Update users endpoint with subquery filtering #10306

Draft: wants to merge 12 commits into base: 1.7.x

abnegate
Member

What does this PR do?

This PR enables the use of Query::select for the users list endpoint (/v1/users), allowing users to specify which attributes they want to retrieve.

It introduces a new Select validator to src/Appwrite/Utopia/Database/Validator/Queries/Base.php to validate select queries. Additionally, it adds logic to app/controllers/api/users.php to specifically handle attributes that correspond to subQueryX filters (e.g., sessions, tokens). If such an attribute is requested via select, it is removed from the select query and its corresponding subQueryX filter (e.g., subQuerySessions) is added to the skipFilters array. This ensures that complex related data is handled correctly by the database layer, preventing errors and maintaining performance, while still allowing users to specify their desired data.

Test Plan

  1. Test Query::select with regular attributes:
    • Make a request to /v1/users with queries[] = Query::select(['$id', 'name', 'email']).
    • Verify that the response only contains the $id, name, and email attributes for each user.
  2. Test Query::select with subQueryX attributes:
    • Make a request to /v1/users with queries[] = Query::select(['$id', 'name', 'sessions', 'tokens']).
    • Verify that the response contains $id and name.
    • Verify that sessions and tokens are not directly present in the user document, but the underlying subQuerySessions and subQueryTokens filters were correctly applied (meaning the related data would be available if not explicitly skipped by other means).
  3. Test Query::select with mixed attributes:
    • Make a request to /v1/users with queries[] = Query::select(['name', 'email', 'memberships']).
    • Verify name and email are returned, and memberships is handled via skipFilters.
  4. Test Query::select with only subQueryX attributes:
    • Make a request to /v1/users with queries[] = Query::select(['sessions', 'challenges']).
    • Verify that no select query is passed to the database (i.e., all attributes are returned as if no select was applied, but subQuerySessions and subQueryChallenges are in skipFilters).
  5. Test invalid select attributes:
    • Make a request to /v1/users with queries[] = Query::select(['nonExistentAttribute']).
    • Verify that an appropriate validation error is returned (e.g., "Query select is not valid: Attribute 'nonExistentAttribute' not found.").

Related PRs and Issues

  • (None)

Checklist

  • Have you read the Contributing Guidelines on issues?
  • If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

…users

Co-authored-by: jakeb994 <jakeb994@gmail.com>

cursor bot commented Aug 12, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

github-actions bot commented Aug 12, 2025

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
binutils 2.42-r0 CVE-2025-0840 HIGH
git 2.45.3-r0 CVE-2025-48384 HIGH
git 2.45.3-r0 CVE-2025-48385 HIGH
git-init-template 2.45.3-r0 CVE-2025-48384 HIGH
git-init-template 2.45.3-r0 CVE-2025-48385 HIGH
icu 74.2-r0 CVE-2025-5222 HIGH
icu-data-en 74.2-r0 CVE-2025-5222 HIGH
icu-dev 74.2-r0 CVE-2025-5222 HIGH
icu-libs 74.2-r0 CVE-2025-5222 HIGH
libexpat 2.6.4-r0 CVE-2024-8176 HIGH
libxml2 2.12.7-r0 CVE-2024-56171 HIGH
libxml2 2.12.7-r0 CVE-2025-24928 HIGH
libxml2 2.12.7-r0 CVE-2025-27113 HIGH
libxml2 2.12.7-r0 CVE-2025-32414 HIGH
libxml2 2.12.7-r0 CVE-2025-32415 HIGH
pyc 3.12.9-r0 CVE-2024-12718 HIGH
pyc 3.12.9-r0 CVE-2025-4138 HIGH
pyc 3.12.9-r0 CVE-2025-4330 HIGH
pyc 3.12.9-r0 CVE-2025-4517 HIGH
python3 3.12.9-r0 CVE-2024-12718 HIGH
python3 3.12.9-r0 CVE-2025-4138 HIGH
python3 3.12.9-r0 CVE-2025-4330 HIGH
python3 3.12.9-r0 CVE-2025-4517 HIGH
python3-pyc 3.12.9-r0 CVE-2024-12718 HIGH
python3-pyc 3.12.9-r0 CVE-2025-4138 HIGH
python3-pyc 3.12.9-r0 CVE-2025-4330 HIGH
python3-pyc 3.12.9-r0 CVE-2025-4517 HIGH
python3-pycache-pyc0 3.12.9-r0 CVE-2024-12718 HIGH
python3-pycache-pyc0 3.12.9-r0 CVE-2025-4138 HIGH
python3-pycache-pyc0 3.12.9-r0 CVE-2025-4330 HIGH
python3-pycache-pyc0 3.12.9-r0 CVE-2025-4517 HIGH
sqlite-libs 3.45.3-r1 CVE-2025-29087 HIGH
xz 5.6.2-r0 CVE-2025-31115 HIGH
xz-libs 5.6.2-r0 CVE-2025-31115 HIGH
golang.org/x/crypto v0.31.0 CVE-2025-22869 HIGH
golang.org/x/oauth2 v0.24.0 CVE-2025-22868 HIGH
stdlib 1.22.10 CVE-2025-47907 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

Comment on lines 646 to 654
// Define attributes that have subQueryX filters
$subQueryAttributes = [
'authenticators' => 'subQueryAuthenticators',
'sessions' => 'subQuerySessions',
'tokens' => 'subQueryTokens',
'challenges' => 'subQueryChallenges',
'memberships' => 'subQueryMemberships',
'targets' => 'subQueryTargets'
];
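
Review bot: the attribute-to-filter pairs in $subQueryAttributes are written out by hand, so a sub-query attribute added to the users collection later will be missing from this map and will not be treated as one. Build the map from the collection's attribute definitions instead, and add a trailing comma after 'targets' => 'subQueryTargets' so the next entry is a one-line diff.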
Member Author

@cursor Don't hardcode these, pull from the collection config with Config::getParam and filter the ones that have subqueries.

Working on it! I'll start making changes in this branch.

];

// Process select queries and identify subQueryX attributes
$skipFilters = ['subQueryAuthenticators', 'subQuerySessions', 'subQueryTokens', 'subQueryChallenges', 'subQueryMemberships', 'subQueryTargets'];
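
Review bot: the $skipFilters literal repeats the six filter names already held as the values of $subQueryAttributes, so the two lists can drift apart; initialise it with array_values($subQueryAttributes). The comment above the assignment says it processes select queries, but this line only sets the default skip list, so reword the comment to say that.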
Member Author

@cursor Don't skip subQueryTargets if targets is in the select query. Based on the attribute from the config.

@cursor cursor bot Aug 12, 2025

I refined the GET /v1/users endpoint to correctly process subQueryX attributes when explicitly selected. This ensures that if a subquery attribute is requested via a select query, its corresponding filter is no longer skipped, allowing the subquery data to be included in the response.

  • I modified the App::get('/v1/users') route handler in app/controllers/api/users.php to adjust how skipFilters are managed.
  • I changed the logic so that skipFilters initially contains all subQueryAttributes values, meaning all subQuery filters are skipped by default.
  • I introduced requestedSubQueryAttributes to track specific subQueryX attributes that are explicitly requested in a select query.
  • I updated the final skipFilters calculation using array_diff($skipFilters, $requestedSubQueryAttributes). This removes any requested subQuery filters from the skipFilters list, ensuring their data is fetched.
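
The skip-by-default logic described in the comment above, as an added PHP example that is not code from this pull request. The attribute list is a constructed stand-in for the users collection config, and `subQueryMap` and `planSelect` are hypothetical helper names.

```php
<?php
// Constructed stand-in for the users collection attributes; the real
// definitions live in the project's collection config (assumed shape).
$attributes = [
    ['$id' => 'name', 'filters' => []],
    ['$id' => 'email', 'filters' => []],
    ['$id' => 'sessions', 'filters' => ['subQuerySessions']],
    ['$id' => 'tokens', 'filters' => ['subQueryTokens']],
    ['$id' => 'targets', 'filters' => ['subQueryTargets']],
];

/** Map attribute id => subQuery filter name, derived from config (hypothetical helper). */
function subQueryMap(array $attributes): array
{
    $map = [];
    foreach ($attributes as $attribute) {
        foreach ($attribute['filters'] ?? [] as $filter) {
            if (str_starts_with($filter, 'subQuery')) {
                $map[$attribute['$id']] = $filter;
            }
        }
    }
    return $map;
}

/** Split a select list into database attributes and filters to skip (hypothetical helper). */
function planSelect(array $attributes, array $selected): array
{
    $map = subQueryMap($attributes);
    $known = array_merge(['$id'], array_column($attributes, '$id'));
    $unknown = array_diff($selected, $known);
    if ($unknown !== []) {
        // Reject names outside the collection before they reach the database layer.
        throw new InvalidArgumentException('Unknown attribute: ' . implode(', ', $unknown));
    }
    // Filters belonging to sub-query attributes the caller named explicitly.
    $requested = array_values(array_intersect_key($map, array_flip($selected)));
    return [
        // Sub-query attributes are removed from the select passed to the database.
        'select' => array_values(array_diff($selected, array_keys($map))),
        // Every sub-query filter is skipped unless its attribute was requested.
        'skipFilters' => array_values(array_diff(array_values($map), $requested)),
    ];
}

// Selecting 'targets' keeps subQueryTargets active; the other sub-queries stay skipped.
echo json_encode(planSelect($attributes, ['$id', 'name', 'targets'])), PHP_EOL;
```

An empty `select` in the result corresponds to the test-plan case where only sub-query attributes are requested and no select query is passed to the database.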

cursoragent and others added 2 commits August 12, 2025 12:16
Co-authored-by: jakeb994 <jakeb994@gmail.com>
Co-authored-by: jakeb994 <jakeb994@gmail.com>
Contributor

coderabbitai bot commented Aug 12, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch cursor/update-users-endpoint-with-subquery-filtering-01a3


github-actions bot commented Aug 12, 2025

✨ Benchmark results

  • Requests per second: 880
  • Requests with 200 status code: 158,427
  • P99 latency: 0.209398908

⚡ Benchmark Comparison

Metric This PR Latest version
RPS 880 851
200 158,427 153,160
P99 0.209398908 0.235184997

cursoragent and others added 3 commits August 12, 2025 12:31
Co-authored-by: jakeb994 <jakeb994@gmail.com>
Co-authored-by: jakeb994 <jakeb994@gmail.com>
cursoragent and others added 2 commits August 12, 2025 12:59
…c implementation

Co-authored-by: jakeb994 <jakeb994@gmail.com>
Co-authored-by: jakeb994 <jakeb994@gmail.com>
Co-authored-by: jakeb994 <jakeb994@gmail.com>
cursoragent and others added 2 commits August 12, 2025 13:16
…fied

Co-authored-by: jakeb994 <jakeb994@gmail.com>
Co-authored-by: jakeb994 <jakeb994@gmail.com>
2 participants