- Notifications
You must be signed in to change notification settings - Fork1.1k
feat: push GetUsers authorization filter to SQL#8497
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Uh oh!
There was an error while loading.Please reload this page.
| users=append(users,user) | ||
| } | ||
| // Filter out deleted since they should never be returned.. | ||
| tmp:=make([]database.User,0,len(users)) | ||
| for_,user:=rangeusers { | ||
| if!user.Deleted { | ||
| tmp=append(tmp,user) | ||
| } | ||
| } | ||
| users=tmp | ||
| ifparams.Search!="" { | ||
| tmp:=make([]database.User,0,len(users)) | ||
| fori,user:=rangeusers { | ||
| ifstrings.Contains(strings.ToLower(user.Email),strings.ToLower(params.Search)) { | ||
| tmp=append(tmp,users[i]) | ||
| }elseifstrings.Contains(strings.ToLower(user.Username),strings.ToLower(params.Search)) { | ||
| tmp=append(tmp,users[i]) | ||
| } | ||
| } | ||
| users=tmp | ||
| } | ||
| iflen(params.Status)>0 { | ||
| usersFilteredByStatus:=make([]database.User,0,len(users)) | ||
| fori,user:=rangeusers { | ||
| ifslice.ContainsCompare(params.Status,user.Status,func(a,b database.UserStatus)bool { | ||
| returnstrings.EqualFold(string(a),string(b)) | ||
| }) { | ||
| usersFilteredByStatus=append(usersFilteredByStatus,users[i]) | ||
| } | ||
| } | ||
| users=usersFilteredByStatus | ||
| } | ||
| iflen(params.RbacRole)>0&&!slice.Contains(params.RbacRole,rbac.RoleMember()) { | ||
| usersFilteredByRole:=make([]database.User,0,len(users)) | ||
| fori,user:=rangeusers { | ||
| ifslice.OverlapCompare(params.RbacRole,user.RBACRoles,strings.EqualFold) { | ||
| usersFilteredByRole=append(usersFilteredByRole,users[i]) | ||
| } | ||
| } | ||
| users=usersFilteredByRole |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
All this is done by theGetUsers call
Uh oh!
There was an error while loading.Please reload this page.
johnstcn left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
You can argue that this is a refactor
Uh oh!
There was an error while loading.Please reload this page.
Prereq to#8447
What this does
This pushes the GetUsers authorization filter into SQL. So all authz checks are done by the SQL
WHEREclause.This is probably not a performance increase, but makes fetching users and the number of users correct if we change permissions.
In the current codebase we allow all users to read all other users. Because of this assumption,
GetUserswas lazy in how it handled user counts. If permissions were changed, this value would be inaccurate and leak the total number of users to a caller who does not have permission to know this value.Removes
GetAuthorizedUserCountandGetFilteredUserCountas it is no longer needed.