Skip to content

fix(api): N+1 db query in GroupSerializerBase._get_permalink #29717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Zylphrex merged 1 commit into from
Nov 4, 2021
Merged

fix(api): N+1 db query in GroupSerializerBase._get_permalink #29717

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 15 additions & 12 deletions src/sentry/api/serializers/models/group.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,8 @@ def get_attrs(self, item_list, user):
# should only have 1 org at this point
organization_id = organization_id_list[0]

authorized = self._is_authorized(user, organization_id)

# find all the integration installs that have issue tracking
for integration in Integration.objects.filter(organizations=organization_id):
if not (
Expand Down Expand Up @@ -383,6 +385,7 @@ def get_attrs(self, item_list, user):
"resolution_type": resolution_type,
"resolution_actor": resolution_actor,
"share_id": share_ids.get(item.id),
"authorized": authorized,
}

result[item]["is_unhandled"] = bool(snuba_stats.get(item.id, {}).get("unhandled"))
Expand Down Expand Up @@ -447,38 +450,38 @@ def _get_status(self, attrs, obj):
status_label = "unresolved"
return status_details, status_label

def _get_permalink(self, obj, user):
def _is_authorized(self, user, organization_id):
# If user is not logged in and member of the organization,
# do not return the permalink which contains private information i.e. org name.
request = env.request
is_superuser = request and is_active_superuser(request) and request.user == user
if request and is_active_superuser(request) and request.user == user:
return True

# If user is a sentry_app then it's a proxy user meaning we can't do a org lookup via `get_orgs()`
# because the user isn't an org member. Instead we can use the auth token and the installation
# it's associated with to find out what organization the token has access to.
is_valid_sentryapp = False
if (
request
and getattr(request.user, "is_sentry_app", False)
and isinstance(request.auth, ApiToken)
):
is_valid_sentryapp = SentryAppInstallationToken.objects.has_organization_access(
request.auth, obj.organization
)
if SentryAppInstallationToken.objects.has_organization_access(
Copy link
Contributor

@mgaeta mgaeta Nov 2, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The condition can be simplified to:

def _is_authorized(self, user: User, organization_id: int) -> bool:
    # If user is not logged in and member of the organization,
    # do not return the permalink which contains private information i.e. org name.
    request = env.request

    return (
        request
        and (
            (is_active_superuser(request) and request.user == user)
            or (
                # If user is a sentry_app then it's a proxy user meaning we can't do a org lookup via `get_orgs()`
                # because the user isn't an org member. Instead we can use the auth token and the installation
                # it's associated with to find out what organization the token has access to.
                getattr(request.user, "is_sentry_app", False)
                and isinstance(request.auth, ApiToken)
                and SentryAppInstallationToken.objects.has_organization_access(
                    request.auth, organization_id
                )
            )
        )
    ) or (user.is_authenticated and user.get_orgs().filter(id=organization_id).exists())

This is definitely overkill but I think you could merge up the has_organization_access() call.

Copy link
Member Author

@Zylphrex Zylphrex Nov 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you say to merge up has_organization_access, do you mean to lift its contents inline into this function?

request.auth, organization_id
):
return True

if (
is_superuser
or is_valid_sentryapp
or (user.is_authenticated and user.get_orgs().filter(id=obj.organization.id).exists())
):
return user.is_authenticated and user.get_orgs().filter(id=organization_id).exists()
Copy link
Member Author

@Zylphrex Zylphrex Nov 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously, this was filtering on obj.organization.id but as per the comment here, it should always be the case that the organizations are the same on all the objs.


def _get_permalink(self, attrs, obj):
if attrs["authorized"]:
with sentry_sdk.start_span(op="GroupSerializerBase.serialize.permalink.build"):
return obj.get_absolute_url()
else:
return None

def serialize(self, obj, attrs, user):
status_details, status_label = self._get_status(attrs, obj)
permalink = self._get_permalink(obj, user)
permalink = self._get_permalink(attrs, obj)
is_subscribed, subscription_details = get_subscription_from_attributes(attrs)
share_id = attrs["share_id"]
group_dict = {
Expand Down
6 changes: 3 additions & 3 deletions src/sentry/models/sentryappinstallationtoken.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
from sentry.db.models import BaseManager, FlexibleForeignKey, Model

if TYPE_CHECKING:
from sentry.models import ApiToken, Organization
from sentry.models import ApiToken


class SentryAppInstallationTokenManager(BaseManager):
Expand Down Expand Up @@ -40,12 +40,12 @@ def get_projects(self, token: ApiToken) -> QuerySet:
organization_id=install_token.sentry_app_installation.organization_id
)

def has_organization_access(self, token: ApiToken, organization: Organization) -> bool:
def has_organization_access(self, token: ApiToken, organization_id: int) -> bool:
install_token = self._get_token(token)
if not install_token:
return False

return install_token.sentry_app_installation.organization_id == organization.id
return install_token.sentry_app_installation.organization_id == organization_id


class SentryAppInstallationToken(Model):
Expand Down