KrishnaIyer
commented
1 year ago I don't understand the requirement. Why should non admins be able to list deleted entities? Admins need this to purge IDs.
Closed nicholaspcr closed 1 year ago
KrishnaIyer
commented
1 year ago I don't understand the requirement. Why should non admins be able to list deleted entities? Admins need this to purge IDs.
nicholaspcr
commented
1 year ago Maybe from me trying to fit in both list and search under the same behavior, it causes the confusion.
list fails even for admin users, the reason for that is trying to find the user as a deleted account due to the injection on DeletedOptions in the context.search only works for admins because fetching the memberships are skipped by setting member to nil in the search related methods (ref)error:pkg/identityserver/store:account_not_found (user account with id `admin` not found)
account_type=user
account_id=admin
correlation_id=8ca168ed8379438cbe6066d5cbcbe6dc
exit status 255In addition of that I would argue that an user being able to see a list of its own deleted entities isn't problematic, one could even check before asking an admin to restore the entity. What you think @KrishnaIyer ?
KrishnaIyer
commented
1 year ago Before getting into the details of implementation, let's first discuss what we're trying to achieve.
In addition of that I would argue that an user being able to see a list of its own deleted entities isn't problematic, one could even check before asking an admin to restore the entity
Is this a customer requirement? What is the basis for this? I think that the current flow of only allowing admins to list purged entities works well. Users will get an ID taken or similar warning and then they can request an admin to purge.
nicholaspcr
commented
1 year ago A bit late on the reply here, the example that I gave is not a customer requirement. It was merely an example of something possible in a smaller scale where an user can contact an admin from outside of the stack, providing a bit more specific information. Please disregard as it is not intended as a suggestion for this issue.
The main point here is the following the API does already allow non admin users to list/search for deleted entities (with the exception of other users), while is not present on the Console the API does allow it. In addition to this statement the ability of performing both operations via the CLI returns an inappropriate error message instead of the expected result.
This is not a big change but merely a bug fix which involves in removing the DeletedOptions from the fetch account operation done on membership methods. In a bit I'll link a draft PR with the changes so its easier to have this discussion
Summary
While looking into https://github.com/TheThingsIndustries/lorawan-stack-docs/issues/1165#issuecomment-1726416533 I noticed that when attempting to fetch deleted entities we are firstly trying to fetch accounts which trigger the
_isSoftDeleteconditional in theapplyContextexecuted in most queries in the store pkg. SinceDeletedOptionsisdetermined in the registry level and that propagates to the membership section of the store pkg, it means that we are trying to find an deleted account by passing a valid user.Steps to Reproduce
List an entity:
ttn-lw-cli app list --deletedaccount_not_founderror.Search for an entity:
ttn-lw-cli app search --deletedaccount_not_founderror.Current Result
We always attempt to search for an account with
deleted_at IS NOT NULLbut that is not the desired behaviorExpected Result
Get a valid user and then search for deleted entities/memberships.
Relevant Logs
No response
URL
No response
Deployment
The Things Stack Enterprise (self-hosted)
The Things Stack Version
3.27.2-dev
Client Name and Version
Other Information
No response
Proposed Fix
membership_store.goto only search for non deleted users, overwriting theDeletedOptionson only the calls forgetAccountModel.Contributing
Code of Conduct