From 6a6350e368c5b1e6badd5f2bddb3b536a8cd0b5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?=
Date: Wed, 6 Nov 2024 15:00:54 +0100
Subject: [PATCH] fix: with LDAP backend, edition the admin group would fail
The `match_filter` method evaluate filters, and queries objects from their ids. The value was stored in the `filter` arg, but being a dict it was re-used during the following calls of `match_filter`. After editing the `admin` group (by adding or removing an user), a new page is displayed, and as always it checks the user permissions. The user permission check would call `match_filter` then compare an updated version of the admin group (with one less or one new user) with an unfortunate *cached* version in the `match_filter` `filter` arg. With the SQL or the memory backend the comparision would be successful, but it is not with the LDAP backend. This resulted in permission loss for users after editing the `admin` group. Being a method default value edited, it would remain until the Canaille service was reloaded. Related to https://stackoverflow.com/questions/1132941/least-astonishment-and-the-mutable-default-argument
---
 canaille/backends/models.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/canaille/backends/models.py b/canaille/backends/models.py
index 1874ba91..fc2889dc 100644
--- a/canaille/backends/models.py
+++ b/canaille/backends/models.py
@@ -123,6 +123,7 @@ def match_filter(self, filter):
 return any(self.match_filter(subfilter) for subfilter in filter)
 # If attribute are models, resolve the instance
+ filter = filter.copy()
 for attribute, value in filter.items():
 model, _ = self.get_model_annotations(attribute)
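Review bot: The added `filter = filter.copy()` has no comment saying why it is there, and the patch adds no test, so a later cleanup could drop the line and bring back the stale-instance comparison in the permission check that the commit message describes. I would put `# Work on a copy: resolved instances must not be written back into the caller's filter dict, which is reused across calls` above it, and add a regression test that calls `match_filter` twice with the same dict and asserts the dict is unchanged afterwards. The copy is shallow, which is enough only if the loop rebinds top-level keys; the rest of the loop body lies outside the hunk, so that should be confirmed there.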