[PR #1179] [CLOSED] fix: filter build update logs by user resource permissions #10480

opened 2026-05-08 16:07:00 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/moghtech/komodo/pull/1179
Author: @litlmike
Created: 2/8/2026
Status: Closed

Base: main ← Head: fix-issue-1011


📝 Commits (1)

  • 6fc412d fix: filter build update logs by user resource permissions

📊 Changes

1 file changed (+13 additions, -4 deletions)

📝 bin/core/src/api/read/update.rs (+13 -4)

📄 Description

Problem

Non-admin users see Run Build update logs from other deployments in the Updates window (issue #1011).

Root Cause

In ListUpdates, when a non-admin user's query contains a $or filter (e.g., when viewing a deployment page that shows associated build updates), the permission filter's $or overwrites the user's $or via Document::extend(). This causes the user's resource-specific filter to be lost, showing all updates the user has permission on rather than the filtered subset.

For example, when viewing a deployment page:

  1. Frontend sends { $or: [deployment_filter, build_filter] }
  2. Backend calls query.extend(doc! { $or: [permission_filters] })
  3. The permission $or replaces the user's $or
  4. User sees all permitted updates instead of just that deployment's updates

Fix

Use $and to combine the user query with the permission filter, preserving both constraints:

  • The user's filter (which resource to show)
  • The permission filter (which resources the user can access)

Fixes #1011


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
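
The overwrite described under Root Cause and the `$and` combination described under Fix, as an added example that is not code from the pull request or from Komodo. It assumes a std-only `BTreeMap` as a stand-in for the query document, a hypothetical `target` field, constructed resource names, and a minimal evaluator that understands only equality, `$or` and `$and`.

```rust
use std::collections::BTreeMap;

// Std-only stand-in for a filter document (assumption, not Komodo's types);
// BTreeMap::extend replaces an existing key, as the PR describes for Document::extend.
enum Val {
    Str(&'static str),
    Docs(Vec<Doc>), // operand list of $or / $and
}
type Doc = BTreeMap<&'static str, Val>;
fn eq(field: &'static str, value: &'static str) -> Doc {
    Doc::from([(field, Val::Str(value))])
}
fn or_targets(targets: &[&'static str]) -> Doc {
    let docs = targets.iter().map(|t| eq("target", *t)).collect();
    Doc::from([("$or", Val::Docs(docs))])
}

// Tiny evaluator: every top-level key of the query must hold for the record.
fn selects(query: &Doc, record: &Doc) -> bool {
    query.iter().all(|(key, val)| match (*key, val) {
        ("$or", Val::Docs(ds)) => ds.iter().any(|d| selects(d, record)),
        ("$and", Val::Docs(ds)) => ds.iter().all(|d| selects(d, record)),
        (field, Val::Str(want)) => matches!(record.get(field), Some(Val::Str(got)) if got == want),
        _ => false,
    })
}

// Before the fix: the permission $or overwrites the user's $or.
fn combine_with_extend(mut user: Doc, permission: Doc) -> Doc {
    user.extend(permission);
    user
}
// After the fix: both constraints are kept under $and.
fn combine_with_and(user: Doc, permission: Doc) -> Doc {
    Doc::from([("$and", Val::Docs(vec![user, permission]))])
}

// Constructed sample: updates exist for five targets, the user may read four.
fn visible_targets(combine: fn(Doc, Doc) -> Doc, wanted: &[&'static str]) -> Vec<&'static str> {
    let all = ["deployment-a", "deployment-b", "deployment-c", "build-1", "build-2"];
    let permitted = ["deployment-a", "deployment-b", "build-1", "build-2"];
    let query = combine(or_targets(wanted), or_targets(&permitted));
    all.iter().copied().filter(|t| selects(&query, &eq("target", *t))).collect()
}

fn main() {
    let page = ["deployment-a", "build-1"]; // deployment page plus its build
    println!("extend: {:?}", visible_targets(combine_with_extend, &page));
    println!("$and:   {:?}", visible_targets(combine_with_and, &page));
}
```

With `combine_with_extend` the deployment page lists all four permitted targets; with `combine_with_and` it lists only `deployment-a` and `build-1`, and a request for the unpermitted `deployment-c` returns nothing.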

GiteaMirror added the pull-request label 2026-05-08 16:07:00 -05:00
Reference: github-starred/komodo#10480