fix(secret-approval-request): skip soft-deleted projects in approval request DAL queries#7090
Conversation
…request DAL queries Four queries in secret-approval-request-dal join project_environments and filter Environment.deleteAfter but never filter Project.deleteAfter. Soft-deleting a project does not soft-delete its environments, so approval requests for projects sitting in the delete grace window were still returned by every find / list / pagination path. The findQuery helper already joins TableName.Project but never enforces whereNull(Project.deleteAfter); the three other ad-hoc subqueries that build the same shape (in findById, find pagination, and the SAR window query) also missed the Project join entirely. Adds the Project join + whereNull(Project.deleteAfter) to every place that already filters Environment.deleteAfter, matching the org-product-stats-dal.ts pattern and the previously shipped fixes. Skipped deleteByProjectId — that path is the project-cleanup worker, which intentionally targets soft-deleted projects for cleanup.
|
| Filename | Overview |
|---|---|
| backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts | Adds Project join + whereNull(Project.deleteAfter) to all four query paths (findQuery helper, findProjectRequestCount, findByProjectId, findByProjectIdBridgeSecretV2) that previously filtered environments but not their parent projects during the soft-delete grace window. |
Reviews (1): Last reviewed commit: "fix(secret-approval-request): skip soft-..." | Re-trigger Greptile
victorvhs017
left a comment
There was a problem hiding this comment.
Thank you for your collaboration!
What
Four queries in
secret-approval-request-dal.tsjoinproject_environmentsand filterEnvironment.deleteAfterbut never filterProject.deleteAfter. Soft-deleting a project does not soft-delete its environments, so approval requests for projects sitting in the delete grace window were still returned by every find / list / pagination path.The shared
findQueryhelper already joinsTableName.Projectbut never enforceswhereNull(Project.deleteAfter); the three other ad-hoc subqueries that build the same shape (infindById, the paginatedfind, and the SAR window query) also missed the Project join entirely.Fix
Adds the
Projectjoin +whereNull(Project.deleteAfter)to every place that already filtersEnvironment.deleteAfter. Mirrors the pattern inorg-product-stats-dal.tsand the previously shipped webhook (#6970), integration (#6983), secret-rotation-v2 (#7002), dynamic-secret (#7065), snapshot (#7066), folder-commit (#7067), honey-token (#7088), and secret-import (#7089) fixes.Not changed
deleteByProjectId— that path is the project-cleanup worker, which intentionally targets soft-deleted projects for cleanup.Checklist