Provide join lock down (#2211)

kwk · web-flow · commit 2661cf80beff · 2018-08-07T15:40:55.000+02:00
This includes an extra-condition in the `ON` part of the table `JOINS` for areas, codebases and iterations to only join those tables filtered by their space ID. I'm not sure though if this really fixes the problem (see #2210 (comment)). ## TODO As of yesterday's (07.08.2018) discussion with @aslakknutsen we did experiments and found that in order to keep the rows in the search small, we have to establish a condition on the final SQL `WHERE` clause that limits the selection to work items from a particular space. At the moment, the current `/api/search` endpoint is so generic that it doesn't require a limitation by space on the root of the `WHERE` clause. That's why @aslakknutsen and I agreed to create a search endpoint under `/api/spaces/<SPACE-UUID>/search` in order to automatically add the space ID to the query condition. This will be implemented in another PR and is tracked in openshiftio/openshift.io#4124 See #2210.
diff --git a/workitem/expression_compiler.go b/workitem/expression_compiler.go
@@ -125,21 +125,21 @@ var DefaultTableJoins = func() TableJoinMap {
 		"iteration": {
 			TableName:        "iterations",
 			TableAlias:       "iter",
-			On:               JoinOnJSONField(SystemIteration, "iter.id"),
+			On:               JoinOnJSONField(SystemIteration, "iter.id") + " AND " + Column("iter", "space_id") + "=" + Column(WorkItemStorage{}.TableName(), "space_id"),
 			PrefixActivators: []string{"iteration."},
 			AllowedColumns:   []string{"name", "created_at"},
 		},
 		"area": {
 			TableName:        "areas",
 			TableAlias:       "ar",
-			On:               JoinOnJSONField(SystemArea, "ar.id"),
+			On:               JoinOnJSONField(SystemArea, "ar.id") + " AND " + Column("ar", "space_id") + "=" + Column(WorkItemStorage{}.TableName(), "space_id"),
 			PrefixActivators: []string{"area."},
 			AllowedColumns:   []string{"name"},
 		},
 		"codebase": {
 			TableName:        "codebases",
 			TableAlias:       "cb",
-			On:               JoinOnJSONField(SystemCodebase, "cb.id"),
+			On:               JoinOnJSONField(SystemCodebase, "cb.id") + " AND " + Column("cb", "space_id") + "=" + Column(WorkItemStorage{}.TableName(), "space_id"),
 			PrefixActivators: []string{"codebase."},
 			AllowedColumns:   []string{"url"},
 		},
