fix: improve db drop down perf by prefiltering (#60652)

edpaget · edpaget · commit 5fc29c4e4090 · 2025-07-28T08:27:15.000-05:00
diff --git a/src/metabase/permissions/core.clj b/src/metabase/permissions/core.clj
@@ -57,6 +57,7 @@
  [metabase.permissions.models.data-permissions.sql
   UserInfo
   PermissionMapping
+  visible-database-filter-select
   visible-table-filter-select]
  [metabase.permissions.models.permissions
   audit-namespace-clause
diff --git a/src/metabase/permissions/models/data_permissions/sql.clj b/src/metabase/permissions/models/data_permissions/sql.clj
@@ -135,3 +135,35 @@
                              [(apply has-perms-for-table-as-honey-sql? user-id perm-type (cond-> perm-level
                                                                                            (not (sequential? perm-level)) vector))]))
                    permission-mapping))})
+
+(mu/defn- has-perms-for-database-as-honey-sql?
+  "Builds an EXISTS (SELECT ...) half-join to filter databases that a user has the required permissions for.
+   Similar to has-perms-for-table-as-honey-sql? but specifically for database-level permissions."
+  [user-id :- pos-int?
+   perm-type :- :keyword
+   required-level :- :keyword
+   & [most-or-least :- [:maybe [:enum :most :least]]]]
+  [:exists {:select [1]
+            :from [[:data_permissions :dp]]
+            :where [:and
+                    [:= :dp.perm_type (h2x/literal perm-type)]
+                    [:= :md.id :dp.db_id]
+                    (user-in-group-half-join user-id)]
+            :group-by [:md.id]
+            :having [(perm-condition perm-type required-level (or most-or-least :least))]}])
+
+(mu/defn visible-database-filter-select
+  "Selects database IDs that are visible to the provided user given a mapping of permission types to the required value.
+   Similar to visible-table-filter-select but for databases."
+  [{:keys [user-id is-superuser?]} :- UserInfo
+   permission-mapping :- PermissionMapping]
+  {:select [:md.id]
+   :from [[:metabase_database :md]]
+   :where (if is-superuser?
+            [:= [:inline 1] [:inline 1]]
+            (into [:and]
+                  (mapcat (fn [[perm-type perm-level]]
+                            [(apply has-perms-for-database-as-honey-sql?
+                                    user-id perm-type (cond-> perm-level
+                                                        (not (sequential? perm-level)) vector))]))
+                  permission-mapping))})
diff --git a/src/metabase/warehouses/api.clj b/src/metabase/warehouses/api.clj
@@ -256,23 +256,28 @@
   (let [filter-on-router-database-id (when (some->> router-database-id
                                                     (perms/user-has-permission-for-database? api/*current-user-id* :perms/manage-database :yes))
                                        router-database-id)
-        dbs (t2/select :model/Database {:order-by [:%lower.name :%lower.engine]
-                                        :where [:and
-                                                (when-not include-analytics?
-                                                  [:= :is_audit false])
-                                                (if filter-on-router-database-id
-                                                  [:= :router_database_id router-database-id]
-                                                  [:= :router_database_id nil])]})
         filter-by-data-access? (not (or include-editable-data-model?
                                         exclude-uneditable-details?
-                                        filter-on-router-database-id))]
+                                        filter-on-router-database-id))
+        user-info {:user-id api/*current-user-id* :is-superuser? (mi/superuser?)}
+        permission-mapping {:perms/create-queries :query-builder}
+        base-where [:and
+                    (when-not include-analytics?
+                      [:= :is_audit false])
+                    (if filter-on-router-database-id
+                      [:= :router_database_id router-database-id]
+                      [:= :router_database_id nil])]
+        where-clause (if filter-by-data-access?
+                       [:and base-where (mi/visible-filter-clause :model/Database :id user-info permission-mapping)]
+                       base-where)
+        dbs (t2/select :model/Database {:order-by [:%lower.name :%lower.engine]
+                                        :where where-clause})]
     (cond-> (add-native-perms-info dbs)
       include-tables?              add-tables
       true                         add-can-upload-to-dbs
       true                         (t2/hydrate :router_user_attribute)
       include-editable-data-model? filter-databases-by-data-model-perms
       exclude-uneditable-details?  (#(filter (some-fn :is_attached_dwh mi/can-write?) %))
-      filter-by-data-access?       (#(filter mi/can-read? %))
       include-saved-questions-db?  (add-saved-questions-virtual-database :include-tables? include-saved-questions-tables?)
       ;; Perms checks for uploadable DBs are handled by exclude-uneditable-details? (see below)
       include-only-uploadable?     (#(filter uploadable-db? %)))))
diff --git a/src/metabase/warehouses/models/database.clj b/src/metabase/warehouses/models/database.clj
@@ -122,6 +122,11 @@
    (and (can-write? pk)
         (not (:is_attached_dwh (t2/select-one :model/Database :id pk))))))
 
+(mu/defmethod mi/visible-filter-clause :model/Database
+  [_model column-or-exp user-info permission-mapping]
+  [:in column-or-exp
+   (perms/visible-database-filter-select user-info permission-mapping)])
+
 (defn- infer-db-schedules
   "Infer database schedule settings based on its options."
   [{:keys [details is_full_sync is_on_demand cache_field_values_schedule metadata_sync_schedule] :as database}]
diff --git a/test/metabase/permissions/models/data_permissions_test.clj b/test/metabase/permissions/models/data_permissions_test.clj
@@ -516,6 +516,88 @@
           (is (= :query-builder (data-perms/most-permissive-database-permission-for-user
                                  user-id-1 :perms/create-queries database-id-1))))))))
 
+(deftest most-permissive-database-permission-for-user-multiple-groups-test
+  (testing "most-permissive-database-permission-for-user with multiple groups"
+    (mt/with-temp [:model/PermissionsGroup {group-id-1 :id} {}
+                   :model/PermissionsGroup {group-id-2 :id} {}
+                   :model/PermissionsGroup {group-id-3 :id} {}
+                   :model/User {user-id :id} {}
+                   :model/PermissionsGroupMembership {} {:user_id user-id
+                                                         :group_id group-id-1}
+                   :model/PermissionsGroupMembership {} {:user_id user-id
+                                                         :group_id group-id-2}
+                   :model/PermissionsGroupMembership {} {:user_id user-id
+                                                         :group_id group-id-3}
+                   :model/Database {database-id :id} {}
+                   :model/Table {table-id-1 :id} {:db_id database-id}
+                   :model/Table {table-id-2 :id} {:db_id database-id}
+                   :model/Table {table-id-3 :id} {:db_id database-id}]
+      (mt/with-no-data-perms-for-all-users!
+        ;; Clear the default permissions for all groups
+        (doseq [group-id [group-id-1 group-id-2 group-id-3]]
+          (t2/delete! :model/DataPermissions :group_id group-id))
+
+        (testing "Returns most permissive permission when user has different levels across groups"
+          ;; Group 1: no permissions (least permissive)
+          (data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :no)
+          (data-perms/set-table-permission! group-id-1 table-id-2 :perms/create-queries :no)
+          (data-perms/set-table-permission! group-id-1 table-id-3 :perms/create-queries :no)
+
+          ;; Group 2: query-builder permissions (medium permissive)
+          (data-perms/set-table-permission! group-id-2 table-id-1 :perms/create-queries :query-builder)
+          (data-perms/set-table-permission! group-id-2 table-id-2 :perms/create-queries :query-builder)
+          (data-perms/set-table-permission! group-id-2 table-id-3 :perms/create-queries :no)
+
+          ;; Group 3: native permissions (most permissive)
+          (data-perms/set-table-permission! group-id-3 table-id-1 :perms/create-queries :query-builder-and-native)
+          (data-perms/set-table-permission! group-id-3 table-id-2 :perms/create-queries :no)
+          (data-perms/set-table-permission! group-id-3 table-id-3 :perms/create-queries :no)
+
+          ;; Should return the most permissive permission found across all tables and groups
+          (is (= :query-builder-and-native
+                 (data-perms/most-permissive-database-permission-for-user
+                  user-id :perms/create-queries database-id))))
+
+        (testing "Coalesces permissions correctly for :perms/view-data"
+          ;; Group 1: blocked for all tables
+          (data-perms/set-table-permission! group-id-1 table-id-1 :perms/view-data :blocked)
+          (data-perms/set-table-permission! group-id-1 table-id-2 :perms/view-data :blocked)
+          (data-perms/set-table-permission! group-id-1 table-id-3 :perms/view-data :blocked)
+
+          ;; Group 2: unrestricted for one table
+          (data-perms/set-table-permission! group-id-2 table-id-1 :perms/view-data :unrestricted)
+          (data-perms/set-table-permission! group-id-2 table-id-2 :perms/view-data :blocked)
+          (data-perms/set-table-permission! group-id-2 table-id-3 :perms/view-data :blocked)
+
+          ;; Group 3: legacy-no-self-service for remaining tables
+          (data-perms/set-table-permission! group-id-3 table-id-1 :perms/view-data :blocked)
+          (data-perms/set-table-permission! group-id-3 table-id-2 :perms/view-data :legacy-no-self-service)
+          (data-perms/set-table-permission! group-id-3 table-id-3 :perms/view-data :legacy-no-self-service)
+
