fix: with LDAP backend, edition the admin group would fail

The `match_filter` method evaluate filters, and queries objects from their ids. The value was stored in the `filter` arg, but being a dict it was re-used during the following calls of `match_filter`. After editing the `admin` group (by adding or removing an user), a new page is displayed, and as always it checks the user permissions. The user permission check would call `match_filter` then compare an updated version of the admin group (with one less or one new user) with an unfortunate *cached* version in the `match_filter` `filter` arg. With the SQL or the memory backend the comparision would be successful, but it is not with the LDAP backend. This resulted in permission loss for users after editing the `admin` group. Being a method default value edited, it would remain until the Canaille service was reloaded. Related to https://stackoverflow.com/questions/1132941/least-astonishment-and-the-mutable-default-argument
yaal-coop · Nov 6, 2024 · 6a6350e · 6a6350e
1 parent fe8e116
commit 6a6350e
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/canaille/backends/models.py b/canaille/backends/models.py
@@ -123,6 +123,7 @@ def match_filter(self, filter):
             return any(self.match_filter(subfilter) for subfilter in filter)
 
         # If attribute are models, resolve the instance
+        filter = filter.copy()
         for attribute, value in filter.items():
             model, _ = self.get_model_annotations(attribute)