fix #3514 #3521

Closed
ExtReMLapin wants to merge 1 commit into ArcadeData:main from ExtReMLapin:json_fix

@ExtReMLapin ExtReMLapin commented Feb 25, 2026

Qwen 3.5 27B wrote the fix, while running in the Claude Code binary
fixes #3514

Error

java.lang.IllegalStateException: Not a JSON Object: []
at com.arcadedb.serializer.json.JSONObject.getJSONObject(JSONObject.java:326)
at com.arcadedb.server.security.ServerSecurityDatabaseUser.updateFileAccess(ServerSecurityDatabaseUser.java:227)

Trigger Query

UNWIND $batch as row
MATCH (a) WHERE ID(a) = row.source_id
MATCH (b) WHERE ID(b) = row.target_id
MERGE (a)-[r:`causal_action`{chunk: row.features.chunk}]->(b)
RETURN a, b, r

Root Cause

In ServerSecurityDatabaseUser.java at lines 225-227, there's a bug where the code looks for a type name at the wrong level of the JSON hierarchy:

  // BUGGY CODE (line 225-227)
  if (defaultGroup.has(typeName)) {
    t = defaultGroup.getJSONObject(typeName);  // <-- Wrong level!
  }

The Problem

The variable defaultGroup is a group configuration object with this structure:

  {
    "*": {                    // <-- defaultGroup is THIS object
      "types": {             // <-- typeName should be looked up HERE
        "causal_action": {
          "access": [...]
        }
      }
    }
  }

The code incorrectly checks defaultGroup.has(typeName) directly, but the type name is nested inside defaultGroup.getJSONObject("types").

**Qwen claims this but I'm not sure at all:**

When a new edge type is created via Cypher MERGE, the security system is updated. If the security configuration has any key at the group level that matches the type name (even accidentally), the code finds it and tries to call getJSONObject() on it. If that value happens to be an array [], the error occurs.
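
The scenario the comment above describes, modelled as an added example that is not code from the PR or from ArcadeDB: plain java.util maps stand in for the parsed security configuration, and the sample group, the access value and both method names are constructed for illustration.

```java
import java.util.List;
import java.util.Map;

// Added illustration: java.util collections stand in for the parsed security
// configuration. This is not ArcadeDB's JSONObject API.
public class GroupTypeLookup {

  // Constructed sample group: a group-level key that shares the type's name
  // and holds an array, plus the real entry nested under "types".
  static final Map<String, Object> SAMPLE_GROUP = Map.of(
      "causal_action", List.of(),
      "types", Map.of(
          "causal_action", Map.of("access", List.of("constructed-permission"))));

  // Lookup at the group level, assuming whatever is found is an object.
  @SuppressWarnings("unchecked")
  static Map<String, Object> lookupAtGroupLevel(Map<String, Object> group, String typeName) {
    if (group.containsKey(typeName))
      return (Map<String, Object>) group.get(typeName); // fails when the value is a List
    return null;
  }

  // Lookup one level down, under "types", checking the shape at each step.
  // null means "no type-specific entry": the caller applies its default
  // permissions and must never read it as unrestricted access.
  @SuppressWarnings("unchecked")
  static Map<String, Object> lookupUnderTypes(Map<String, Object> group, String typeName) {
    Object types = group.get("types");
    if (!(types instanceof Map))
      return null;
    Object entry = ((Map<?, ?>) types).get(typeName);
    return entry instanceof Map ? (Map<String, Object>) entry : null;
  }

  public static void main(String[] args) {
    try {
      lookupAtGroupLevel(SAMPLE_GROUP, "causal_action");
    } catch (ClassCastException e) {
      System.out.println("group-level lookup failed: " + e.getClass().getSimpleName());
    }
    System.out.println("types-level lookup: " + lookupUnderTypes(SAMPLE_GROUP, "causal_action"));
    System.out.println("unknown type: " + lookupUnderTypes(SAMPLE_GROUP, "other_type"));
  }
}
```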

@ExtReMLapin
Contributor Author

ExtReMLapin commented Feb 25, 2026

While I understand the fix itself or at least what qwen 3.5 claims, I don't understand why the error is not easily reproducible.

Why do we have to follow a specific query execution (cf. query long list of Cypher queries)? Why didn't we see this issue before?

@gemini-code-assist

Summary of Changes

Hello @ExtReMLapin, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical IllegalStateException that occurred during the update of security file access configurations. The fix ensures that the system correctly parses the JSON structure for type-specific permissions, preventing errors when new database elements, such as edge types, are created, by accessing the correct nested JSON object.

Highlights

  • JSON Parsing Error Fix: Addressed an IllegalStateException ('Not a JSON Object: []') occurring in ServerSecurityDatabaseUser.java when updating file access permissions, specifically triggered by Cypher MERGE operations creating new edge types.
  • Corrected JSON Hierarchy Access: Modified the logic to correctly locate the 'typeName' within the 'types' sub-object of the 'defaultGroup' JSON, ensuring the security system retrieves type-specific configurations from the proper nested level.

Changelog
  • server/src/main/java/com/arcadedb/server/security/ServerSecurityDatabaseUser.java
    • Corrected the JSON path for retrieving type configuration from the 'defaultGroup' object by first accessing the 'types' sub-object.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request fixes an IllegalStateException that occurs when updating security file access. The root cause was an incorrect lookup in a JSON structure, which is now corrected by accessing the nested 'types' object. The fix is correct and addresses the issue described. I have added one comment regarding a potential performance optimization by moving a repeated method call out of a loop.


final JSONObject t;
if (defaultGroup.has(typeName)) {
final JSONObject defaultGroupTypes = defaultGroup.getJSONObject("types");
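
Review bot: defaultGroup.getJSONObject("types") on the last line shown is called without first checking that the group has a "types" entry that is an object. The stack trace in the description shows getJSONObject raising IllegalStateException when the value is not a JSON object, so a group whose "types" value has any other shape would fail here the same way the original lookup did. Consider guarding the call, for example with defaultGroup.has("types") plus a shape check, and treating the type as having no type-specific entry otherwise. A regression test that runs updateFileAccess against a group with and without an entry for the new type would also exercise the changed lines.
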
medium

This call to defaultGroup.getJSONObject("types") is inside a loop (the for loop at line 185) and could be executed multiple times. For better performance, consider extracting this call out of the loop. You could define defaultGroupTypes once before the loop, for example around line 183 where defaultType is also derived from defaultGroup.

@mergify

mergify bot commented Feb 25, 2026

🧪 CI Insights

Here's what we observed from your CI run for 6f03e3c.

🟢 All jobs passed!

@codecov

codecov bot commented Feb 25, 2026

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.70%. Comparing base (b1d5780) to head (6f03e3c).
⚠️ Report is 2 commits behind head on main.

Files with missing lines | Patch % | Lines
...db/server/security/ServerSecurityDatabaseUser.java | 33.33% | 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3521      +/-   ##
==========================================
- Coverage   65.76%   65.70%   -0.06%     
==========================================
  Files        1471     1471              
  Lines      100150   100151       +1     
  Branches    20874    20874              
==========================================
- Hits        65860    65807      -53     
- Misses      25305    25328      +23     
- Partials     8985     9016      +31     


@ExtReMLapin
Contributor Author

ref 6e10936

@lvca lvca added this to the 26.3.1 milestone Feb 25, 2026
@lvca lvca self-assigned this Feb 25, 2026
Successfully merging this pull request may close these issues.

Cypher : Weird Not a JSON Object: [] then "User 'root' is not allowed to create records on type 'causal_action'