fix: narrow event query person scope (#18399)

PostHog · Nov 3, 2023 · 5e2e9fc · 5e2e9fc
1 parent e5a4242
commit 5e2e9fc
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/posthog/hogql_queries/events_query_runner.py b/posthog/hogql_queries/events_query_runner.py
@@ -115,7 +115,9 @@ def to_query(self) -> ast.SelectQuery:
                         where_exprs.append(action_to_expr(action))
                 if self.query.personId:
                     with self.timings.measure("person_id"):
-                        person: Optional[Person] = get_pk_or_uuid(Person.objects.all(), self.query.personId).first()
+                        person: Optional[Person] = get_pk_or_uuid(
+                            Person.objects.filter(team=self.team), self.query.personId
+                        ).first()
                         distinct_ids = person.distinct_ids if person is not None else []
                         ids_list = list(map(str, distinct_ids))
                         where_exprs.append(

diff --git a/...ueries/insights/test/test_events_query.py → ...insights/test/test_events_query_runner.py b/...ueries/insights/test/test_events_query.py → ...insights/test/test_events_query_runner.py
@@ -3,6 +3,8 @@
 from freezegun import freeze_time
 
 from posthog.hogql_queries.events_query_runner import EventsQueryRunner
+from posthog.models import Person, Team
+from posthog.models.organization import Organization
 from posthog.schema import (
     EventsQuery,
     EventPropertyFilter,
@@ -13,6 +15,7 @@
     ClickhouseTestMixin,
     _create_event,
     _create_person,
+    flush_persons_and_events,
 )
 
 
@@ -108,3 +111,21 @@ def test_is_set_boolean(self):
         )
 
         self.assertEqual({"p_true", "p_false"}, set(row[0]["distinct_id"] for row in results))
+
+    def test_person_id_expands_to_distinct_ids(self):
+        _create_person(
+            team_id=self.team.pk,
+            distinct_ids=["id1", "id2"],
+        )
+        flush_persons_and_events()
+        person = Person.objects.first()
+        query = EventsQuery(kind="EventsQuery", select=["*"], personId=str(person.pk))  # type: ignore
+
+        # matching team
+        query_ast = EventsQueryRunner(query=query, team=self.team).to_query()
+        self.assertEqual(query_ast.where.exprs[0].right.value, ["id1", "id2"])
+
+        # another team
+        another_team = Team.objects.create(organization=Organization.objects.create())
+        query_ast = EventsQueryRunner(query=query, team=another_team).to_query()
+        self.assertEqual(query_ast.where.exprs[0].right.value, [])
diff --git a/posthog/models/event/query_event_list.py b/posthog/models/event/query_event_list.py
@@ -21,7 +21,7 @@
 
 
 def determine_event_conditions(
-    conditions: Dict[str, Union[None, str, List[str]]], tzinfo: ZoneInfo
+    conditions: Dict[str, Union[None, str, List[str]]], team: Team, tzinfo: ZoneInfo
 ) -> Tuple[str, Dict]:
     result = ""
     params: Dict[str, Union[str, List[str]]] = {}
@@ -44,7 +44,7 @@ def determine_event_conditions(
             params.update({"before": timestamp})
         elif k == "person_id":
             result += """AND distinct_id IN (%(distinct_ids)s) """
-            person = get_pk_or_uuid(Person.objects.all(), v).first()
+            person = get_pk_or_uuid(Person.objects.filter(team=team), v).first()
             distinct_ids = person.distinct_ids if person is not None else []
             params.update({"distinct_ids": list(map(str, distinct_ids))})
         elif k == "distinct_id":
@@ -84,6 +84,7 @@ def query_events_list(
             "before": (now() + timedelta(seconds=5)).isoformat(),
             **request_get_query_dict,
         },
+        team,
         tzinfo=team.timezone_info,
     )
     prop_filters, prop_filter_params = parse_prop_grouped_clauses(