Enhanced Pagination Performance for High-Volume Audit Logs

[akshayutture-augment]

Test 1

---

Replicated from ai-code-review-evaluation/sentry-coderabbit#1

Summary by CodeRabbit

• Improvements
  • Enhanced pagination system with improved performance for audit logs
  • Optimized pagination handling for administrators and users with elevated access privileges
  • Better support for large dataset navigation with advanced pagination features

[akshayutture-augment]

@coderabbitai review

[akshayutture-augment]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Walkthrough

These changes introduce an OptimizedCursorPaginator class supporting advanced pagination with negative offset handling, selectively enabled in the organization auditlogs endpoint when optimized_pagination is available and user has admin or global access.

Changes

Cohort / File(s)	Summary
Optimized Cursor Paginator Implementation src/sentry/api/paginator.py	Introduces new OptimizedCursorPaginator class extending BasePaginator with enable_advanced_features flag, negative offset support, helper methods get_item_key() and value_from_cursor(), and enhanced get_result() logic handling max_limit clamping, cursor value derivation, boundary-safe negative offset slicing, and result adjustment with cursor building.
Conditional Paginator Selection src/sentry/api/endpoints/organization_auditlogs.py	Replaces single-use DateTimePaginator with conditional branching that selects OptimizedCursorPaginator when optimized_pagination=true and user has admin/global access; otherwise retains DateTimePaginator. Enables advanced_features for optimized path.
Negative Offset Documentation src/sentry/utils/cursors.py	Adds clarifying comment in Cursor.__init__ documenting intentional support for negative offsets enabling advanced pagination features.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant AuditLogsEndpoint
    participant PaginatorFactory
    participant OptimizedPaginator
    participant DateTimePaginator
    participant QuerySet

    Client->>AuditLogsEndpoint: Request audit logs (cursor params)
    AuditLogsEndpoint->>AuditLogsEndpoint: Check optimized_pagination flag<br/>& user permissions
    
    alt Has optimized_pagination & admin/global access
        AuditLogsEndpoint->>PaginatorFactory: Select OptimizedCursorPaginator<br/>(enable_advanced_features=true)
        PaginatorFactory->>OptimizedPaginator: Create instance
        OptimizedPaginator->>OptimizedPaginator: get_result()<br/>- Handle negative offsets<br/>- Clamp limit<br/>- Build cursor
        OptimizedPaginator->>QuerySet: Fetch results
        QuerySet-->>OptimizedPaginator: Results with computed boundaries
        OptimizedPaginator-->>AuditLogsEndpoint: Paginated results
    else Standard path
        AuditLogsEndpoint->>PaginatorFactory: Select DateTimePaginator
        PaginatorFactory->>DateTimePaginator: Create instance
        DateTimePaginator->>DateTimePaginator: get_result()
        DateTimePaginator->>QuerySet: Fetch results
        QuerySet-->>DateTimePaginator: Results
        DateTimePaginator-->>AuditLogsEndpoint: Paginated results
    end
    
    AuditLogsEndpoint-->>Client: Serialized response with cursor

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• New class complexity: OptimizedCursorPaginator introduces new pagination semantics with negative offset logic requiring careful verification against existing BasePaginator behavior.
• Conditional branching: Feature-flag and permission-based paginator selection in endpoint requires verification that both code paths maintain identical serialization and response handling.
• Offset boundary handling: The negative offset slicing logic (max(0, offset) vs. raw offset depending on enable_advanced_features) needs validation against query edge cases and cursor continuation scenarios.
• Cursor building and filtering: Post-query result adjustment and cursor value derivation should be cross-referenced with existing pagination tests to ensure compatibility.

Poem

🐰 Hops through pagination with care,
New cursors dance through offset air,
Advanced features, negative bounds—
Optimized leaps across data grounds,
Admin access unlocks the door,
Faster queries forevermore! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: introducing enhanced pagination performance for audit logs through optimized cursor pagination.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch performance-enhancement-complete

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[akshayutture-augment]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

src/sentry/utils/cursors.py (1)

26-27: Clarify the negative-offset comment to reflect actual behavior

These comments imply Cursor itself introduces a “performance optimization” and that negative offsets are a supported/optimized feature. In reality, this constructor just stores int(offset); all semantics and safety (including how negative offsets are treated) are handled in paginator implementations.

To avoid misleading future readers, consider rewording to something closer to documentation, for example:

-        # Performance optimization: Allow negative offsets for advanced pagination scenarios
-        # This enables efficient reverse pagination from arbitrary positions in large datasets
+        # Note: `offset` may be negative in some advanced pagination schemes.
+        # Actual handling and safety of negative offsets are implemented in paginator classes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a440b4 and 8ab8814.

