perf(APIv2): self-joining in aggregation with a reduced (pundit) scope

app/controllers/concerns/v2/resolver.rb

@@ -58,16 +58,26 @@ def join_aggregated(relation)
     # INNER JOIN (
     #   SELECT "resource"."id", AGG("association"."XY"), AGG("association"."XZ")
     #   FROM "resource" LEFT OUTER JOIN "association" ...
+    #   WHERE (#{aggregate_scope}) GROUP BY "resource"."id"
     # ) "aggregate_association" ON "aggregate_association"."id" = "resource"."id";
     # ```
     #
     def subquery_fragment(association, aliases)
       sq = resource.left_outer_joins(association)
                    .group(resource.primary_key)
                    .select(resource.primary_key, *aliases)
+                   .merge(aggregate_scope)
       resource.arel_self_join(sq.arel.as(association.to_s))
     end
 
+    # This is a hack to utilize a Pundit scope for an alternative resolution for aggregations.
+    # The default resolution is just `scope.all` but the `aggregate` method can be easily
+    # redefined on the given scopes to make lookups faster.
+    def aggregate_scope
+      policy = Pundit.policy(current_user, resource)
+      policy.class::Scope.new(current_user, resource).aggregate
+    end
+
     # Iterate through the (nested) fields to be selected and set their names accordingly
     # so it is understood by SQL. Furthermore, alias any field that is coming from a joined
     # table to avoid any possible hash key collision.

app/models/v2/system.rb

@@ -105,15 +105,15 @@ def self.first_group_name(table = arel_table)
 
     searchable_by :os_major_version, %i[eq neq in notin], except_parents: %i[policies reports] do |_key, op, val|
       {
-        conditions: os_major_versions(val.split(',').map(&:to_i), %w[IN =].include?(op)).arel
-                                                                                        .where_sql.sub(/^where /i, '')
+        conditions: unscoped.os_major_versions(val.split(',').map(&:to_i), %w[IN =].include?(op))
+                            .arel.where_sql.sub(/^where /i, '')
       }
     end
 
     searchable_by :os_minor_version, %i[eq neq in notin] do |_key, op, val|
       {
-        conditions: os_minor_versions(val.split(',').map(&:to_i), %w[IN =].include?(op)).arel
-                                                                                        .where_sql.sub(/^where /i, '')
+        conditions: unscoped.os_minor_versions(val.split(',').map(&:to_i), %w[IN =].include?(op)).arel
+                            .where_sql.sub(/^where /i, '')
       }
     end
 

app/policies/v2/application_policy.rb

@@ -56,6 +56,12 @@ def initialize(user, scope)
       def resolve
         scope.all
       end
+
+      # Redefine this method in subclasses if you want to limit the join scope for aggregations.
+      # This is not intended for limiting the user access, but to improve query performance.
+      def aggregate
+        scope.all
+      end
     end
   end
 end

app/policies/v2/system_policy.rb

@@ -45,6 +45,11 @@ def resolve
         user.cert_authenticated? ? resolve_cert_auth : resolve_regular
       end
 
+      # In aggregations, we should not join with all systems, so scoping them `org_id`
+      def aggregate
+        base_scope
+      end
+
       private
 
       def resolve_regular