Skip to content

Fix migration 0202 to prevent duplicate Platform Auditor assignments#5

Draft
ambient-code[bot] wants to merge 1 commit into
develfrom
debuggernaut/AAP-72477
Draft

Fix migration 0202 to prevent duplicate Platform Auditor assignments#5
ambient-code[bot] wants to merge 1 commit into
develfrom
debuggernaut/AAP-72477

Conversation

@ambient-code

@ambient-code ambient-code Bot commented Jul 2, 2026

Copy link
Copy Markdown

Summary

  • Fix migration 0202_convert_controller_role_definitions to check for existing Platform Auditor RoleUserAssignment before creating a new one
  • During AAP 2.5-to-2.6 upgrade, the migration blindly creates Platform Auditor assignments using create() without checking for pre-existing ones
  • When a user already has a Platform Auditor assignment (from the gateway or earlier migration 0192), a duplicate row is inserted
  • PostgreSQL does not enforce unique_together when object_role is NULL, so the duplicate succeeds silently
  • On subsequent JWT authentication, give_or_remove_global_permission calls get_or_create which finds 2 matching rows and raises MultipleObjectsReturned, causing a 401 error
  • Add filter().exists() check before create() to skip users who already have a Platform Auditor assignment
  • Includes regression test in test_migrations.py

Companion PR in django-ansible-base adds defensive handling for duplicates at runtime.

Fixes: AAP-72477

Test plan

  • Verify test_no_duplicate_auditor_assignments passes in CI
  • Verify existing migration smoke tests still pass
  • Manual: On an AAP 2.5 instance with a user that already has Platform Auditor, upgrade to 2.6 and confirm no duplicate assignments are created

Assisted-by: Debuggernaut (claude-opus-4-6) [email protected]

The migration converts users from Controller System Auditor to
Platform Auditor using create() without checking for pre-existing
Platform Auditor assignments. When a user already has a Platform
Auditor assignment (e.g., from the gateway or earlier migration
0192), the migration creates a duplicate row. Because PostgreSQL
does not enforce unique_together when one column (object_role) is
NULL, the duplicate insert succeeds silently.

On subsequent JWT authentication, give_or_remove_global_permission
calls get_or_create which internally does get() and finds 2 matching
rows, raising MultipleObjectsReturned and causing a 401 error.

Add a filter().exists() check before create() to skip users who
already have a Platform Auditor assignment.

Fixes: AAP-72477

Assisted-by: Debuggernaut (claude-opus-4-6) <[email protected]>
Co-Authored-By: Claude <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants