✨(contacts) filter list API with email

This allows to lookup onto emails for the "magic filter" on the API list endpoint.
2024-12-05 13:49:41 +01:00
parent 579aac264e
commit 019ce99a86
6 changed files with 164 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to
 ### Added
 - ✨(contacts) allow filter list API with email
 - ✨(contacts) return profile contact from same organization
 - ✨(dimail) automate allows requests to dimail
 - ✨(contacts) add notes & force full_name #565
--- a/src/backend/core/api/client/viewsets.py
+++ b/src/backend/core/api/client/viewsets.py
@@ -19,6 +19,7 @@ from rest_framework.permissions import AllowAny
 from core import models
 from core.api import permissions
 from core.api.client import serializers
 from core.utils.raw_sql import gen_sql_filter_json_array
 SIMILARITY_THRESHOLD = 0.04
@@ -157,11 +158,22 @@ class ContactViewSet(
            overridden_by__isnull=True,
        )
-        # Search by case-insensitive and accent-insensitive similarity
+        # Search by case-insensitive and accent-insensitive on:
        # - full name
        # - short name
        # - email (from data `emails` field)
        if query := self.request.GET.get("q", ""):
            queryset = queryset.filter(
                Q(full_name__unaccent__icontains=query)
                | Q(short_name__unaccent__icontains=query)
                | Q(
                    id__in=gen_sql_filter_json_array(
                        queryset.model,
                        "data->'emails'",
                        "value",
                        query,
                    )
                )
            )
        serializer = self.get_serializer(queryset, many=True)
--- a/src/backend/core/migrations/0009_contacts_add_index_on_data_emails.py
+++ b/src/backend/core/migrations/0009_contacts_add_index_on_data_emails.py
@@ -0,0 +1,18 @@
 # Generated by Django 5.1.3 on 2024-12-05 13:19
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('core', '0008_change_user_profile_to_contact'),
    ]
    operations = [
        # From 100ms to 78ms for 5 000 contacts on my computer
        # This is not a big improvement and may need further investigation
        migrations.RunSQL(
           "CREATE INDEX json_field_index_emails_value ON people_contact USING GIN ((data->'emails'->'value') jsonb_path_ops);"
        )
    ]
--- a/src/backend/core/tests/contacts/test_core_api_contacts_list.py
+++ b/src/backend/core/tests/contacts/test_core_api_contacts_list.py
@@ -133,6 +133,78 @@ def test_api_contacts_list_authenticated_by_full_name():
    assert contact_ids == [str(frank.id), str(nicole.id)]
 def test_api_contacts_list_authenticated_by_email():
    """
    Authenticated users should be able to search users with a case insensitive and
    partial query on the email.
    """
    user = factories.UserFactory()
    dave = factories.BaseContactFactory(
        full_name="0",  # don't match on full name but allow ordering
        data={
            "emails": [
                {"type": "Home", "value": "dave@personal.com"},
                {"type": "Work", "value": "david.bowman@example.com"},
            ],
        },
    )
    nicole = factories.BaseContactFactory(
        full_name="1",  # don't match on full name but allow ordering
        data={
            "emails": [
                {"type": "Work", "value": "nicole.foole@example.com"},
            ],
        },
    )
    frank = factories.BaseContactFactory(
        full_name="2",  # don't match on full name but allow ordering
        data={
            "emails": [
                {"type": "Home", "value": "francky@personal.com"},
                {"type": "Work", "value": "franck.poole@example.com"},
            ],
        },
    )
    factories.BaseContactFactory(
        full_name="3",  # don't match on full name but allow ordering
        data={
            "emails": [
                {"type": "Work", "value": "heywood.floyd@example.com"},
            ],
        },
    )
    # Full query should work
    client = APIClient()
    client.force_login(user)
    response = client.get("/api/v1.0/contacts/?q=david.bowman@example.com")
    assert response.status_code == 200
    contact_ids = [contact["id"] for contact in response.json()]
    assert contact_ids == [str(dave.pk)]
    # Partial query should work
    response = client.get("/api/v1.0/contacts/?q=anc")
    assert response.status_code == 200
    contact_ids = [contact["id"] for contact in response.json()]
    assert contact_ids == [str(frank.pk)]
    response = client.get("/api/v1.0/contacts/?q=olé")  # accented
    assert response.status_code == 200
    contact_ids = [contact["id"] for contact in response.json()]
    assert contact_ids == [str(nicole.pk), str(frank.pk)]
    response = client.get("/api/v1.0/contacts/?q=oOl")  # mixed case
    assert response.status_code == 200
    contact_ids = [contact["id"] for contact in response.json()]
    assert contact_ids == [str(nicole.pk), str(frank.pk)]
 def test_api_contacts_list_authenticated_uppercase_content():
    """Upper case content should be found by lower case query."""
    user = factories.UserFactory()
--- a/src/backend/core/tests/test_utils_raw_sql.py
+++ b/src/backend/core/tests/test_utils_raw_sql.py
@@ -0,0 +1,19 @@
 """Tests for the raw SQL utility functions."""
 from django.db.models.expressions import RawSQL
 from core.models import Contact
 from core.utils.raw_sql import gen_sql_filter_json_array
 def test_gen_sql_filter_json_array():
    """Test the generation of a raw SQL query to filter on a JSON array."""
    raw_sql = gen_sql_filter_json_array(Contact, "data->'emails'", "value", "blah")
    assert isinstance(raw_sql, RawSQL)
    assert raw_sql.sql == (
        "SELECT people_contact.id FROM people_contact, "
        "jsonb_array_elements(data->'emails') AS temp_filter_table WHERE "
        "unaccent(temp_filter_table->>'value') ILIKE  unaccent(%s)"
    )
    assert raw_sql.params == ["%blah%"]
--- a/src/backend/core/utils/raw_sql.py
+++ b/src/backend/core/utils/raw_sql.py
@@ -0,0 +1,41 @@
 """Helper functions to generate raw SQL queries for Django models."""
 from typing import Type
 from django.db import models
 from django.db.models.expressions import RawSQL
 def gen_sql_filter_json_array(
    model: Type[models.Model],
    lookup_path: str,
    nested_key: str,
    lookup_value: str,
 ) -> RawSQL:
    """
    Filter a queryset on a nested JSON key in an array field with
    a case-insensitive and unaccent match.
    Highly inspired from
    https://gist.github.com/TobeTek/df2e9783a64e431c228c513441eaa8df#file-utils-py
    :param Type[models.Model] model: Your Django model to filter on
    :param str lookup_path: The lookup path of the array field/key in
           Postgres format e.g `data->"sub-key1"->"sub-key2"`
    :param str nested_key: The name of the nested key to filter on
    :param str lookup_value: The value to match/filter the queryset on
    """
    # Disabling S608 Possible SQL injection vector through string-based query construction
    # because we are using Django's RawSQL with parameters.
    # Disabling S611 Use of `RawSQL` can lead to SQL injection vulnerabilities
    # for the same reason.
    table_name = model._meta.db_table  # noqa: SLF001
    query = (
        f"SELECT {table_name}.id FROM {table_name}, "  # noqa: S608
        f"jsonb_array_elements({lookup_path}) AS temp_filter_table "
        f"WHERE unaccent(temp_filter_table->>'{nested_key}') ILIKE  unaccent(%s)"
    )
    return RawSQL(sql=query, params=[f"%{lookup_value}%"])  # noqa: S611