change order for access control checks and aquire account lock after global lock

2026-04-18 16:26:38 +00:00 · 2023-03-31 12:03:53 +02:00
parent 32c96c15b8
commit 110067c00f
2 changed files with 23 additions and 14 deletions
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1126,7 +1126,6 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
 // MarkPATUsed marks a personal access token as used
 func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
 	unlock := am.Store.AcquireGlobalLock()
-	defer unlock()

 	user, err := am.Store.GetUserByTokenID(tokenID)
 	if err != nil {
@@ -1138,6 +1137,15 @@ func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
 		return err
 	}

+	unlock()
+	unlock = am.Store.AcquireAccountLock(account.Id)
+	defer unlock()
+
+	account, err = am.Store.GetAccountByUser(user.Id)
+	if err != nil {
+		return err
+	}
+
 	pat, ok := account.Users[user.Id].PATs[tokenID]
 	if !ok {
 		return fmt.Errorf("token not found")