Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sqlview): When current user in SQL view, do not cache #2911

Merged
merged 1 commit into from
Sep 30, 2024
Merged

fix(sqlview): When current user in SQL view, do not cache #2911

merged 1 commit into from
Sep 30, 2024

Conversation

benguaraldi
Copy link
Contributor

@benguaraldi benguaraldi commented Aug 21, 2024
edited by jira bot
Loading

This code implements the request from DHIS2-9300, namely that if ${_current_user_id} or ${_current_username} is in a SQL view, then the SQL view should not be allowed to cache, as caching would keep the same results in the SQL view if one user were to log in and another user were to log out.

@benguaraldi benguaraldi requested a review from Birkbjo August 21, 2024 19:26
@benguaraldi benguaraldi requested a review from tomzemp September 4, 2024 11:51
@Birkbjo
Copy link
Member

Birkbjo commented Sep 9, 2024

This is probably something that should ideally also be validated by the backend? This would help, but if it can actually be a security issue, then we should follow up with backend as well?

@jimgrace
Copy link
Member

jimgrace commented Sep 9, 2024

@Birkbjo I agree about backend support also. If the frontend is bypassed, and for preexisting SQL Views, the backend shouldn't cache the results when a SQL View specifies the current user. This could be done in either of two ways, whichever seems more reasonable to code:

  1. Force caching off when saving a the SQL view containing one of these constructs, and patch any such preexisting SQL Views, or
  2. Force a result not to be cached when executing a SQL View with one of these constructs

Note: @DavidCKen (or @karolinelien & @stian-sandvold while David is on leave). Also: @netroms

Meanwhile, @Birkbjo, do you think it is reasonable to merge this change in the frontend as well?

@stian-sandvold
Copy link

@Birkbjo I agree about backend support also. If the frontend is bypassed, and for preexisting SQL Views, the backend shouldn't cache the results when a SQL View specifies the current user. This could be done in either of two ways, whichever seems more reasonable to code:

  1. Force caching off when saving a the SQL view containing one of these constructs, and patch any such preexisting SQL Views, or
  2. Force a result not to be cached when executing a SQL View with one of these constructs

Note: @DavidCKen (or @karolinelien & @stian-sandvold while David is on leave). Also: @netroms

Meanwhile, @Birkbjo, do you think it is reasonable to merge this change in the frontend as well?

I never worked on the SQL views code myself, but @jimgrace do you know if there is any use-cases we support today that prevents caching the views? Also, is this a task you would be able to create a solution for @jimgrace?

@Birkbjo
Copy link
Member

Birkbjo commented Sep 10, 2024

Meanwhile, @Birkbjo, do you think it is reasonable to merge this change in the frontend as well?

Yeah I think it makes sense. Sorry I should've been more clear that we can merge this - but I just wanted to mention that we shouldn't only do it on the client if it's indeed a security problem.

@benguaraldi
Copy link
Contributor Author

@Birkbjo Let me know if you need anything from me before we approve and merge. Thanks!

@benguaraldi
Copy link
Contributor Author

@Birkbjo, could you merge this PR? Or could someone else? I'm not allowed to.

Thanks!

@Birkbjo
Copy link
Member

Birkbjo commented Sep 30, 2024

@benguaraldi , it's failing due to a deprecated dependency during build. Will look into fixing it, then merging this.

@Birkbjo Birkbjo force-pushed the DHIS2-9300/sql-view-current-id branch from 3a8219b to 95d7b2b Compare September 30, 2024 13:55
@Birkbjo Birkbjo merged commit 5eb5026 into master Sep 30, 2024
6 checks passed
@Birkbjo Birkbjo deleted the DHIS2-9300/sql-view-current-id branch September 30, 2024 14:02
@benguaraldi
Copy link
Contributor Author

Thank you so much, @Birkbjo!

dhis2-bot added a commit that referenced this pull request Sep 30, 2024
@dhis2-bot
chore(release): cut 32.31.11 [skip ci]
2ae8fe9 
## [32.31.11](v32.31.10...v32.31.11) (2024-09-30)

### Bug Fixes

* **sqlview:** when current user in SQL view, do not cache ([#2911](#2911)) ([5eb5026](5eb5026))
@dhis2-bot
Copy link
Contributor

🎉 This PR is included in version 32.31.11 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Birkbjo Birkbjo Birkbjo approved these changes

@tomzemp tomzemp Awaiting requested review from tomzemp

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@benguaraldi @Birkbjo @jimgrace @stian-sandvold @dhis2-bot