User Service: Prevent fetching all permissions when no IDs are provided #22424

Merged
AndyButland merged 2 commits into umbraco:main from krebil:v17/bugfix/22415-ensure-userservice-does-not-fetch-all-content-permissions
Apr 10, 2026
krebil commented Apr 10, 2026

Ensures that the UserService does not attempt to fetch permissions when the provided ID collection is empty, avoiding potentially expensive database queries that could return permissions for all nodes.

Prerequisites

  • I have added steps to test this contribution in the description below

fixes #22415

Description

Ensure that userservice does not get permissions for all CMS content when no entities are provided. This has been observed when the backoffice calls /umbraco/management/api/v1/tree/document/root?skip=0&take=0 which should be a simple count query.

To test, set up an Umbraco solution and see that the backoffice no longer slows down significantly depending on the amount of content items. If you are testing locally you may need a significant amount of content to see a meaningful change, but in a multi-editor environment it should be easy to see the difference.

Copilot AI review requested due to automatic review settings April 10, 2026 13:29
@github-actions

Hi there @krebil, thank you for this contribution! 👍

While we wait for one of the Core Collaborators team to have a look at your work, we wanted to let you know that we have a checklist for some of the things we will consider during review:

  • It's clear what problem this is solving, there's a connected issue or a description of what the changes do and how to test them
  • The automated tests all pass (see "Checks" tab on this PR)
  • The level of security for this contribution is the same or improved
  • The level of performance for this contribution is the same or improved
  • Avoids creating breaking changes; note that behavioral changes might also be perceived as breaking
  • If this is a new feature, Umbraco HQ provided guidance on the implementation beforehand
  • 💡 The contribution looks original and the contributor is presumably allowed to share it

Don't worry if you got something wrong. We like to think of a pull request as the start of a conversation, we're happy to provide guidance on improving your contribution.

If you realize that you might want to make some changes then you can do that by adding new commits to the branch you created for this work and pushing new commits. They should then automatically show up as updates to this pull request.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

krebil commented Apr 10, 2026

I've added the short-circuit to media for consistency even though I have not observed any problems with media permission.

I see that when creating the IDs fails it will return without closing the scope, so I've done the same. I'm not entirely sure that is correct. So let me know if I should change that.

Copilot AI left a comment

Pull request overview

Updates UserService permission retrieval to short-circuit when no entity keys are provided, preventing potentially expensive permission queries that could unintentionally target “all nodes” scenarios (as observed via backoffice tree requests with take=0).

Changes:

  • Return early with an empty permission result when the resolved key→id map is empty for media permissions.
  • Return early with an empty permission result when the resolved key→id map is empty for document permissions.

Comment thread src/Umbraco.Core/Services/UserService.cs Outdated
@AndyButland AndyButland left a comment

Thanks @krebil. I tweaked the solution a bit just to move the fix into a common private method, shared between documents and media, and have added an integration test to verify the fix.
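
The failure mode discussed in this thread, as an added example that is not part of the pull request or Umbraco's code: a permission lookup where an empty ID filter means "no filter", and a shared guard used by both the document and media paths. All type and member names are hypothetical, and the repository's "empty array means all nodes" contract is an assumption based on the PR description.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using IdMap = System.Collections.Generic.IReadOnlyDictionary<System.Guid, int>;

// Constructed demo: an empty key→id map sent to the unguarded repository call,
// then through the guarded service. Each line prints the number of rows returned.
int[] groups = { 1, 2 };
IdMap none = new Dictionary<Guid, int>();
Console.WriteLine(new PermissionRepository().GetPermissions(groups, none.Values.ToArray()).Count);
Console.WriteLine(new PermissionService().GetDocumentPermissions(groups, none).Count);

// All names below are hypothetical; this is not Umbraco's UserService or repository API.
public sealed record Permission(int UserGroupId, int NodeId, string Verb);

public sealed class PermissionRepository
{
    // Constructed sample rows standing in for the permissions table.
    private static readonly Permission[] Rows =
    {
        new(1, 1001, "Read"), new(1, 1002, "Update"), new(2, 1003, "Delete"),
    };

    // Assumed contract: an empty nodeIds array adds no node filter,
    // so the query returns permissions for every node.
    public IReadOnlyList<Permission> GetPermissions(int[] groupIds, params int[] nodeIds) =>
        Rows.Where(r => groupIds.Contains(r.UserGroupId))
            .Where(r => nodeIds.Length == 0 || nodeIds.Contains(r.NodeId))
            .ToList();
}

public sealed class PermissionService
{
    private readonly PermissionRepository _repository = new();

    public IReadOnlyList<Permission> GetDocumentPermissions(int[] groupIds, IdMap keyToId) =>
        GetPermissions(groupIds, keyToId);

    public IReadOnlyList<Permission> GetMediaPermissions(int[] groupIds, IdMap keyToId) =>
        GetPermissions(groupIds, keyToId);

    // Shared guard: an empty key→id map yields no permissions. Without the early
    // return, the empty array reaches the repository and is read as "all nodes".
    private IReadOnlyList<Permission> GetPermissions(int[] groupIds, IdMap keyToId) =>
        keyToId.Count == 0
            ? Array.Empty<Permission>()
            : _repository.GetPermissions(groupIds, keyToId.Values.ToArray());
}
```

Putting the guard in the one private method both public paths call means a caller cannot reach the repository with an empty filter, whichever entry point it uses.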

krebil commented Apr 10, 2026

All good, thanks for having a look so fast @AndyButland

@AndyButland AndyButland merged commit 2b4dc2d into umbraco:main Apr 10, 2026
34 checks passed

Development

Successfully merging this pull request may close these issues.

Upgrading from 17.2.2 to 17.3.1 increases CPU time in the Scheduling publisher instance x4
