User cannot list groups despite having access to subgroups #3053
Description
We have a group hierarchy like:
g1
└── g2
└── g3
└── g4
└── g5
└── g6
A role named subgroup_reader was created in g3 with the action subgroup_read.
user3 was added as a member of this role.
Expected behavior
When user3 calls the list groups endpoint (e.g., GET /groups), it should return subgroups g4, g5, and g6, as user3 has access via the subgroup_reader role in g3.
Actual behavior
The list groups endpoint returns no results for user3.
However, if directly querying access (e.g., GET /groups/g4), user3 is allowed to view g4, g5, and g6.
To Reproduce
- Create groups: g1 → g6 as a parent-child chain.
- In
g3, create rolesubgroup_reader. - Assign action
subgroup_readto that role. - Add
user3to the role ing3. - Call
GET /groupsasuser3.
**Solution: **
In All list query
we need to replace direct_groups_with_subgroup with below and additoal CTE is added in below query direct_leaf_groups_with_subgroup to remove parent nodes
direct_groups_with_subgroup AS (
SELECT
g.*,
gr.entity_id AS entity_id,
grm.member_id AS member_id,
gr.id AS role_id,
gr."name" AS role_name,
array_agg(DISTINCT all_actions."action") AS actions,
g.path AS g_path,
nlevel(g.path) AS g_nlevel
FROM
groups_role_members grm
JOIN
groups_role_actions gra ON gra.role_id = grm.role_id
JOIN
groups_roles gr ON gr.id = grm.role_id
JOIN
"groups" g ON g.id = gr.entity_id
JOIN
groups_role_actions all_actions ON all_actions.role_id = grm.role_id
WHERE
grm.member_id = '%s'
AND g.domain_id ='%s'
AND gra."action" LIKE 'subgroup_%'
GROUP BY
gr.entity_id, grm.member_id, gr.id, gr."name", g."path", g.id
),
direct_leaf_groups_with_subgroup AS (
SELECT dgws.*
FROM direct_groups_with_subgroup dgws
WHERE NOT EXISTS (
SELECT 1
FROM direct_groups_with_subgroup dgws2
WHERE
dgws2.path @> dgws.path
AND dgws2.id != dgws.id
)
),This bug was introduced as a side effect of PR #2976, which was intended to fix issue #2865.
Metadata
Metadata
Assignees
Labels
Type
Projects
Status