Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A Member's GridField and a delete button will make a lot of duplicate queries #11589

Open
2 tasks done
lekoala opened this issue Jan 31, 2025 · 3 comments
Open
2 tasks done

A Member's GridField and a delete button will make a lot of duplicate queries #11589

lekoala opened this issue Jan 31, 2025 · 3 comments
Labels
affects/v5 affects/v6 type/enhancement

Comments

@lekoala
Copy link
Contributor

lekoala commented Jan 31, 2025

Module version(s) affected

5.x

Description

I just noticed a lot of duplicate queries on a Member's GridField. This is due to the canDelete checks being made that will always check to see if a non admin member can delete an admin

silverstripe-framework/src/Security/Member.php

Lines 1559 to 1566 in e7cccf6

// HACK: if you want to delete a member, you have to be a member yourself.
// this is a hack because what this should do is to stop a user
// deleting a member who has more privileges (e.g. a non-Admin deleting an Admin)
if (Permission::checkMember($this, 'ADMIN')) {
if (!Permission::checkMember($member, 'ADMIN')) {
return false;
}
}

note that the comment is not accurate, because that's in fact what its doing : checking if a non admin tries to delete an admin

This is the current situation. 68 queries + a lot of duplicate Permission::groupList calls.

Image

this can be mitigated easily by checking before hand if the user is an admin. if so, the hack is not necessary. This reduces the number of queries to 17

Image

This is not super slow as such (reducing queries from 68 to 17 is great, but it doesn't result in a huge speedup) so this seems low priority.

How to reproduce

  • Have a GridField with a Member's DataList
  • Check queries being made due to canDelete checks if you have a GridFieldDeleteAction

Possible Solution

  • Disabling the hack for admins helps, to a certain degree. It doesn't help for regular users
  • I'm not sure the hack belongs there in the first place. It could be removed entirely. Security checks like this could be enforced at orm level in onBeforeDelete that can throw an exception
  • Better caching could also mitigate the issue. Currently, the Permission::groupList is called multiple times. Improving this would limit the extra costs of checking each user permissions.

Additional Context

No response

Validations

  • Check that there isn't already an issue that reports the same bug
  • Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)
@lekoala
Copy link
Contributor Author

lekoala commented Jan 31, 2025

Note for others: removing the GridFieldDeleteAction works well in th meantime
I'm not sure it makes a lot of sense anyway to delete things like a Member record from a GridField list

Simply add this:

            $config = $config->removeComponentsByType(GridFieldDeleteAction::class);

@GuySartorelli
Copy link
Member

GuySartorelli commented Feb 2, 2025
edited
Loading

Note that while this isn't optimal behaviour, it's also not really a bug. Just sub-optimal code that can be improved.

@lekoala
Copy link
Contributor Author

lekoala commented Feb 3, 2025

Note that while this isn't optimal behaviour, it's also not really a bug. Just sub-optimal code that can be improved.

yes, i fully agree

and it only happens when you have a GridFieldDeleteAction (or any piece of code that calls canDelete)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affects/v5 affects/v6 type/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lekoala @GuySartorelli