Fix: incorrect queryset assignment and invalid field lookup in product_meta_value #2742

Open
keshviagrawal wants to merge 8 commits into fossasia:dev from keshviagrawal:fix-product-meta-values-2741

Conversation

Contributor

@keshviagrawal keshviagrawal commented Mar 10, 2026

Found a bug in product_meta_values where non-admin users were getting a 500 error.

The main issues were:

  • The filter was using event__id on a model that doesn't have it (needs to go through the product).
  • defaults was being overwritten by a different queryset type, which broke things later in the function.

I've separated the filters and used the correct product__event__id path. Also cleaned it up by putting the team's event IDs into a single variable to avoid hitting the DB twice.

Additionally, I added organizer-level filtering (organizer=organizer) to ensure that users only access product meta values belonging to their respective organizer.

Previously, team members associated with multiple organizers could potentially access data across events from different organizers when filtering by limit_events. This change improves data isolation and security alongside fixing the 500 error.

Fixes #2741

Summary by Sourcery

Fix access-controlled product meta value lookups to avoid server errors for non-admin users.

Bug Fixes:

  • Correct the queryset filters in product_meta_values to use the proper event relationship and avoid invalid field lookups.
  • Ensure the defaults queryset is filtered correctly without being overwritten by an incompatible queryset type for non-admin users.

Enhancements:

  • Reuse a single computed list of user-accessible event IDs when filtering product meta values to reduce duplicate database queries.

Copilot AI review requested due to automatic review settings March 10, 2026 19:59
Contributor

sourcery-ai bot commented Mar 10, 2026

Reviewer's Guide

Restricts product_meta_values results for non-admin users by correctly scoping both defaults and matches querysets to the user’s permitted event IDs, fixing an incorrect field lookup and a queryset mix-up that caused 500s.

Sequence diagram for non-admin product_meta_values filtering

sequenceDiagram
    actor User
    participant Browser
    participant DjangoView as product_meta_values
    participant TeamQS as UserTeams
    participant DefaultsQS as DefaultsQueryset
    participant MatchesQS as MatchesQueryset

    User->>Browser: Type in product metadata field
    Browser->>DjangoView: AJAX request to product_meta_values

    DjangoView->>DjangoView: Compute all_access flag
    alt all_access is false (non-admin or limited access)
        DjangoView->>TeamQS: filter(can_change_items=True)
        TeamQS-->>DjangoView: teams_queryset
        DjangoView->>TeamQS: values_list(limit_events__id, flat=True)
        TeamQS-->>DjangoView: user_event_ids

        DjangoView->>DefaultsQS: defaults.filter(event__id__in=user_event_ids)
        DefaultsQS-->>DjangoView: scoped_defaults

        DjangoView->>MatchesQS: matches.filter(product__event__id__in=user_event_ids)
        MatchesQS-->>DjangoView: scoped_matches
    else all_access is true (admin or all_events)
        DjangoView->>DjangoView: Use unfiltered defaults and matches
    end

    DjangoView-->>Browser: JsonResponse with defaults and matches
    Browser-->>User: Render filtered typeahead suggestions

Flow diagram for product_meta_values access and filtering logic

flowchart TD
    A[Start product_meta_values view] --> B[Compute all_access
- user.is_superuser or user.is_staff
- or team with all_events and can_change_items for organizer]
    B -->|all_access is true| C[Use existing defaults and matches querysets]
    B -->|all_access is false| D[Query user teams with can_change_items=True]

    D --> E[Extract user_event_ids via values_list limit_events__id flat True]
    E --> F[Filter defaults by event__id__in user_event_ids]
    E --> G[Filter matches by product__event__id__in user_event_ids]

    C --> H[Return JsonResponse]
    F --> H
    G --> H
    H[End: return filtered JSON results]

File-Level Changes

Change: Fix non-admin product_meta_values permissions by filtering both defaults and matches with consistent, correct event constraints.
Details:
  • Introduce user_event_ids queryset to compute the current user's permitted event IDs once and reuse it.
  • Change defaults filtering to apply event__id__in=user_event_ids instead of reassigning defaults from matches.
  • Change matches filtering to use the correct product__event__id__in=user_event_ids path instead of the invalid event__id lookup on the wrong model.
Files: app/eventyay/control/views/typeahead.py

Assessment against linked issues

Issue | Objective | Addressed | Explanation
#2741 | Correct the invalid field lookup in the access restriction for product_meta_values so that ProductMetaValue is filtered via product__event__id instead of a nonexistent direct event field. | |
#2741 | Preserve the correct queryset types by ensuring defaults (ProductMetaProperty queryset) is not overwritten with a ProductMetaValue queryset and instead is filtered separately while maintaining its original model. | |

Contributor

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Consider materializing user_event_ids (e.g., list(user_event_ids)) before using it in both defaults.filter(...) and matches.filter(...) to avoid evaluating the queryset twice and issuing duplicate database queries.

Contributor

Copilot AI left a comment

Pull request overview

Fixes a permission-path bug in the control-panel typeahead endpoint for product meta values that caused 500 errors for non-admin users by correcting queryset filtering and preserving queryset types.

Changes:

  • Corrects access-restriction filtering by applying event scoping on the proper model path (product__event__id for ProductMetaValue).
  • Prevents accidental reassignment of defaults to a queryset of the wrong model by filtering defaults and matches independently.
  • Reuses a single user_event_ids subquery for both filters.

Comment on lines +684 to +687
if not all_access:
defaults = matches.filter(
event__id__in=request.user.teams.filter(can_change_items=True).values_list('limit_events__id', flat=True)
)
matches = matches.filter(
product__event__id__in=request.user.teams.filter(can_change_items=True).values_list(
'limit_events__id', flat=True
)
)
user_event_ids = request.user.teams.filter(can_change_items=True).values_list('limit_events__id', flat=True)
defaults = defaults.filter(event__id__in=user_event_ids)
matches = matches.filter(product__event__id__in=user_event_ids)
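Review bot: the replacement `user_event_ids` line filters `request.user.teams` by `can_change_items=True` only, with no `organizer=organizer` constraint, so the `limit_events` of teams the user holds under any other organizer also flow into the `__in` subquery that now scopes both `defaults` and `matches`; add the organizer constraint to the team filter, and cover the `not all_access` branch with a regression test that asserts a 200 response and that only events from this organizer's `limit_events` are returned, so the old `event__id` lookup on the ProductMetaValue queryset (which raised FieldError) cannot come back unnoticed.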

Copilot AI Mar 10, 2026

Add a regression test that exercises the non-all_access branch (user has organizer permission but only limited event permissions) and asserts this endpoint returns 200 (no FieldError/500) and only returns values for events in the user's limit_events. This would prevent the original queryset/lookup bug from being reintroduced.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 10, 2026 20:09
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


Comment on lines +684 to +690
if not all_access:
defaults = matches.filter(
event__id__in=request.user.teams.filter(can_change_items=True).values_list('limit_events__id', flat=True)
)
matches = matches.filter(
product__event__id__in=request.user.teams.filter(can_change_items=True).values_list(
'limit_events__id', flat=True
)
)
user_event_ids = request.user.teams.filter(
can_change_items=True,
organizer=organizer,
).values_list('limit_events__id', flat=True)
defaults = defaults.filter(event__id__in=user_event_ids)
matches = matches.filter(product__event__id__in=user_event_ids)
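Review bot: the `not all_access` branch still has no regression test; add one where the user sits on `can_change_items=True` teams under two organizers, assert the endpoint returns 200 (the removed `event__id` lookup raised FieldError) and that the JSON contains only events from this organizer's `limit_events`, since the `organizer=organizer` constraint added to the team filter here is exactly what such a test pins down. Note also that `user_event_ids` stays a lazy `values_list` queryset, so both `filter(...__in=user_event_ids)` calls embed it as a subselect rather than evaluating it in Python; materializing it with `list(...)` is optional and would trade that subselect for one extra query with a literal id list.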

Copilot AI Mar 10, 2026

Consider adding a regression test for the non-admin path (not all_access) to assert this endpoint returns 200 and only includes meta values from events in limit_events (and does not raise FieldError). This would prevent reintroducing the 500 error reported in #2741.

Contributor

Rachit7168 commented Mar 11, 2026

Hi @keshviagrawal

Include the related issue number in the PR description and not in the PR title itself. Maintainers usually recommend linking the issue; just a small suggestion to align with the contribution guidelines.

@keshviagrawal keshviagrawal changed the title Fix: incorrect queryset assignment and invalid field lookup in product_meta_values #2741 Fix: incorrect queryset assignment and invalid field lookup in product_meta_value Mar 11, 2026
Contributor Author

Thanks for the suggestion @Rachit7168! I've updated the title to follow the contribution guidelines.

Contributor

Good fix on the product__event__id__in field path that was definitely causing the FieldError on non-admin users.

One thing worth highlighting explicitly: the new code adds organizer=organizer to the team filter, which wasn't in the original. Without it, a user who's a team member across multiple organizers could see product meta values for events from other organizers when filtering by limit_events. The new scope fix is correct; it's just worth documenting in the PR description since it's a data isolation improvement on top of the 500 fix.
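The organizer-isolation point made in this comment and in the PR description, as an added pure-Python model that is neither eventyay code nor Django: the dataclasses below stand in for Team and ProductMetaValue, `permitted_event_ids` mirrors the `request.user.teams.filter(...).values_list('limit_events__id', flat=True)` subquery with and without the `organizer=organizer` constraint, `has_all_access` mirrors the all_access flag from the reviewer's guide, and `scope_meta_values` mirrors the `product__event__id__in` filter on the non-admin branch. The teams, event ids and meta values are constructed sample data.

```python
"""Pure-Python model of the non-admin scoping in product_meta_values.

Added example, not code from eventyay and not Django: the dataclasses stand in
for Team and ProductMetaValue, and the functions mirror the queryset filters
discussed in the PR so the organizer-isolation point can be checked without a
database.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Team:
    organizer: str                      # organizer slug the team belongs to
    can_change_items: bool
    all_events: bool = False            # team may edit every event of its organizer
    limit_events: frozenset = field(default_factory=frozenset)  # event ids otherwise


@dataclass(frozen=True)
class ProductMetaValue:
    product_event: str                  # stands in for product__event__id
    value: str


def has_all_access(is_staff, teams, organizer):
    """Mirror of the all_access flag: superuser/staff, or a team of this
    organizer that has all_events and can_change_items."""
    return is_staff or any(
        t.organizer == organizer and t.all_events and t.can_change_items for t in teams
    )


def permitted_event_ids(teams, organizer=None):
    """Mirror of request.user.teams.filter(can_change_items=True, ...)
    .values_list('limit_events__id', flat=True).

    organizer=None reproduces the first revision of the PR (no organizer
    constraint); passing the organizer reproduces the final revision.
    """
    ids = set()
    for team in teams:
        if not team.can_change_items:
            continue
        if organizer is not None and team.organizer != organizer:
            continue
        ids |= team.limit_events
    return ids


def scope_meta_values(values, teams, organizer, is_staff=False, organizer_scoped=True):
    """Return the meta values a user may see on this organizer's typeahead.

    Mirrors matches.filter(product__event__id__in=user_event_ids) on the
    non-admin branch and the unfiltered queryset on the all_access branch.
    """
    if has_all_access(is_staff, teams, organizer):
        return list(values)
    event_ids = permitted_event_ids(teams, organizer if organizer_scoped else None)
    return [v for v in values if v.product_event in event_ids]


# Constructed sample data: one user on teams under two organizers.
TEAMS = [
    Team("acme", can_change_items=True, limit_events=frozenset({"acme-conf"})),
    Team("acme", can_change_items=False, limit_events=frozenset({"acme-party"})),
    Team("globex", can_change_items=True, limit_events=frozenset({"globex-expo"})),
]
VALUES = [
    ProductMetaValue("acme-conf", "vegan"),
    ProductMetaValue("acme-party", "vip"),
    ProductMetaValue("globex-expo", "vegan"),
]


def compare_revisions(organizer="acme"):
    """Event ids visible to the sample user under each revision of the team filter."""
    before = scope_meta_values(VALUES, TEAMS, organizer, organizer_scoped=False)
    after = scope_meta_values(VALUES, TEAMS, organizer)
    return sorted(v.product_event for v in before), sorted(v.product_event for v in after)


if __name__ == "__main__":
    before, after = compare_revisions()
    print("without organizer=organizer:", before)  # includes globex-expo
    print("with organizer=organizer:   ", after)   # only acme-conf
```

`compare_revisions()` shows the difference the comment describes: without the organizer constraint the globex team's `limit_events` leak into the acme typeahead, with it only `acme-conf` remains, and `acme-party` is excluded in both cases because that team lacks `can_change_items`. The model covers the team filter and the all_access branch only; whatever organizer scoping the view applies to its base querysets is outside it.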

Contributor Author

Thanks @shivam-pawar-7217 for pointing that out! I've clarified the organizer-level filtering and its impact on data isolation here.

keshviagrawal and others added 2 commits March 17, 2026 22:29
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 18, 2026 14:11
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Member

@mariobehling mariobehling left a comment

Please provide a screencast showing that the fix works on the system itself. Thanks.

Contributor Author

Demo.mp4

Added a screencast demonstrating the fix.

The video shows:

  • Non-admin user accessing the product page
  • Page loads successfully without any 500 error
  • Network requests returning 200 status

Copilot AI review requested due to automatic review settings March 31, 2026 21:05
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Projects

Status: Backlog

Development

Successfully merging this pull request may close these issues.

Bug: Incorrect queryset assignment and invalid field lookup in product_meta_values

6 participants