fix(data-warehouse): make duckgres table_suffix read-only in admin#65616
Merged
Conversation
table_suffix names a team's warehouse tables and data-import schema, so changing it after data is written moves the target and silently orphans the old tables. The product enable flow is already write-once, but the Django admin left the field editable. Make it read-only so the suffix is only ever set through the validated enable flow. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
|
Reviews (1): Last reviewed commit: "fix(data-warehouse): make duckgres table..." | Re-trigger Greptile |
jghoman
approved these changes
Jun 23, 2026
Contributor
|
🎭 Playwright report · View test results →
These issues are not necessarily caused by your changes. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
DuckLakeBackfill.table_suffixnames a team's warehouse tables (events_<suffix>/persons_<suffix>) and — since #65323 — the v3 data-import sink schema (posthog_data_imports_<suffix>). It's a write-once value: changing it after data is written moves the target and silently orphans the already-written tables/schema, splitting a team's warehouse data.The product enable flow (
enable_team_backfill) already enforces this — it raises if you try to change an existing suffix. But the Django admin lefttable_suffixeditable, so a staff user could change it directly on the change form and bypass the guard. That was the one remaining unguarded mutation path.This is the interim safety stopgap called out by #65331 (the full fix — drift detection + automatic re-prime — depends on the backfill state machine in #63144, which isn't merged yet).
Changes
table_suffixtoreadonly_fieldsonDuckLakeBackfillAdmin. The field still displays on the change form; it just can't be edited. The suffix is only ever set through the validated enable flow.How did you test this code?
I'm an agent (Claude Code). Automated test only — no manual testing:
posthog/admin/test_ducklake_backfill_admin.py::TestDuckLakeBackfillAdmin::test_table_suffix_is_readonly, which catches the regression of someone reopening the admin edit hole. Ran it locally: passes. ruff + ty clean.Automatic notifications
🤖 Agent context
Autonomy: Human-driven (agent-assisted)
Eric asked me to assess the relevance of #65331 (whether
table_suffixis even mutable and the effects), then to ship the one-line stopgap. A verification pass againstorigin/masterestablished: the suffix-based resolver (#65323) is merged and live, so the orphan-on-change hazard is real today; the full re-prime fix depends on #63144 (backfill state machine), which lives on an unmerged branch. The only realistic accidental-change vector on master is the Django admin, where the field was editable — this PR closes that without depending on #63144.Tools: Claude Code (Opus 4.8). Skills consulted: writing-tests (gated the regression test as worth adding). No migration involved (admin-config change only).