleting a user while the user is currently logged in and
        using &merlin_client; would not prevent the user from
        continuing to use the &merlin_client;, even though the user no
        longer existed in the system.