[M-3] deleteUser audit-log record fires after commit

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 3 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AdminUserController.php:1004

Bug: Exception between commit and audit call would leave a deletion with no audit row.

Fix: Move AuditLog::record inside the try block, before commit.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:45pm

Resolved.

Moved AuditLog::record('admin.user_deleted', ...) inside the try block, before $this->db->commit() (src/Controllers/AdminUserController.php). A deleted user now always has a matching audit row — if anything throws between the DELETE and the audit, the whole transaction rolls back.

Locking this thread.

Related Discussions

[M-19] rotateSessionRecord default TTL differs from AuthMiddleware
Security Issues · 0 replies · 0 views
[H-7] HMAC payload shape differs between record() and verifyChain()
Security Issues · 0 replies · 1 views
[H-8] Audit chain integrity broken under concurrent record() calls
Security Issues · 0 replies · 0 views
Fires on the bench: prevention and response
Bench Safety · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy