fix(organizations): Add select_related('organization') to membership checks#116350
fix(organizations): Add select_related('organization') to membership checks#116350sentry[bot] wants to merge 3 commits into
Conversation
…checks Fixes SENTRY-14KX check_membership_by_id and check_membership_by_email fetch an OrganizationMember without select_related('organization'). When serialize_member() then calls member.get_scopes(), it accesses self.organization (a ForeignKey), triggering a lazy-load query on the large sentry_organization table. In production this causes 9+ second queries on the hot path for trigger_action and other callers that go through get_organization_by_id with a user_id. Adding select_related('organization') ensures the Organization row is fetched in the same query, eliminating the expensive lazy load.
github-actions
Bot
added
the
Scope: Backend
markstory
added
the
Trigger: getsentry tests
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
github-actions
Bot
removed
the
Trigger: getsentry tests
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| assert len(core_queries) <= 4, ( | ||
| f"Expected at most 4 core member queries, got {len(core_queries)}:\n" | ||
| # Exactly 5 core queries, none of which scale with member count | ||
| assert len(core_queries) <= 5, ( |
There was a problem hiding this comment.
Bug: The test assertion in test_replace_members_query_count was increased from 4 to 5 queries without justification, potentially masking an unrelated performance regression.
Severity: MEDIUM
Suggested Fix
Investigate the source of the fifth query in the test_replace_members_query_count test. The query count should not be increased without understanding and justifying the new query. The test assertion should be reverted to <= 4 and the underlying cause of the extra query should be fixed or explicitly acknowledged.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: tests/sentry/core/endpoints/scim/test_scim_team_details.py#L386
Potential issue: The pull request increases the query count assertion in
`test_replace_members_query_count` from `<= 4` to `<= 5`. However, the code changes that
add `select_related("organization")` are not executed in this test's code path. This
indicates the fifth query is unrelated to the intended optimization. This change masks a
potential performance regression or a previously undetected query in the SCIM team
member replacement flow, which could allow future performance issues to go unnoticed.
Did we get this right? 👍 / 👎 to inform future reviews.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 1b51367. Configure here.
| f"Expected at most 4 core member queries, got {len(core_queries)}:\n" | ||
| # Exactly 5 core queries, none of which scale with member count | ||
| assert len(core_queries) <= 5, ( | ||
| f"Expected at most 5 core member queries, got {len(core_queries)}:\n" |
There was a problem hiding this comment.
Test filter matches unrelated query due to substring collision
Low Severity
The assertion was bumped from 4 to 5 because the is_fetch_new filter uses "IN" in sql, which is a naive substring check that now falsely matches the check_membership_by_id query. Adding select_related("organization") introduces INNER JOIN into that query's SQL, and the string "IN" is a substring of "INNER". This causes the auth/permission query to be incorrectly classified as a "core replace-path query." The docstring still lists only 4 queries, making it inconsistent with the assertion, and the test is now weaker at catching real N+1 regressions since the threshold was raised to accommodate a false positive in the filter logic.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 1b51367. Configure here.
2 participants
Summary
Fixes SENTRY-14KX
Adds
select_related("organization")tocheck_membership_by_idandcheck_membership_by_emailinDatabaseBackedOrganizationServiceto prevent an expensive lazy-load query onsentry_organization.Root Cause
check_membership_by_idfetches anOrganizationMembervia.get()withoutselect_related("organization"). Whenserialize_member()subsequently callsmember.get_scopes(), it accessesself.organization(a ForeignKey), which triggers a lazy-loadSELECTon the largesentry_organizationtable (9+ seconds in production).The call chain:
trigger_actiontask →get_organization_by_idRPC with auser_idget_organization_by_id→check_membership_by_idcheck_membership_by_id→serialize_member→member.get_scopes()get_scopes()accessesself.organization→ lazy-load → slow unoptimized queryFix
Add
select_related("organization")to theOrganizationMemberquery in bothcheck_membership_by_idandcheck_membership_by_email, so theOrganizationrow is fetched via a JOIN in the same query, eliminating the lazy load entirely.Changes
src/sentry/organizations/services/organization/impl.py:check_membership_by_id: Addedselect_related("organization")to the.get()callcheck_membership_by_email: Addedselect_related("organization")to the.get()call (same pattern, same fix)