identities leak

[driici]

Today I came accross issue, when there were problem in postgres database:

Newly created user on roundcube should have same ID as allready created one (my own problem with wrongly configured sequence). Since no new user record can be created, error was logged, but I was unable to send email (failed authentication agains mail server). So far so good. But in Settings->Profiles (/?_task=settings&_action=identities) they`re were visible identities of other users, not only mine created.

DETAIL: Key (user_id)=(1476) already exists. (SQL Query: INSERT INTO "users" (" created", "last_login", "username", "mail_host", "language") VALUES (now(), now( ), '[email protected]', 'mailboy.xxx.cz', 'cs_CZ')) in /opt/roundcube /program/lib/Roundcube/rcube_db.php on line 543 (POST /?_task=login&_action=logi n)

Issue was resolved by manually altering sequence number. But Roundcube should not allow user to log-in if no user data can be correctly inserted into database.

[alecpl]

Looks like checking insert ID might not be enough here https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_user.php#L634. We have to use affected_rows() or is_error().

[hebbet]

looks like there is a = missing in that line, too.

[alecpl]

Fixed.