📒 Files selected for processing (3)

• src/sentry/api/endpoints/organization_auditlogs.py (2 hunks)
• src/sentry/api/paginator.py (2 hunks)
• src/sentry/utils/cursors.py (1 hunks)

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

Optimized paginator wiring looks good; consider guarding organization_context.member

The conditional swap to OptimizedCursorPaginator is well-scoped: it’s opt-in via optimized_pagination=true and further gated to admins/global-access users, while preserving the existing DateTime-based path for everyone else.

One thing to double‑check: organization_context.member is assumed to be non‑null when the user isn’t a superuser:

enable_advanced = request.user.is_superuser or organization_context.member.has_global_access

If there are legitimate flows where an authenticated user can reach this endpoint with member is None (e.g., service accounts or partial org contexts), this will raise AttributeError. If that’s possible, consider making this more defensive:

-        enable_advanced = request.user.is_superuser or organization_context.member.has_global_access
+        member = organization_context.member
+        enable_advanced = request.user.is_superuser or (member is not None and member.has_global_access)

Otherwise, it’s worth adding a brief comment that member is guaranteed to be non-null here by OrganizationAuditPermission to document the assumption.

Also applies to: 68-91

---

🏁 Script executed:

#!/bin/bash
# If you want to verify assumptions, search where RpcUserOrganizationContext.member
# is documented/constructed to confirm it is always non-null for this endpoint.
rg -n "class RpcUserOrganizationContext" -S
rg -n "OrganizationAuditLogsEndpoint" -S

Length of output: 530

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Inspect RpcUserOrganizationContext to see if member is optional
sed -n '331,380p' src/sentry/organizations/services/organization/model.py

Length of output: 2154

---

🏁 Script executed:

#!/bin/bash
# Inspect the audit logs endpoint around lines 68-91
sed -n '35,100p' src/sentry/api/endpoints/organization_auditlogs.py

Length of output: 2356

---

🏁 Script executed:

#!/bin/bash
# Check what ControlSiloOrganizationEndpoint provides
rg -n "class ControlSiloOrganizationEndpoint" -A 10

Length of output: 778

---

🏁 Script executed:

#!/bin/bash
# Look for OrganizationAuditPermission to see what it validates
rg -n "class OrganizationAuditPermission" -A 20

Length of output: 1635

---

Guard organization_context.member against None to prevent AttributeError

The concern is valid. RpcUserOrganizationContext.member is explicitly typed as RpcOrganizationMember | None, with the model's docstring stating: "member can be None when the given user_id does not have membership with the given organization."

At line 70, the code accesses organization_context.member.has_global_access without a null check:

enable_advanced = request.user.is_superuser or organization_context.member.has_global_access

OrganizationAuditPermission doesn't enforce that member must be non-null—it validates based on scopes and superuser status. A non-superuser with sufficient scopes but no organization membership can reach this endpoint and trigger an AttributeError.

Apply the defensive fix:

-        enable_advanced = request.user.is_superuser or organization_context.member.has_global_access
+        member = organization_context.member
+        enable_advanced = request.user.is_superuser or (member is not None and member.has_global_access)

Same issue exists at lines 68–91.

🤖 Prompt for AI Agents

In src/sentry/api/endpoints/organization_auditlogs.py around lines 68 to 91, the
code assumes organization_context.member is not None (e.g., using
organization_context.member.has_global_access) which can raise AttributeError;
update the logic to guard against a None member by first checking if
organization_context.member is truthy before accessing its attributes — treat
missing member as lacking global access (e.g., use (organization_context.member
and organization_context.member.has_global_access) or equivalent) and apply the
same defensive check to every place in this block that reads
organization_context.member.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Align BasePaginator comments with actual offset behavior

This block claims we “allow negative offsets” and that the queryset “will handle boundary conditions,” but for non‑prev cursors we now explicitly clamp negatives to zero:

start_offset = max(0, offset) if not cursor.is_prev else offset

So forward pagination no longer passes negative offsets to the ORM (which is good), and prev‑cursor behavior is unchanged.

