Purchase request not updated on user merge


Well-known member
Affected version
When a user is merged, xf_purchase_request.user_id doesn't appear to be updated when updating various records linking to that user.

So if a user starts a user upgrade, and the merge occurs before site callback; the user upgrade will get into a failed state as the user the upgrade applies to no longer exists (or partially exists depending on timings).

There is a ContentChange::$updates which is a list of tables to be updated during a change, but this appears vulnerable to a race condition since it needs to incrementally work table-by-table.

So it is possible for an old record to be read, and then the rows to be updated resulting in lost updates. This is most likely to be seen with alerts on a highly active site, but the impact on a user-upgrade going missing when dealing with money is the most significant impact.
Last edited:
Top Bottom