Project access privilege lookup queries wrong access tables #5155

@fallintoplace

What happened?

ProjectAccessResource.getProjectAccessPrivilege builds a query that selects PROJECT_USER_ACCESS.PRIVILEGE, but the query starts from WORKFLOW_USER_ACCESS and filters on DATASET_USER_ACCESS.UID.

Before: project grant/revoke authorization -> project privilege lookup -> SQL references workflow/dataset access tables.
After: project grant/revoke authorization -> project privilege lookup -> SQL reads PROJECT_USER_ACCESS by (pid, uid).

This can make users with valid project access fail project write checks, and can surface database errors instead of the expected project privilege.

How to reproduce?

  1. On main, create a project through ProjectResource.createProject, which inserts a PROJECT_USER_ACCESS WRITE row for the creator.
  2. Call ProjectAccessResource.getProjectAccessPrivilege(pid, creatorUid).
  3. The lookup should return WRITE, but the current query references the wrong access tables.

Branch

main

Commit Hash (Optional)

bf2f92c

What browsers are you seeing the problem on?

N/A - backend bug

Relevant log output

ProjectAccessResource.getProjectAccessPrivilege selects PROJECT_USER_ACCESS.PRIVILEGE from WORKFLOW_USER_ACCESS and filters DATASET_USER_ACCESS.UID.
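
The failure mode described in this issue, as an added example that is not part of the original report or the project's own code: a SQLite stand-in runs the mismatched query shape next to a lookup by (pid, uid). The schema is a constructed minimum (column types, the WID/DID columns, the sample uid/pid values and the helper names are assumptions).

```python
import sqlite3

# Constructed minimal schema: table names and PRIVILEGE/UID come from the issue;
# column types and the PID/WID/DID key columns are assumptions for illustration.
SCHEMA = """
CREATE TABLE PROJECT_USER_ACCESS  (UID INTEGER, PID INTEGER, PRIVILEGE TEXT,
                                   PRIMARY KEY (UID, PID));
CREATE TABLE WORKFLOW_USER_ACCESS (UID INTEGER, WID INTEGER, PRIVILEGE TEXT);
CREATE TABLE DATASET_USER_ACCESS  (UID INTEGER, DID INTEGER, PRIVILEGE TEXT);
"""

# Query shape the issue describes: project column, workflow FROM, dataset filter.
MISMATCHED = """
SELECT PROJECT_USER_ACCESS.PRIVILEGE
FROM WORKFLOW_USER_ACCESS
WHERE DATASET_USER_ACCESS.UID = :uid
"""

# Expected shape: read PROJECT_USER_ACCESS by (pid, uid).
CORRECTED = """
SELECT PRIVILEGE
FROM PROJECT_USER_ACCESS
WHERE PID = :pid AND UID = :uid
"""


def make_db():
    """In-memory database with one constructed grant: uid 7 has WRITE on pid 42."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO PROJECT_USER_ACCESS VALUES (7, 42, 'WRITE')")
    return db


def lookup(db, sql, pid, uid):
    """Return the stored privilege string, or None when no access row matches."""
    row = db.execute(sql, {"pid": pid, "uid": uid}).fetchone()
    return row[0] if row else None


def has_write(db, sql, pid, uid):
    """Hypothetical authorization gate that fails closed on a database error."""
    try:
        return lookup(db, sql, pid, uid) == "WRITE"
    except sqlite3.Error:
        return False
```

With the mismatched query the database rejects the statement because the selected and filtered tables are not in the FROM clause, so a gate built on it denies the project creator; a regression test for the fix can assert that the creator's lookup returns WRITE and that a user without a row gets no privilege.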
