igny8/SITE_ISOLATION_BUG_FIX_FINAL.md
IGNY8 VPS (Salman) 029c66a0f1 Refactor WordPress integration service to use API key for connection testing
- Updated the `IntegrationService` to perform connection tests using only the API key, removing reliance on username and app password.
- Simplified health check logic and improved error messaging for better clarity.
- Added functionality to revoke API keys in the `WordPressIntegrationForm` component.
- Enhanced site settings page with a site selector and improved integration status display.
- Cleaned up unused code and improved overall structure for better maintainability.
2025-11-22 09:31:07 +00:00

Site Isolation Bug - Final Fix

Problem

All sites (5, 10, 14, 15) were showing IDENTICAL settings and content types instead of site-specific data. This was a CRITICAL data isolation bug.

Root Cause

The IntegrationViewSet extends SiteSectorModelViewSet, which only applies site filtering if the model has BOTH site AND sector fields.

The SiteIntegration model only has a site field (no sector field), so the condition on line 231 of base.py was FALSE:

if hasattr(queryset.model, 'site') and hasattr(queryset.model, 'sector'):

This meant the entire site filtering block was SKIPPED, causing ALL integrations to be returned regardless of the ?site=X parameter.

The Fix

File: /data/app/igny8/backend/igny8_core/modules/integration/views.py

Added get_queryset() method to IntegrationViewSet to manually filter by site:

def get_queryset(self):
    """
    Override to filter integrations by site.
    SiteIntegration only has 'site' field (no 'sector'), so SiteSectorModelViewSet's
    filtering doesn't apply. We manually filter by site here.
    """
    queryset = super().get_queryset()
    
    # Get site parameter from query params
    site_id = self.request.query_params.get('site_id') or self.request.query_params.get('site')
    
    if site_id:
        try:
            site_id_int = int(site_id)
            queryset = queryset.filter(site_id=site_id_int)
        except (ValueError, TypeError):
            # Invalid site_id, return empty queryset
            queryset = queryset.none()
    
    return queryset

Testing

Before Fix:

  • Site 5: Showed homeg8.com integration
  • Site 10: Showed homeg8.com integration (WRONG)
  • Site 14: Showed homeg8.com integration (WRONG)
  • Site 15: Showed homeg8.com integration (WRONG)

After Fix:

  • Site 5: Shows its own integration
  • Site 10: Shows its own integration
  • Site 14: Shows its own integration
  • Site 15: Shows its own integration

API Behavior

Before Fix:

GET /api/v1/integration/integrations/?site=10
→ Returns ALL integrations for ALL sites

After Fix:

GET /api/v1/integration/integrations/?site=10
→ Returns ONLY integrations for site 10
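
The before/after behaviour can be pinned down as a regression check. The following is an added example, not code from the IGNY8 repository: it models the gating condition and the `get_queryset()` override with plain Python objects instead of Django, and the helper names, the stand-in class body and all rows except the homeg8.com entry are constructed for illustration.

```python
# Added illustration: plain-Python stand-ins for the Django pieces (no Django needed).
# Helper names and all records are constructed for this example.

class SiteIntegration:
    site = None  # stands in for the model's 'site' field; there is no 'sector'
    def __init__(self, site_id, domain):
        self.site_id, self.domain = site_id, domain

# Constructed sample rows for the four sites named on the page.
ROWS = [SiteIntegration(5, "homeg8.com"), SiteIntegration(10, "site10.example"),
        SiteIntegration(14, "site14.example"), SiteIntegration(15, "site15.example")]

def _site_param(params):
    return params.get("site_id") or params.get("site")

def base_filter(model, rows, params):
    """Before: filtering is gated on the model having BOTH 'site' and 'sector'."""
    if hasattr(model, "site") and hasattr(model, "sector"):
        site = _site_param(params)
        if site:
            rows = [r for r in rows if r.site_id == int(site)]
    return rows  # SiteIntegration falls through unfiltered

def fixed_filter(model, rows, params):
    """After: same logic as the get_queryset() override shown above."""
    rows = base_filter(model, rows, params)  # no-op for SiteIntegration
    site = _site_param(params)
    if site:
        try:
            wanted = int(site)
        except (ValueError, TypeError):
            return []  # invalid value fails closed, like queryset.none()
        rows = [r for r in rows if r.site_id == wanted]
    return rows

def foreign_sites(filter_fn, requested):
    """Site ids present in the response that are not the requested site."""
    got = filter_fn(SiteIntegration, ROWS, {"site": str(requested)})
    return sorted({r.site_id for r in got} - {requested})

if __name__ == "__main__":
    for fn in (base_filter, fixed_filter):
        print(fn.__name__, {s: foreign_sites(fn, s) for s in (5, 10, 14, 15)})
```

With no `site` or `site_id` parameter the override leaves the queryset from `super()` unchanged, so a regression test should cover that request shape as well.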

Security Impact

This was a CRITICAL data isolation bug that could cause:

  • Data leakage between sites (FIXED)
  • Wrong content syncing to wrong sites (FIXED)
  • Security/privacy violations (FIXED)

Deployment

  1. Fix was applied to: /data/app/igny8/backend/igny8_core/modules/integration/views.py
  2. Gunicorn workers were reloaded: pkill -HUP -f 'gunicorn igny8_core.wsgi'
  3. Changes are LIVE and WORKING

Status: FIXED AND DEPLOYED
Date: 2025-11-22
Critical: YES