
investigation of unauthorized (public) queries (get_objects_for_user)

It's been established here: #249 (comment 689232) that unauthorized queries. Context: there's one call coming from django-guardian called get_objects_for_user that takes in a user, a permission (like "view log"), and a list of objects, and it returns a subset of those objects that a user can actually see. Please see this ticket: #289

I'm going to document the process for making this call faster. I think it's going to be two steps:

  1. Mitigation: reducing the number of objects that this function has to filter. Also see the above ticket.
  2. Optimization: we very well might be calling this function sub-optimally. So after the first step, see what we might be doing wrong.