Bug #39394

open

Non-admin users listing resources get 500: missing FROM-clause entry for table taxonomies

Added by Pablo Méndez Hernández 14 days ago. Updated 14 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Problem

Non-admin users with an organization but no location (or vice versa) get a 500 error when listing resources that go through the Authorizer. Confirmed on GET /api/users and GET /users.

PG::UndefinedTable: ERROR:  missing FROM-clause entry for table "taxonomies" 
LINE 5:  WHERE "taxonomies"."id" IN (1) )) AND ("taxonomies"."id" ...

Admin users are unaffected (they bypass taxonomy scoping). Non-admin users with both org and location assigned work fine.

Root cause

Commit 8712376901 ("Fixes #39209 - Drop superfluous includes") strips :organizations and :locations from the eager_load includes in Authorizer#build_filtered_scope_components:

# Before
result[:includes].push(*find_options[:include])

# After
includes = Array.wrap(find_options[:include]) - [:organizations, :locations]
result[:includes].push(*includes)

The scoped search conditions still generate WHERE "taxonomies"."id" IN (...) from Filter#taxonomy_search_condition_for_user, which requires the taxonomies table to be JOINed. Without the includes, the table is missing from the FROM clause.

The bug only manifests when the user has an asymmetric taxonomy assignment (org without location or location without org), because that produces a taxonomy search condition that references the taxonomies table for only one dimension.

Reproducer

# Create a non-admin user with Viewer role and an org but NO location
hammer user create --login testuser --password changeme \
  --mail test@example.com --auth-source-id 1 \
  --organizations "Default Organization" \
  --roles "Viewer" 

# This returns 500
curl -sku testuser:changeme https://$(hostname)/api/users?per_page=all

# Adding a location fixes it
hammer user update --login testuser --locations "Default Location" 
curl -sku testuser:changeme https://$(hostname)/api/users?per_page=all
# Returns 200

# Removing the location again reproduces it
hammer user update --login testuser --locations "" 
curl -sku testuser:changeme https://$(hostname)/api/users?per_page=all
# Returns 500 again

Why existing tests do not catch it

The test "user with viewer rights should succeed in viewing users" (test/controllers/api/v2/users_controller_test.rb:185) uses fixture user one which has no organization or location assignments. Without any taxonomy assignments, the scoping code does not generate the broken WHERE clause. A user with both org and location also works — only the asymmetric case (one without the other) triggers the bug.
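An added check (not Foreman's own code) for the failure mode described in the root cause and test-gap sections above: given the SQL ActiveRecord would send (for example the `to_sql` of the scope built by the Authorizer, run inside a test before the query ever reaches PostgreSQL), it lists every table referenced as `"table"."column"` that is never named in a FROM or JOIN. Both queries below are constructed from the error in this report; the `taxable_taxonomies` join table and its column names are assumptions, not taken from the page.

```ruby
# Crude static check for "missing FROM-clause entry" errors: a table that is
# referenced in a condition but never joined. It is a tokenizer, not a SQL
# parser: it ignores aliases and treats a table named in any FROM/JOIN of the
# statement (including subqueries) as available everywhere.
def referenced_tables(sql)
  # "table"."column" references, the way ActiveRecord quotes them on PostgreSQL
  sql.scan(/"([^"]+)"\."[^"]+"/).flatten.uniq
end

def joined_tables(sql)
  sql.scan(/\b(?:FROM|JOIN)\s+"([^"]+)"/i).flatten.uniq
end

# Tables used in conditions that no FROM/JOIN provides; empty means OK.
def missing_from_clause_tables(sql)
  referenced_tables(sql) - joined_tables(sql)
end

# Constructed query modelled on the error in this report: the scoped-search
# condition references "taxonomies", but nothing joins that table.
BROKEN_SQL = <<~SQL
  SELECT "users".* FROM "users"
  WHERE ("users"."id" IN (SELECT "users"."id" FROM "users"
    WHERE "taxonomies"."id" IN (1) )) AND ("taxonomies"."id" IN (1))
SQL

# Constructed query with the joins that the dropped includes used to add.
# The taxable_taxonomies join table and its columns are assumed names.
JOINED_SQL = <<~SQL
  SELECT "users".* FROM "users"
  LEFT OUTER JOIN "taxable_taxonomies" ON "taxable_taxonomies"."taxable_id" = "users"."id"
  LEFT OUTER JOIN "taxonomies" ON "taxonomies"."id" = "taxable_taxonomies"."taxonomy_id"
  WHERE ("taxonomies"."id" IN (1))
SQL

if __FILE__ == $PROGRAM_NAME
  p missing_from_clause_tables(BROKEN_SQL)   # ["taxonomies"]
  p missing_from_clause_tables(JOINED_SQL)   # []
end
```

In a regression test this turns the asymmetric-taxonomy case into an assertion on `missing_from_clause_tables(scope.to_sql)` being empty, instead of relying on the database to raise PG::UndefinedTable.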

Environment

  • Foreman develop (5.0.0-0.1.develop.20260527)
  • Rails 7.0.10
  • PostgreSQL
#1

Updated by Pablo Méndez Hernández 14 days ago

  • Description updated (diff)