+          ;; Should return :unrestricted (most permissive) as per coalesce logic
+          (is (= :unrestricted
+                 (data-perms/most-permissive-database-permission-for-user
+                  user-id :perms/view-data database-id))))
+
+        (testing "Returns correct permission when all groups have same level"
+          ;; All groups have query-builder permission
+          (data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :query-builder)
+          (data-perms/set-table-permission! group-id-2 table-id-1 :perms/create-queries :query-builder)
+          (data-perms/set-table-permission! group-id-3 table-id-1 :perms/create-queries :query-builder)
+
+          (is (= :query-builder
+                 (data-perms/most-permissive-database-permission-for-user
+                  user-id :perms/create-queries database-id))))
+
+        (testing "Returns least permissive value when no permissions are granted"
+          ;; Remove all permissions
+          (doseq [group-id [group-id-1 group-id-2 group-id-3]]
+            (t2/delete! :model/DataPermissions :group_id group-id))
+
+          (is (= :no
+                 (data-perms/most-permissive-database-permission-for-user
+                  user-id :perms/create-queries database-id))))))))
+
 (deftest set-new-database-permissions!-test
   (mt/with-temp [:model/PermissionsGroup {group-id :id} {}
                  :model/Database         {db-id-1 :id}  {}
diff --git a/test/metabase/warehouses/models/database_test.clj b/test/metabase/warehouses/models/database_test.clj
@@ -11,6 +11,8 @@
    [metabase.lib.test-util :as lib.tu]
    [metabase.models.interface :as mi]
    [metabase.models.serialization :as serdes]
+   [metabase.permissions.core :as perms]
+   [metabase.permissions.models.data-permissions :as data-perms]
    [metabase.query-processor.store :as qp.store]
    [metabase.request.core :as request]
    [metabase.secrets.core :as secret]
@@ -627,3 +629,142 @@
              (t2/hydrate :tables)
              :tables
              (#(map :name %))))))
+
+(deftest visible-filter-clause-test
+  (testing "Database visible-filter-clause generates a HoneySQL clause that filters databases based on user permissions"
+    (mt/with-no-data-perms-for-all-users!
+      (mt/with-temp [:model/Database {db1-id :id} {:name "Database 1"}
+                     :model/Database {db2-id :id} {:name "Database 2"}
+                     :model/Database {db3-id :id} {:name "Database 3"}
+                     :model/Table _ {:db_id db1-id :name "Table1"}
+                     :model/Table _ {:db_id db2-id :name "Table2"}
+                     :model/Table _ {:db_id db3-id :name "Table3"}
+                     :model/PermissionsGroup pg1 {}
+                     :model/PermissionsGroup pg2 {}]
+
+        ;; Set up permissions: user has access to db1 and db2 via different groups, but not db3
+        (perms/add-user-to-group! (mt/user->id :rasta) pg1)
+        (perms/add-user-to-group! (mt/user->id :rasta) pg2)
+
+        ;; Clear existing permissions for our test databases only
+        (t2/delete! :model/DataPermissions :db_id [:in [db1-id db2-id db3-id]])
+
+        ;; Grant permissions to specific databases
+        (data-perms/set-database-permission! pg1 db1-id :perms/view-data :unrestricted)
+        (data-perms/set-database-permission! pg1 db1-id :perms/create-queries :query-builder)
+
+        (data-perms/set-database-permission! pg2 db2-id :perms/view-data :unrestricted)
+        (data-perms/set-database-permission! pg2 db2-id :perms/create-queries :query-builder)
+
+        ;; No permissions for db3
+        (data-perms/set-database-permission! pg1 db3-id :perms/view-data :blocked)
+        (data-perms/set-database-permission! pg2 db3-id :perms/view-data :blocked)
+
+        (let [user-id (mt/user->id :rasta)
+              fetch-visible-ids (fn [user-info permission-mapping column-field]
+                                  (let [filter-clause (mi/visible-filter-clause :model/Database column-field user-info permission-mapping)]
+                                    (t2/select-pks-set :model/Database
+                                                       {:where [:and
+                                                                filter-clause
+                                                                [:in :id [db1-id db2-id db3-id]]]})))] ; Only check our test databases
+
+          (testing "Superuser should see all databases"
+            (let [user-info {:user-id user-id :is-superuser? true}
+                  permission-mapping {:perms/view-data :unrestricted
+                                      :perms/create-queries :query-builder}]
+              (is (= #{db1-id db2-id db3-id}
+                     (fetch-visible-ids user-info permission-mapping :id))
+                  "Superuser should see all databases")))
+
+          (testing "Non-superuser should only see databases they have permissions for"
+            (let [user-info {:user-id user-id :is-superuser? false}
+                  permission-mapping {:perms/view-data :unrestricted
+                                      :perms/create-queries :query-builder}]
