perf: split implied user-app permissions

It took a long time to figure out why this was happening, but user-to-app permissions and dev-to-app permissions were being checked in sequence instead of concurrently. It turns out it was a recursive call in user-to-app permissions that was blocking. This recursive call was not actually a dependency of the query for user-to-app permissions; it was only needed for determining if default user-to-app permissions are held by the user. This was fixed by simply splitting up these non-dependent queries into two separate scanners.
2026-05-04 14:11:30 -05:00 · 2025-12-17 14:47:05 -05:00
parent 576900ebcc
commit eea9d8b27e
1 changed files with 19 additions and 9 deletions
@@ -297,25 +297,20 @@ const PERMISSION_SCANNERS = [
        },
    },
    {
-        name: 'user-app',
+        name: 'user-app-implied',
        documentation: `
-            If the actor is an app, this scans for permissions granted to the app
-            because the user has the permission and granted it to the app.
+            Some permissions are implied for apps as long as the user also has
+            these permissions.
        `,
        async scan (a) {
            const { reading, actor, permission_options } = a.values();
            if ( ! (actor.type instanceof AppUnderUserActorType) ) {
                return;
            }
-            const db = a.iget('db');
-
-            const app_uid = actor.type.app.uid;
-
            const issuer_actor = actor.get_related_actor(UserActorType);
            const issuer_reading = await a.icall('scan', issuer_actor, permission_options);
-
            const has_terminal = reading_has_terminal({ reading: issuer_reading });
-
+            const app_uid = actor.type.app.uid;
            for ( const permission of permission_options ) {
                {

@@ -354,6 +349,21 @@ const PERMISSION_SCANNERS = [
                }
            }

+        },
+    },
+    {
+        name: 'user-app',
+        documentation: `
+            If the actor is an app, this scans for permissions granted to the app
+            because the user has the permission and granted it to the app.
+        `,
+        async scan (a) {
+            const { reading, actor, permission_options } = a.values();
+            if ( ! (actor.type instanceof AppUnderUserActorType) ) {
+                return;
+            }
+            const db = a.iget('db');
+
            let sql_perm = permission_options.map(() =>
                '`permission` = ?').join(' OR ');
            if ( permission_options.length > 1 ) sql_perm = `(${sql_perm})`;