Mercurial > p > roundup > code
changeset 8136:5a2b9435a04d permission-performance
Make permission filter functions configurable
For debugging and performance measurements it makes sense to allow
turning permission filter functions off.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Wed, 23 Oct 2024 17:46:05 +0200 |
| parents | aa5ae3f84889 |
| children | de58ff07890e |
| files | roundup/configuration.py roundup/hyperdb.py test/db_test_base.py |
| diffstat | 3 files changed, 31 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/roundup/configuration.py Wed Oct 23 16:29:43 2024 +0200 +++ b/roundup/configuration.py Wed Oct 23 17:46:05 2024 +0200 @@ -1462,6 +1462,17 @@ ("rdbms", ( (DatabaseBackend, 'backend', NODEFAULT, "Database backend."), + (BooleanOption, "debug_filter", "no", + "Filter debugging: Permissions can define additional filter\n" + "functions that are used when checking permissions on results\n" + "returned by the database. This is done to improve\n" + "performance since the filtering is done in the database\n" + "backend, not in python (at least for the SQL backends). The\n" + "user is responsible for making the filter return the same\n" + "set of results as the check function for a permission. So it\n" + "makes sense to aid in debugging (and performance\n" + "measurements) to allow turning off the usage of filter\n" + "functions using only the check functions."), (Option, 'name', 'roundup', "Name of the database to use. For Postgresql, this can\n" "be database.schema to use a specific schema within\n" @@ -1545,8 +1556,8 @@ "Set the database cursor for filter queries to serverside\n" "cursor, this avoids caching large amounts of data in the\n" "client. This option only applies for the postgresql backend."), - ), "Settings in this section (except for backend) are used\n" - " by RDBMS backends only.", + ), "Most settings in this section (except for backend and debug_filter)\n" + "are used by RDBMS backends only.", ), ("sessiondb", ( (SessiondbBackendOption, "backend", "",
--- a/roundup/hyperdb.py Wed Oct 23 16:29:43 2024 +0200 +++ b/roundup/hyperdb.py Wed Oct 23 17:46:05 2024 +0200 @@ -1820,11 +1820,12 @@ if check(permission, userid, cn, only_no_check = True): allowed = item_ids else: + debug = self.db.config.RDBMS_DEBUG_FILTER # Note that is_filterable returns True if no permissions are # found. This makes it fail early (with an empty allowed list) # instead of running through all ids with an empty # permission list. - if sec.is_filterable(permission, userid, cn): + if not debug and sec.is_filterable(permission, userid, cn): new_ids = set(item_ids) confirmed = set() for perm in sec.filter_iter(permission, userid, cn):
--- a/test/db_test_base.py Wed Oct 23 16:29:43 2024 +0200 +++ b/test/db_test_base.py Wed Oct 23 17:46:05 2024 +0200 @@ -3033,6 +3033,22 @@ # User may see own and public queries self.assertEqual(r, ['5', '6', '4', '3', '2', '1']) + def testFilteringWithPermissionFilterFunctionOff(self): + view_query = self.setupQuery() + + def filter(db, userid, klass): + return [dict(filterspec = dict(private_for=['-1', userid]))] + perm = self.db.security.addPermission + p = perm(name='View', klass='query', check=view_query, filter=filter) + self.db.security.addPermissionToRole("User", p) + # Turn filtering off + self.db.config.RDBMS_DEBUG_FILTER = True + filt = self.db.query.filter_with_permissions + + r = filt(None, {}, sort=[('+', 'name')]) + # User may see own and public queries + self.assertEqual(r, ['5', '6', '4', '3', '2', '1']) + # XXX add sorting tests for other types # nuke and re-create db for restore