Description
Describe the bug
We have a multitenant system, and when viewing the space admins of an organization in the admin accountability module, some space admins of other organizations may be listed.
I identified a too broadly capturing regex in the scope :space_role_actions of the PaperTrailVersion class that causes the selection of users whose IDs are not in the previously set relevant_user_ids array.
Given the following query:
```
irb(main):030:0> role_changes.where("object_changes ~ ANY (array[?])", relevant_user_ids.map { |id| "decidim_user_id:\n- ?\n- #{id}" })
PaperTrail::Version Load (7.1ms) SELECT "versions".* FROM "versions" WHERE "versions"."item_type" IN ($1, $2) AND "versions"."event" = $3 AND (object_changes ~ ANY (array['decidim_user_id:
- ?
- 8','decidim_user_id:
- ?
- 7','decidim_user_id:
- ?
- 6'])) [["item_type", "Decidim::AssemblyUserRole"], ["item_type", "Decidim:ParticipatoryProcessUserRole"], ["event", "create"]]
```
The following result contains, as its last entry, a version related to user ID 812, which is not in the [8,7,6] array:
```
[#<PaperTrail::Version:0x00005612a41d4db0
id: 483,
item_type: "Decidim:ParticipatoryProcessUserRole",
item_id: 1,
event: "create",
whodunnit: "gid://decidim-app/Decidim::User/7",
object: nil,
created_at: Fri, 15 Oct 2021 15:02:45.506440000 UTC +00:00,
object_changes: "---\nid:\n- \n- 1\ndecidim_user_id:\n- \n- 7\ndecidim_participatory_process_id:\n- \n- 4\nrole:\n- \n- admin\ncreated_at:\n- \n- &1 2021-10-15 15:02:45.506440263 Z\nupdated_at:\n- \n- *1\n">,
#<PaperTrail::Version:0x00005612a41d4ce8
id: 747,
item_type: "Decidim:ParticipatoryProcessUserRole",
item_id: 2,
event: "create",
whodunnit: "gid://decidim-app/Decidim::User/6",
object: nil,
created_at: Fri, 03 Dec 2021 15:17:25.062866000 UTC +00:00,
object_changes: "---\nid:\n- \n- 2\ndecidim_user_id:\n- \n- 6\ndecidim_participatory_process_id:\n- \n- 4\nrole:\n- \n- admin\ncreated_at:\n- \n- &1 2021-12-03 15:17:25.062866263 Z\nupdated_at:\n- \n- *1\n">,
#<PaperTrail::Version:0x00005612a41d4c20
id: 748,
item_type: "Decidim:ParticipatoryProcessUserRole",
item_id: 3,
event: "create",
whodunnit: "gid://decidim-app/Decidim::User/6",
object: nil,
created_at: Fri, 03 Dec 2021 15:18:33.558780000 UTC +00:00,
object_changes: "---\nid:\n- \n- 3\ndecidim_user_id:\n- \n- 6\ndecidim_participatory_process_id:\n- \n- 5\nrole:\n- \n- admin\ncreated_at:\n- \n- &1 2021-12-03 15:18:33.558780877 Z\nupdated_at:\n- \n- *1\n">,
#<PaperTrail::Version:0x00005612a41d4b58
id: 749,
item_type: "Decidim:ParticipatoryProcessUserRole",
item_id: 4,
event: "create",
whodunnit: "gid://decidim-app/Decidim::User/6",
object: nil,
created_at: Fri, 03 Dec 2021 15:19:02.338031000 UTC +00:00,
object_changes: "---\nid:\n- \n- 4\ndecidim_user_id:\n- \n- 6\ndecidim_participatory_process_id:\n- \n- 3\nrole:\n- \n- admin\ncreated_at:\n- \n- &1 2021-12-03 15:19:02.338031754 Z\nupdated_at:\n- \n- *1\n">,
#<PaperTrail::Version:0x00005612a41d4a90
id: 759,
item_type: "Decidim:ParticipatoryProcessUserRole",
item_id: 5,
event: "create",
whodunnit: "gid://decidim-app/Decidim::User/8",
object: nil,
created_at: Sun, 05 Dec 2021 14:20:03.599535000 UTC +00:00,
object_changes: "---\nid:\n- \n- 5\ndecidim_user_id:\n- \n- 8\ndecidim_participatory_process_id:\n- \n- 3\nrole:\n- \n- moderator\ncreated_at:\n- \n- &1 2021-12-05 14:20:03.599535221 Z\nupdated_at:\n- \n- *1\n">,
#<PaperTrail::Version:0x00005612a41d49c8
id: 8071,
item_type: "Decidim:ParticipatoryProcessUserRole",
item_id: 6,
event: "create",
whodunnit: "gid://decidim-app/Decidim::User/812",
object: nil,
created_at: Tue, 04 Jul 2023 16:13:26.963716000 UTC +00:00,
object_changes: "---\nid:\n- \n- 6\ndecidim_user_id:\n- \n- 812\ndecidim_participatory_process_id:\n- \n- 35\nrole:\n- \n- admin\ncreated_at:\n- \n- &1 2023-07-04 16:13:26.963716671 Z\nupdated_at:\n- \n- *1\n">]
```
It seems that this entry related to user ID 812 is returned because "8" is the first digit of "812" and the regex doesn't strictly match the correct user ID 8.
TBH I asked ChatGPT for a fix and it suggested the following regex:
```
role_changes.where("object_changes ~ ANY (array[?])", relevant_user_ids.map { |id| "decidim_user_id:\n- ?\n- #{id}(?!\\d)" })
```
I may provide a PR with it, starting with the release/0.27-stable branch, which is the one I use and is still maintained.
To Reproduce
Steps to reproduce the behavior:
- Have 2 space admins in 2 different organizations. The second space admin must have an ID that starts with the user ID of the first space admin.
- Go to the admin accountability of the first space admin organization
- See that the second space admin is also listed
Expected behavior
The admin accountability module must only list space admins of the current organization
Screenshots
None.
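The over-matching described in this issue, reproduced in plain Ruby against constructed PaperTrail object_changes strings (added example, not code from Decidim or from the issue author; the version rows, user IDs and the helper names are constructed). Ruby's Regexp accepts the same `(?!\d)` negative lookahead as PostgreSQL's `~` operator, so the two patterns behave here as they do in the SQL.

```ruby
# Pattern as used in the original scope: the prefix "- 8" also matches "- 812".
def loose_pattern(id)
  Regexp.new("decidim_user_id:\n- ?\n- #{id}")
end

# Tightened pattern: the ID must not be followed by another digit.
def strict_pattern(id)
  Regexp.new("decidim_user_id:\n- ?\n- #{id}(?!\\d)")
end

# Constructed object_changes serialisation in PaperTrail's YAML diff format
# (nil -> new value), as written for the "create" event the scope filters on.
def object_changes_for(user_id, process_id)
  "---\nid:\n- \n- 1\ndecidim_user_id:\n- \n- #{user_id}\n" \
    "decidim_participatory_process_id:\n- \n- #{process_id}\nrole:\n- \n- admin\n"
end

# Constructed sample versions: user 812 and user 68 belong to other organizations.
SAMPLE_VERSIONS = [
  { id: 483,  object_changes: object_changes_for(7, 4) },
  { id: 759,  object_changes: object_changes_for(8, 3) },
  { id: 8071, object_changes: object_changes_for(812, 35) },
  { id: 9001, object_changes: object_changes_for(68, 3) }
].freeze

# Mirrors `object_changes ~ ANY (array[...])`: a version is kept when any
# per-user pattern matches its object_changes. Returns the matching version ids.
def matching_version_ids(versions, relevant_user_ids, strict:)
  patterns = relevant_user_ids.map { |id| strict ? strict_pattern(id) : loose_pattern(id) }
  versions.select { |v| patterns.any? { |re| re.match?(v[:object_changes]) } }.map { |v| v[:id] }
end

if __FILE__ == $PROGRAM_NAME
  p matching_version_ids(SAMPLE_VERSIONS, [8, 7, 6], strict: false) # leaks 8071 and 9001
  p matching_version_ids(SAMPLE_VERSIONS, [8, 7, 6], strict: true)  # only 483 and 759
end
```

With relevant_user_ids [8, 7, 6] the loose pattern also returns the versions for users 812 and 68, which is the cross-organization leak; the lookahead version returns only users 8 and 7.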