marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions 4 Packages Projects Releases Wiki Activity

bug(user): UserDataInitializer blind-INSERTs Administrators group; fails on retry (HIGH, prod-blocking) #518

New Issue
Closed
opened 2026-05-11 17:25:37 +02:00 by marcel · 0 comments
marcel commented 2026-05-11 17:25:37 +02:00
Owner
Copy Link

Summary

UserDataInitializer.initAdminUser does a blind groupRepository.save(adminGroup) for Administrators. If a previous boot got partway through the seed (created the group but failed the admin user, OR seeded an admin with a different email that later got cleaned up while leaving the group), the next boot violates the unique constraint user_groups_name_key on name and the application context fails to load.

This is exactly the recovery path operators take to fix a misconfigured admin (delete the bad user, restart, expect re-seed). The recovery path is currently a foot-gun.

Code

// UserDataInitializer.java:50-54
UserGroup adminGroup = UserGroup.builder()
        .name("Administrators")
        .permissions(Set.of("ADMIN", ...))
        .build();
groupRepository.save(adminGroup);   // blind INSERT

The same file already uses findByName(...).orElseGet(...) correctly in initE2EData for the "Leser" group.

Reproduction (just observed on staging)

  1. Boot with the wrong admin email — group + user get created.
  2. Operator fixes APP_ADMIN_USERNAME, deletes the orphan user + group via psql, restarts.
  3. Boot retries: findByEmail(newEmail).isEmpty() == true → proceeds to seed → groupRepository.save(new UserGroup("Administrators"))ERROR: duplicate key value violates unique constraint "user_groups_name_key".

(In our case the orphan group was on the previous boot's seed — the row had to be manually DELETEd from user_groups, group_permissions, and app_users_groups to unblock.)

Impact

  • 🔴 Production blocker. Any failed-then-retried admin seed (network blip, profile-check throw, env-var fix) leaves the backend unable to start until a DB admin manually wipes the group.
  • 🟡 Staging recovery friction. Just blocked us live during the #497 first deploy.

Fix

UserGroup adminGroup = groupRepository.findByName("Administrators").orElseGet(() ->
    groupRepository.save(UserGroup.builder()
            .name("Administrators")
            .permissions(Set.of("ADMIN", "READ_ALL", "WRITE_ALL", "ANNOTATE_ALL",
                                "ADMIN_USER", "ADMIN_TAG", "ADMIN_PERMISSION"))
            .build()));

Plus a test in AdminSeedFailClosedTest (or a new test file) that pins this idempotency: given a pre-existing Administrators group, a fresh admin seed must succeed and use that group, not throw.

Discovered

While retrying the staging seed after #513 + #514 + #515 + #517 landed — initial boot had seeded the wrong admin, and the post-fix boot retried into the constraint.

## Summary `UserDataInitializer.initAdminUser` does a blind `groupRepository.save(adminGroup)` for `Administrators`. If a previous boot got partway through the seed (created the group but failed the admin user, OR seeded an admin with a different email that later got cleaned up while leaving the group), the next boot violates the unique constraint `user_groups_name_key` on `name` and the application context fails to load. This is exactly the recovery path operators take to fix a misconfigured admin (delete the bad user, restart, expect re-seed). The recovery path is currently a foot-gun. ## Code ```java // UserDataInitializer.java:50-54 UserGroup adminGroup = UserGroup.builder() .name("Administrators") .permissions(Set.of("ADMIN", ...)) .build(); groupRepository.save(adminGroup); // blind INSERT ``` The same file already uses `findByName(...).orElseGet(...)` correctly in `initE2EData` for the "Leser" group. ## Reproduction (just observed on staging) 1. Boot with the wrong admin email — group + user get created. 2. Operator fixes APP_ADMIN_USERNAME, deletes the orphan user + group via psql, restarts. 3. Boot retries: `findByEmail(newEmail).isEmpty() == true` → proceeds to seed → `groupRepository.save(new UserGroup("Administrators"))` → `ERROR: duplicate key value violates unique constraint "user_groups_name_key"`. (In our case the orphan group was on the previous boot's seed — the row had to be manually DELETEd from `user_groups`, `group_permissions`, and `app_users_groups` to unblock.) ## Impact - **🔴 Production blocker.** Any failed-then-retried admin seed (network blip, profile-check throw, env-var fix) leaves the backend unable to start until a DB admin manually wipes the group. - **🟡 Staging recovery friction.** Just blocked us live during the #497 first deploy. ## Fix ```java UserGroup adminGroup = groupRepository.findByName("Administrators").orElseGet(() -> groupRepository.save(UserGroup.builder() .name("Administrators") .permissions(Set.of("ADMIN", "READ_ALL", "WRITE_ALL", "ANNOTATE_ALL", "ADMIN_USER", "ADMIN_TAG", "ADMIN_PERMISSION")) .build())); ``` Plus a test in `AdminSeedFailClosedTest` (or a new test file) that pins this idempotency: given a pre-existing Administrators group, a fresh admin seed must succeed and *use* that group, not throw. ## Discovered While retrying the staging seed after #513 + #514 + #515 + #517 landed — initial boot had seeded the wrong admin, and the post-fix boot retried into the constraint.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#518
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?