Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

AI OnAI Off

Duplicate users in CMS possible causing exception

Tim Schmelter
Tim Schmelter
Vote:
 

It seems to be possible to create duplicate users. We have 2 users which cause a 500 if you try to look at their user-profile(Admin>Search user/group>click):

System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentException: An item with the same key has already been added.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
   at System.Collections.Generic.Dictionary`2.System.Collections.IDictionary.Add(Object key, Object value)
   at EPiServer.Data.Serialization.Internal.CollectionHandler.CreateCollection(Type runtimeCollectionType, ArrayList keys, ArrayList values, LoadingContext context, Func`3 processItem)
   at EPiServer.Data.Serialization.Internal.CollectionHandler.CreateCollection(Type runtimeCollectionType, ArrayList keys, ArrayList values)
   at EPiServer.Data.Dynamic.Providers.Internal.DbDataStoreProvider.LoadCollection(ProviderCallContext context, PropertyMap propertyMap)
   at EPiServer.Data.Dynamic.Providers.Internal.DbDataStoreProvider.LoadReferencesAndCollections(ProviderCallContext ctx)
   at EPiServer.Data.Dynamic.Providers.Internal.DbDataStoreProvider.LoadObject(ProviderCallContext context)
   at EPiServer.Data.Providers.Internal.SqlDatabaseExecutor.<>c__DisplayClass31_0`1.<Execute>b__0()
   at EPiServer.Data.Providers.SqlTransientErrorsRetryPolicy.Execute[TResult](Func`1 method)
   at EPiServer.Data.Dynamic.DynamicDataStore.InternalLoad(Identity id, Type type, LoadAsObjectType loadAs, ProviderCallContext parentContext)
   at EPiServer.Data.Dynamic.Internal.EPiServerDynamicDataStore.Load[TResult](Identity id)
   at EPiServer.Data.Dynamic.Internal.DynamicDataCollection`1.DynamicDataCollectionEnumerator.get_Current()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
   at EPiServer.Shell.Profile.ProfileRepository.GetProfile(String userName)
   at EPiServer.UI.Edit.UserGuiSettings.LoadSettings(String userName, EPiServerProfile data)
   at EPiServer.UI.Edit.UserMembership.Init

I have tried to delete these users:

DELETE FROM  [dbo].[AspNetUsers]
WHERE Email in ('problem_email')

But the customer reported the same issue again after he re-created that user later.

What is causing this issue and how to prevent it? It's obvious that Epi tries to add a key twice to the dictionary, but what key and where is it stored?

#305287
Edited, Jul 17, 2023 8:08
Paul McGann (Netcel)
Paul McGann (Netcel)
Vote:
 

Hi Tim,

Could I ask which membership provider you are using? SQL, AspNetIdentity, AAD, etc?

Thanks

Paul

#305290
Jul 17, 2023 16:18
Tim Schmelter - Jul 17, 2023 18:18
We're using AspNet Identity with OpenIdConnect and ForgeRock. So the users are in the table AspNetUsers. It's working without issues since december 2021.

I thought it would be enough to delete them there with;
DELETE FROM AspNetUsers WHERE UserName = 'username'

Now i have used the sql profiler to see what Epi does when i delete a user. Maybe this should work?

DECLARE @username NVARCHAR(4000) = N'username';
exec netContentAclDeleteEntity @Name=@username,@IsRole=0
exec netPermissionDeleteMembership @Name=@username,@IsRole=0

DELETE [dbo].[AspNetUsers] WHERE LOWER(UserName)=@username

DELETE [dbo].[Profiles] WHERE UserId = (SELECT UserId FROM [dbo].[Users] WHERE LOWER(UserName)=@username)
DELETE [dbo].[Users] WHERE LOWER(UserName)=@username

DELETE FROM [dbo].[tblBigTableIdentity] WHERE PkId=(SELECT pkId FROM dbo.tblSystemBigTable WHERE LOWER(String01)=@username)
DELETE FROM [dbo].[tblSystemBigTable] WHERE LOWER(String01)=@username
Surjit Bharath
Surjit Bharath
Vote:
 

have you established if there's duplicate entries in the database?

Is the issue occuring for one of your users or all your users?

#305296
Jul 17, 2023 17:01
Tim Schmelter - Jul 17, 2023 18:20
There is no duplicate user(in AspNetUsers) but there is a duplicate key in an Epi dictionary if i call the user's profile page in CMS. So you cannot edit or delete these users(2 had the issue). So some´where the profile data is corrupt.
Surjit Bharath - Jul 19, 2023 20:18
Since forgerock is a federated authentication provider...by any chance has the customer registered twice through two different IDPs? I don't know what the key dictionary is using (I'm assuming its email or maybe a composite) but maybe that's what's knocking it out?
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.