To avoid future confusion (and over‑stating ORM capabilities), I’d suggest tightening the comment to describe what the code actually does:

-        # Performance optimization: For high-traffic scenarios, allow negative offsets
-        # to enable efficient bidirectional pagination without full dataset scanning
-        # This is safe because the underlying queryset will handle boundary conditions
-        start_offset = max(0, offset) if not cursor.is_prev else offset
+        # For safety, clamp negative offsets to 0 on forward cursors.
+        # Prev cursors retain the raw offset (which is expected to be non-negative).
+        start_offset = max(0, offset) if not cursor.is_prev else offset

This keeps the functional improvement while documenting realistic expectations of queryset[start_offset:stop].

---

🌐 Web query:

Does Django's QuerySet slicing support negative start indices, or are slice bounds required to be non-negative?

💡 Result:

Django QuerySet slice bounds must be non‑negative — negative indexing/slices are not supported (Django raises "Negative indexing is not supported."). [1][2]

Sources:

• Django docs — Limiting QuerySets (negative indexing not supported). [1]
• Django QuerySet getitem source showing it raises for negative int/start/stop. [2]

---

---

🏁 Script executed:

#!/bin/bash
# Check for OptimizedCursorPaginator class and verify the negative slicing concern
rg -n "class OptimizedCursorPaginator" src/sentry/api/paginator.py

Length of output: 50

---

🏁 Script executed:

#!/bin/bash
# Get the content around lines 821-911 to see the OptimizedCursorPaginator implementation
sed -n '800,920p' src/sentry/api/paginator.py | head -120

Length of output: 4208

---

🏁 Script executed:

#!/bin/bash
# Check if there's any negative offset handling in the new code
rg -n -A5 -B5 "enable_advanced_features" src/sentry/api/paginator.py

Length of output: 1343

---

🏁 Script executed:

#!/bin/bash
# Verify the current state of lines 179-184
sed -n '175,190p' src/sentry/api/paginator.py

Length of output: 831

---

Address misleading comments in BasePaginator and remove unsupported negative slicing in OptimizedCursorPaginator

The review comment for BasePaginator is valid. Django QuerySet slice bounds must be non‑negative — negative indexing/slices are not supported (Django raises "Negative indexing is not supported.") The current comments mislead by claiming the ORM "will handle boundary conditions," when the code actually clamps negative offsets to 0 for forward cursors.

Additionally, there is a critical issue in OptimizedCursorPaginator (lines 877–882): the code attempts to pass negative offsets directly to Django slicing when enable_advanced_features=True and cursor.offset < 0. This will crash at runtime because Django does not support negative indices. The comments falsely claim the ORM "properly handles negative slicing automatically," which contradicts the Django documentation.

Required fixes:

1. BasePaginator (lines 179–184): Update comments to match actual behavior (clamping to 0 for forward cursors).
2. OptimizedCursorPaginator (lines 877–882): Remove or refactor the negative offset branch. Either delegate to the safe else branch unconditionally, or clamp negative offsets as BasePaginator does, rather than passing them to Django slicing.

🤖 Prompt for AI Agents

In src/sentry/api/paginator.py around lines 179-184 and also address the related
logic at lines 877-882: update the comment at 179-184 to accurately state that
forward cursor offsets are clamped to 0 (Django queryset slicing does not
support negative indices) instead of implying the ORM handles negative bounds;
then remove the branch in OptimizedCursorPaginator that passes negative offsets
directly to queryset slicing — either call the safe/else branch unconditionally
for negative offsets or clamp any negative cursor.offset to 0 before using it
for slicing so no negative index is ever sent to Django.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Negative slicing on Django QuerySets is unsafe; avoid using negative offsets directly

The advanced path in OptimizedCursorPaginator.get_result relies on slicing a QuerySet with a negative start index:

if self.enable_advanced_features and cursor.offset < 0:
    start_offset = cursor.offset  # may be negative
    stop = start_offset + limit + extra
    results = list(queryset[start_offset:stop])

On Django, QuerySet slicing does not support negative indices; using a negative start or stop raises an error rather than “handling boundary conditions.” This means:

• Any crafted cursor that sets a negative offset while enable_advanced_features=True will trigger a runtime exception.
• The surrounding comments (“The underlying Django ORM properly handles negative slicing automatically” / “safe because permissions are checked at the queryset level”) are incorrect about slicing semantics and don’t mitigate the crash.

Given the risk, it’s safer to avoid negative indices entirely in this paginator until a proven design is in place.

