
fix: improve _is_user_object_admin query performance #6537

Merged
gagantrivedi merged 1 commit into main from fix/permission-check-query-performance
Jan 19, 2026

Conversation

@gagantrivedi
Member

@gagantrivedi gagantrivedi commented Jan 16, 2026

Thanks for submitting a PR! Please check the boxes below:

  • I have read the Contributing Guide.
  • I have added information to docs/ if required so people know about the feature.
  • I have filled in the "Changes" section below.
  • I have filled in the "How did you test this code" section below.

Changes

The original _is_user_object_admin() implementation used a single combined query with OR conditions across user, group, and role permissions. This caused the Django ORM to generate LEFT OUTER JOINs, resulting in a Cartesian product explosion and slow queries on large datasets.

Replace with separate queries using early returns:

  1. Organisation membership check (security + fast fail)
  2. Direct user permission check
  3. Group permission check
  4. Role permission check (RBAC, if enabled)

How did you test this code?

  • Added tests for early exit behaviour with expected query counts
  • Manually verified that the generated SQL ran under a millisecond on the production database
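The following is an added example, not Flagsmith's code, that models the before/after query shapes described in this PR on an in-memory SQLite database. The table and column names (org_member, user_perm, group_member, group_perm, user_role, role_perm) and the fixture users are constructed for the demonstration; they are not the project's schema. It shows why one OR-combined query over LEFT OUTER JOINs materialises groups × roles rows per user, and how four bounded inner-join queries with early returns avoid that and also refuse non-members before touching any permission table.

```python
"""Before/after shapes of an object-admin check (added example, constructed schema)."""
import sqlite3

# Constructed stand-in schema; not the project's real tables.
SCHEMA = """
CREATE TABLE org_member   (user_id INT, org_id INT);
CREATE TABLE user_perm    (user_id INT, object_id INT, admin INT);
CREATE TABLE group_member (user_id INT, group_id INT);
CREATE TABLE group_perm   (group_id INT, object_id INT, admin INT);
CREATE TABLE user_role    (user_id INT, role_id INT);
CREATE TABLE role_perm    (role_id INT, object_id INT, admin INT);
"""


def build_db():
    """Constructed fixture: object 7 belongs to organisation 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # user 1: org member, direct admin on object 7, and in 50 groups / 40 roles
    conn.execute("INSERT INTO org_member VALUES (1, 1)")
    conn.execute("INSERT INTO user_perm VALUES (1, 7, 1)")
    conn.executemany("INSERT INTO group_member VALUES (1, ?)", [(g,) for g in range(50)])
    conn.executemany("INSERT INTO user_role VALUES (1, ?)", [(r,) for r in range(40)])
    # user 2: org member, admin only through group 3
    conn.execute("INSERT INTO org_member VALUES (2, 1)")
    conn.execute("INSERT INTO group_member VALUES (2, 3)")
    conn.execute("INSERT INTO group_perm VALUES (3, 7, 1)")
    # user 3: org member with no permissions at all
    conn.execute("INSERT INTO org_member VALUES (3, 1)")
    # user 4: NOT an org member, but a stale direct-admin row still exists
    conn.execute("INSERT INTO user_perm VALUES (4, 7, 1)")
    conn.commit()
    return conn


# "Before": one query, every permission source LEFT-joined, filtered with OR.
COMBINED_JOIN = """
SELECT COUNT(*)
FROM org_member om
LEFT JOIN user_perm    up ON up.user_id = om.user_id AND up.object_id = :obj
LEFT JOIN group_member gm ON gm.user_id = om.user_id
LEFT JOIN group_perm   gp ON gp.group_id = gm.group_id AND gp.object_id = :obj
LEFT JOIN user_role    ur ON ur.user_id = om.user_id
LEFT JOIN role_perm    rp ON rp.role_id = ur.role_id AND rp.object_id = :obj
WHERE om.user_id = :uid AND om.org_id = :org
"""


def combined_join_rows(conn, user_id, object_id, org_id=1):
    """Rows the combined query materialises before the OR filter runs:
    one per (group, role) pair, i.e. groups x roles for the user."""
    params = {"uid": user_id, "obj": object_id, "org": org_id}
    return conn.execute(COMBINED_JOIN, params).fetchone()[0]


# "After": four bounded queries with early returns (LIMIT 1 mirrors .exists()).
def is_user_object_admin(conn, user_id, object_id, org_id=1, rbac_enabled=True):
    """Return (is_admin, queries_run). Each step is an inner-join existence
    check, so no NULL-padded rows are produced and the first hit returns."""
    queries = 0
    params = {"uid": user_id, "obj": object_id, "org": org_id}

    def exists(sql):
        nonlocal queries
        queries += 1
        return conn.execute(sql, params).fetchone() is not None

    # 1. organisation membership: non-members fail fast, stale rows or not
    if not exists("SELECT 1 FROM org_member WHERE user_id=:uid AND org_id=:org LIMIT 1"):
        return False, queries
    # 2. direct user permission
    if exists("SELECT 1 FROM user_perm WHERE user_id=:uid AND object_id=:obj "
              "AND admin=1 LIMIT 1"):
        return True, queries
    # 3. group permission via inner join
    if exists("SELECT 1 FROM group_member gm JOIN group_perm gp ON gp.group_id=gm.group_id "
              "WHERE gm.user_id=:uid AND gp.object_id=:obj AND gp.admin=1 LIMIT 1"):
        return True, queries
    # 4. role permission, only when RBAC is enabled
    if rbac_enabled and exists(
            "SELECT 1 FROM user_role ur JOIN role_perm rp ON rp.role_id=ur.role_id "
            "WHERE ur.user_id=:uid AND rp.object_id=:obj AND rp.admin=1 LIMIT 1"):
        return True, queries
    return False, queries


if __name__ == "__main__":
    db = build_db()
    print("combined join rows for user 1:", combined_join_rows(db, 1, 7))
    for uid in (1, 2, 3, 4):
        print("user", uid, "->", is_user_object_admin(db, uid, 7))
```

Running it shows the combined join producing 2000 rows for user 1 (50 groups × 40 roles) before a single admin flag is inspected, while the sequential version answers the same question in two queries, denies the non-member after one, and only reaches the fourth query for a member with no permissions at all. The membership check coming first is the security-relevant ordering: a leftover permission row for a user who has left the organisation never grants access.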

@gagantrivedi gagantrivedi requested a review from a team as a code owner January 16, 2026 09:57
@gagantrivedi gagantrivedi requested review from Zaimwa9 and removed request for a team January 16, 2026 09:57
@vercel

vercel Bot commented Jan 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Review Updated (UTC)
docs Ignored Ignored Preview Jan 16, 2026 10:19am
flagsmith-frontend-preview Ignored Ignored Preview Jan 16, 2026 10:19am
flagsmith-frontend-staging Ignored Ignored Preview Jan 16, 2026 10:19am


@github-actions github-actions Bot added api Issue related to the REST API fix labels Jan 16, 2026
@github-actions
Contributor

github-actions Bot commented Jan 16, 2026

Docker builds report

Image                                              | Build Status | Security report
ghcr.io/flagsmith/flagsmith-api-test:pr-6537       | Finished ✅  | Skipped
ghcr.io/flagsmith/flagsmith-e2e:pr-6537            | Finished ✅  | Skipped
ghcr.io/flagsmith/flagsmith-frontend:pr-6537       | Finished ✅  | Results
ghcr.io/flagsmith/flagsmith-api:pr-6537            | Finished ✅  | Results
ghcr.io/flagsmith/flagsmith:pr-6537                | Finished ✅  | Results
ghcr.io/flagsmith/flagsmith-private-cloud:pr-6537  | Finished ✅  | Results

@gagantrivedi gagantrivedi force-pushed the fix/permission-check-query-performance branch from d239ef2 to b5fe441 Compare January 16, 2026 10:08
@github-actions github-actions Bot added fix and removed fix labels Jan 16, 2026
@codecov

codecov Bot commented Jan 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.08%. Comparing base (c2e18bc) to head (8ca1162).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6537   +/-   ##
=======================================
  Coverage   98.08%   98.08%           
=======================================
  Files        1293     1293           
  Lines       46588    46608   +20     
=======================================
+ Hits        45696    45716   +20     
  Misses        892      892           


The original implementation used a single combined query with OR conditions
across user, group, and role permissions. This caused the Django ORM to generate
LEFT OUTER JOINs, resulting in a Cartesian product explosion and slow queries
(~1000ms) on large datasets.

Replace with separate queries using early returns:
1. Organisation membership check (security + fast fail)
2. Direct user permission check
3. Group permission check
4. Role permission check (RBAC, if enabled)

Each query uses INNER JOINs and returns as soon as permission is found.
Follows the same pattern as get_object_id_from_base_permission_filter().
@gagantrivedi gagantrivedi force-pushed the fix/permission-check-query-performance branch from b5fe441 to 8ca1162 Compare January 16, 2026 10:19
@github-actions github-actions Bot added fix and removed fix labels Jan 16, 2026
@gagantrivedi gagantrivedi merged commit 04df8d5 into main Jan 19, 2026
30 checks passed
@gagantrivedi gagantrivedi deleted the fix/permission-check-query-performance branch January 19, 2026 04:38