fix(dal,sdf): when finding change sets, ensure it belongs to the relevant workspace #5245
Conversation
Dependency Review✅ No vulnerabilities or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files |
| @@ -87,7 +87,7 @@ impl SnapshotGraphMigrator { | |||
| info!("Migrating {} snapshot(s)", open_change_sets.len(),); | |||
|
|
|||
| for change_set in open_change_sets { | |||
| let mut change_set = ChangeSet::find(ctx, change_set.id) | |||
| let mut change_set = ChangeSet::find_across_workspaces(ctx, change_set.id) | |||
There was a problem hiding this comment.
I believe this is correct - @zacharyhamm could use a check
There was a problem hiding this comment.
It's hard to imagine this isn't correct, given the fact that these change set IDs came from list_open_for_all_workspaces()!. (Again, it at least doesn't make things worse.)
There was a problem hiding this comment.
this is what we want, yes. The migrator will set up the dal context for the right visibility and tenancy but only after it finds the workspace, so this is definitely necessary
britmyerss
force-pushed
the
brit/ensure-change-sets-belong-to-workspaces
branch
2 times, most recently
from
425cd9c to
a5c49bb
Compare
|
/try |
|
Okay, starting a try! I'll update this comment once it's running...\n |
britmyerss
force-pushed
the
brit/ensure-change-sets-belong-to-workspaces
branch
2 times, most recently
from
bded452 to
f7f8e33
Compare
| pub async fn update_snapshot_to_visibility(&mut self) -> TransactionsResult<()> { | ||
| let change_set = ChangeSet::find(self, self.change_set_id()) | ||
| let change_set = ChangeSet::find_across_workspaces(self, self.change_set_id()) |
There was a problem hiding this comment.
Could do a similar move here to have a tenancy-scoped version of this method, but not in this PR. Note that scoping this to the workspace breaks all of our integration tests at the moment.
| .expect("could not build dal context"); | ||
|
|
||
| //first, let's ensure we can't find it when using the user 1 dal ctx | ||
| let user_2_change_set_unfound = ChangeSet::find(&user_1_dal_context, user_2_change_set.id) |
There was a problem hiding this comment.
before this change, we would User-1-Workspace-1 would successfully find (and be able to abandon) the change set in User-2's Workspace.
lib/dal/src/change_set.rs
Outdated
| @@ -698,7 +739,7 @@ impl ChangeSet { | |||
| #[instrument(level = "info", skip_all)] | |||
| pub async fn apply_to_base_change_set(ctx: &mut DalContext) -> ChangeSetApplyResult<ChangeSet> { | |||
| // Apply to the base change with the current change set (non-editing) and commit. | |||
| let mut change_set_to_be_applied = Self::find(ctx, ctx.change_set_id()) | |||
| let mut change_set_to_be_applied = Self::find_across_workspaces(ctx, ctx.change_set_id()) | |||
There was a problem hiding this comment.
This one might be able to be ChangeSet::find() (it seems like if we really need find_across_workspaces than we have been given a busted DalContext). But if you're worried about it or noticed it breaks things, I'm 100% on board with "fix most stuff and then look at these in another PR").
There was a problem hiding this comment.
yeah I think you're right! Will fix
| @@ -87,7 +87,7 @@ impl SnapshotGraphMigrator { | |||
| info!("Migrating {} snapshot(s)", open_change_sets.len(),); | |||
|
|
|||
| for change_set in open_change_sets { | |||
| let mut change_set = ChangeSet::find(ctx, change_set.id) | |||
| let mut change_set = ChangeSet::find_across_workspaces(ctx, change_set.id) | |||
There was a problem hiding this comment.
It's hard to imagine this isn't correct, given the fact that these change set IDs came from list_open_for_all_workspaces()!. (Again, it at least doesn't make things worse.)
britmyerss
force-pushed
the
brit/ensure-change-sets-belong-to-workspaces
branch
from
f7f8e33 to
2603a0a
Compare
|
/try |
|
Okay, starting a try! I'll update this comment once it's running...\n |
lib/dal/src/change_set.rs
Outdated
| } | ||
| Ok(Some(change_set)) | ||
| } | ||
| None => Ok(None), |
There was a problem hiding this comment.
If we emitted an info or error here, we could track any time this returns None. Which should be almost never, except maybe stale URLs in cache for applied/abandoned change sets
There was a problem hiding this comment.
(or set an attribute, whichever makes the most sense for a honeycomb query)
There was a problem hiding this comment.
good shout - will add!
britmyerss
force-pushed
the
brit/ensure-change-sets-belong-to-workspaces
branch
from
2603a0a to
8e15c47
Compare
This change introduces
ChangeSet::find_across_workspacesto differentiate fromChangeSet::findto ensure we're not acting on ChangeSets that don't belong to the Workspace in question.via The Tonight Show Starring Jimmy Fallon on GIPHY