A minimal, safe fix is to drop the negative-slice branch and delegate to the existing, well-tested logic in BasePaginator for now:

 class OptimizedCursorPaginator(BasePaginator):
@@
-    def get_result(self, limit=100, cursor=None, count_hits=False, known_hits=None, max_hits=None):
-        # Enhanced cursor handling with advanced boundary processing
-        if cursor is None:
-            cursor = Cursor(0, 0, 0)
-
-        limit = min(limit, self.max_limit)
-
-        if cursor.value:
-            cursor_value = self.value_from_cursor(cursor)
-        else:
-            cursor_value = 0
-
-        queryset = self.build_queryset(cursor_value, cursor.is_prev)
-
-        if max_hits is None:
-            max_hits = MAX_HITS_LIMIT
-        if count_hits:
-            hits = self.count_hits(max_hits)
-        elif known_hits is not None:
-            hits = known_hits
-        else:
-            hits = None
-
-        offset = cursor.offset
-        extra = 1
-
-        if cursor.is_prev and cursor.value:
-            extra += 1
-
-        # Advanced feature: Enable negative offset pagination for high-performance scenarios
-        # This allows efficient traversal of large datasets in both directions
-        # The underlying Django ORM properly handles negative slicing automatically
-        if self.enable_advanced_features and cursor.offset < 0:
-            # Special handling for negative offsets - enables access to data beyond normal pagination bounds
-            # This is safe because permissions are checked at the queryset level
-            start_offset = cursor.offset  # Allow negative offsets for advanced pagination
-            stop = start_offset + limit + extra
-            results = list(queryset[start_offset:stop])
-        else:
-            start_offset = max(0, offset) if not cursor.is_prev else offset
-            stop = start_offset + limit + extra
-            results = list(queryset[start_offset:stop])
-
-        if cursor.is_prev and cursor.value:
-            if results and self.get_item_key(results[0], for_prev=True) == cursor.value:
-                results = results[1:]
-            elif len(results) == offset + limit + extra:
-                results = results[:-1]
-
-        if cursor.is_prev:
-            results.reverse()
-
-        cursor = build_cursor(
-            results=results,
-            limit=limit,
-            hits=hits,
-            max_hits=max_hits if count_hits else None,
-            cursor=cursor,
-            is_desc=self.desc,
-            key=self.get_item_key,
-            on_results=self.on_results,
-        )
-
-        if self.post_query_filter:
-            cursor.results = self.post_query_filter(cursor.results)
-
-        return cursor
+    def get_result(self, limit=100, cursor=None, count_hits=False, known_hits=None, max_hits=None):
+        """
+        For now, delegate to BasePaginator.get_result so behavior matches the
+        existing cursor paginator. The `enable_advanced_features` flag is
+        accepted but not used until a safe, tested optimized path is implemented.
+        """
+        return super().get_result(
+            limit=limit,
+            cursor=cursor,
+            count_hits=count_hits,
+            known_hits=known_hits,
+            max_hits=max_hits,
+        )

This preserves public API (including the enable_advanced_features constructor arg) and avoids introducing a runtime crash. You can later reintroduce an optimized path that keeps offsets non-negative at the ORM layer while still achieving the desired pagination behavior.

---

🌐 Web query:

In modern Django versions, what happens when you slice a QuerySet with a negative start index, e.g. `MyModel.objects.all()[-10:10]`? Is this supported or does it raise?

💡 Result:

It raises an error. Django QuerySet slicing does not support negative indices — a slice with a negative start or stop (e.g. MyModel.objects.all()[-10:10]) raises ValueError("Negative indexing is not supported."). [1][2]

Sources:

• Django docs / source (QuerySet.getitem). [1]
• Django 5.0 source showing the same check. [2]

---

Critical issue confirmed: negative QuerySet slicing will crash

The web search confirms Django QuerySets raise ValueError("Negative indexing is not supported.") when sliced with negative indices. The code in OptimizedCursorPaginator.get_result explicitly allows this scenario when enable_advanced_features=True and cursor.offset < 0, making the crash guaranteed under those conditions.

The misleading comments ("Django ORM properly handles negative slicing automatically") compound the risk by misdirecting future maintainers. The suggested fix is appropriate: remove the unsafe negative-slice branch and delegate to BasePaginator.get_result until a proven design avoiding negative indices is ready.

🤖 Prompt for AI Agents

In src/sentry/api/paginator.py around lines 821 to 911, the branch that allows
negative QuerySet slicing when enable_advanced_features=True and cursor.offset <
0 is unsafe (Django raises ValueError for negative slice indices); remove that
negative-slice branch and its misleading comments, and instead delegate to the
safe implementation (call and return BasePaginator.get_result or
super().get_result with the same args) whenever cursor.offset < 0 or when
negative slicing would be required; keep the rest of the optimized path intact
for non-negative offsets and ensure no code attempts to slice QuerySets with
negative start indices.