+              (is (= #{db1-id db2-id}
+                     (fetch-visible-ids user-info permission-mapping :id))
+                  "Non-superuser should only see databases with sufficient permissions")))
+
+          (testing "Using qualified column name"
+            (let [user-info {:user-id user-id :is-superuser? false}
+                  permission-mapping {:perms/view-data :unrestricted
+                                      :perms/create-queries :query-builder}]
+              (is (= #{db1-id db2-id}
+                     (fetch-visible-ids user-info permission-mapping :metabase_database.id))
+                  "Should work with qualified column names")))
+
+          (testing "Using column expression"
+            (let [user-info {:user-id user-id :is-superuser? false}
+                  permission-mapping {:perms/view-data :unrestricted
+                                      :perms/create-queries :query-builder}]
+              (is (= #{db1-id db2-id}
+                     (fetch-visible-ids user-info permission-mapping [:coalesce :id :metabase_database.id]))
+                  "Should work with column expressions")))
+
+          (testing "Different permission levels"
+            (testing "Requiring only view-data permissions"
+              (let [user-info {:user-id user-id :is-superuser? false}
+                    permission-mapping {:perms/view-data :unrestricted
+                                        :perms/create-queries :no}]
+                (is (= #{db1-id db2-id}
+                       (fetch-visible-ids user-info permission-mapping :id))
+                    "Should include databases where user has view permissions")))
+
+            (testing "Requiring blocked level permissions (most permissive)"
+              (let [user-info {:user-id user-id :is-superuser? false}
+                    permission-mapping {:perms/view-data :blocked
+                                        :perms/create-queries :no}]
+                (is (= #{db1-id db2-id db3-id}
+                       (fetch-visible-ids user-info permission-mapping :id))
+                    "Should include all databases when requiring only blocked level"))))
+
+          (testing "User with no permissions"
+            ;; Remove user from groups we added (avoid touching All Users group)
+            (t2/delete! :model/PermissionsGroupMembership
+                        :user_id user-id
+                        :group_id [:in [(:id pg1) (:id pg2)]])
+
+            (let [user-info {:user-id user-id :is-superuser? false}
+                  permission-mapping {:perms/view-data :unrestricted
+                                      :perms/create-queries :query-builder}]
+              (is (empty? (fetch-visible-ids user-info permission-mapping :id))
+                  "User with no group memberships should see no databases"))))))))
+
+(deftest visible-filter-clause-table-level-permissions-test
+  (testing "Database visible-filter-clause with table-level permissions"
+    (mt/with-no-data-perms-for-all-users!
+      (mt/with-temp [:model/Database {db-id :id} {:name "Test Database"}
+                     :model/Table {table1-id :id} {:db_id db-id :name "Table1"}
+                     :model/Table {table2-id :id} {:db_id db-id :name "Table2"}
+                     :model/Table _ {:db_id db-id :name "Table3"}
+                     :model/PermissionsGroup pg {}]
+
+        (perms/add-user-to-group! (mt/user->id :rasta) pg)
+
+        ;; Clear existing permissions for our test database only
+        (t2/delete! :model/DataPermissions :db_id db-id)
+
+        ;; Block database-level access
+        (data-perms/set-database-permission! pg db-id :perms/view-data :blocked)
+        (data-perms/set-database-permission! pg db-id :perms/create-queries :no)
+
+        ;; Grant table-level permissions to only table1 and table2
+        (data-perms/set-table-permission! pg table1-id :perms/view-data :unrestricted)
+        (data-perms/set-table-permission! pg table1-id :perms/create-queries :query-builder)
+
+        (data-perms/set-table-permission! pg table2-id :perms/view-data :unrestricted)
+        (data-perms/set-table-permission! pg table2-id :perms/create-queries :query-builder)
+
+        ;; table3 remains blocked
+
+        (let [user-id (mt/user->id :rasta)
+              user-info {:user-id user-id :is-superuser? false}
+              permission-mapping {:perms/view-data :unrestricted
+                                  :perms/create-queries :query-builder}
+              filter-clause (mi/visible-filter-clause :model/Database :id user-info permission-mapping)
+              visible-db-ids (t2/select-pks-set :model/Database
+                                                {:where [:and
+                                                         filter-clause
+                                                         [:= :id db-id]]})] ; Only check our test database
+
+          (is (contains? visible-db-ids db-id)
+              "Database should be visible when user has access to at least one table"))))))
