Skip to content

Restrict User Info endpoints to specific roles #382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Nov 5, 2025
Merged

Restrict User Info endpoints to specific roles #382

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
18e75dc
Restrict user info routes to a VIEW_USER_INFO role
devksingh4 Nov 5, 2025
5fbd305
Cleanup roles
devksingh4 Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion src/api/routes/user.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
import { QueryCommand } from "@aws-sdk/client-dynamodb";
import { genericConfig } from "common/config.js";
import { unmarshall } from "@aws-sdk/util-dynamodb";
import { AppRoles } from "common/roles.js";

const userRoute: FastifyPluginAsync = async (fastify, _options) => {
await fastify.register(rateLimiter, {
Expand All @@ -29,7 +30,11 @@ const userRoute: FastifyPluginAsync = async (fastify, _options) => {
"/findUserByUin",
{
schema: withRoles(
[],
[
AppRoles.VIEW_USER_INFO,
AppRoles.TICKETS_MANAGER,
AppRoles.TICKETS_SCANNER,
],
withTags(["Generic"], {
summary: "Find a user by UIN.",
body: searchUserByUinRequest,
Expand Down
19 changes: 14 additions & 5 deletions src/common/roles.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@ import { AllOrganizationNameList } from "@acm-uiuc/js-shared";
/* eslint-disable import/prefer-default-export */
export const runEnvironments = ["dev", "prod"] as const;
export type RunEnvironment = (typeof runEnvironments)[number];
export enum AppRoles {
export const META_ROLE_PREFIX = "__metaRole:"
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Add missing semicolon.

The statement is missing a semicolon, which will cause prettier/ESLint failures.

Apply this diff:

-export const META_ROLE_PREFIX = "__metaRole:"
+export const META_ROLE_PREFIX = "__metaRole:";
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
export const META_ROLE_PREFIX = "__metaRole:"
export const META_ROLE_PREFIX = "__metaRole:";
🧰 Tools
🪛 ESLint

[error] 6-6: Insert ;

(prettier/prettier)

🤖 Prompt for AI Agents 
In src/common/roles.ts around line 6, the exported constant declaration lacks a
trailing semicolon causing lint/prettier failures; add a semicolon to the end of
the line so the statement reads with a terminating semicolon.


export enum BaseRoles {
EVENTS_MANAGER = "manage:events",
TICKETS_SCANNER = "scan:tickets",
TICKETS_MANAGER = "manage:tickets",
Expand All @@ -21,19 +23,25 @@ export enum AppRoles {
VIEW_EXTERNAL_MEMBERSHIP_LIST = "view:externalMembershipList",
MANAGE_EXTERNAL_MEMBERSHIP_LIST = "manage:externalMembershipList",
ALL_ORG_MANAGER = "manage:orgDefinitions",
AT_LEAST_ONE_ORG_MANAGER = "manage:someOrg" // THIS IS A FAKE ROLE - DO NOT ASSIGN IT MANUALLY - only used for permissioning
VIEW_USER_INFO = "view:userInfo",
}

export enum MetaRoles {
AT_LEAST_ONE_ORG_MANAGER = `${META_ROLE_PREFIX}manage:someOrg`,
}
export const PSUEDO_ROLES = [AppRoles.AT_LEAST_ONE_ORG_MANAGER]

export const AppRoles = { ...BaseRoles, ...MetaRoles } as const;
export type AppRoles = BaseRoles | MetaRoles;
export const orgRoles = ["LEAD", "MEMBER"] as const;
export type OrgRole = typeof orgRoles[number];
export type OrgRoleDefinition = {
org: typeof AllOrganizationNameList[number],
role: OrgRole
}
Comment on lines 36 to 40
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix formatting issues in type definitions.

Multiple formatting issues that will cause prettier/ESLint failures.

Apply this diff:

-export type OrgRole = typeof orgRoles[number];
+export type OrgRole = (typeof orgRoles)[number];
 export type OrgRoleDefinition = {
-  org: typeof AllOrganizationNameList[number],
-  role: OrgRole
-}
+  org: (typeof AllOrganizationNameList)[number];
+  role: OrgRole;
+};
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
export type OrgRole = typeof orgRoles[number];
export type OrgRoleDefinition = {
org: typeof AllOrganizationNameList[number],
role: OrgRole
}
export type OrgRole = (typeof orgRoles)[number];
export type OrgRoleDefinition = {
org: (typeof AllOrganizationNameList)[number];
role: OrgRole;
};
🧰 Tools
🪛 ESLint

[error] 36-36: Replace typeof·orgRoles with (typeof·orgRoles)

(prettier/prettier)

[error] 38-38: Replace typeof·AllOrganizationNameList[number], with (typeof·AllOrganizationNameList)[number];

(prettier/prettier)

[error] 39-39: Insert ;

(prettier/prettier)

[error] 40-40: Insert ;

(prettier/prettier)

🤖 Prompt for AI Agents 
In src/common/roles.ts around lines 36 to 40, the OrgRoleDefinition type is
incorrectly formatted (uses commas and inconsistent punctuation) which triggers
prettier/ESLint errors; update the type to use proper TypeScript punctuation and
consistent spacing by replacing the commas with semicolons and ensuring the
object type ends with a semicolon (i.e., "org: typeof
AllOrganizationNameList[number]; role: OrgRole;") and keep the export lines
properly terminated.


export const allAppRoles = Object.values(AppRoles).filter(
export const allAppRoles = Object.values(BaseRoles).filter(
(value) => typeof value === "string",
).filter(value => !PSUEDO_ROLES.includes(value)); // don't assign psuedo roles by default
);

export const AppRoleHumanMapper: Record<AppRoles, string> = {
[AppRoles.EVENTS_MANAGER]: "Events Manager",
Expand All @@ -54,4 +62,5 @@ export const AppRoleHumanMapper: Record<AppRoles, string> = {
[AppRoles.MANAGE_EXTERNAL_MEMBERSHIP_LIST]: "External Membership List Manager",
[AppRoles.ALL_ORG_MANAGER]: "Organization Definition Manager",
[AppRoles.AT_LEAST_ONE_ORG_MANAGER]: "Manager of at least one org",
[AppRoles.VIEW_USER_INFO]: "User Information Viewer"
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Add missing trailing comma.

The last entry in the AppRoleHumanMapper object is missing a trailing comma, which will cause prettier/ESLint failures.

Apply this diff:

-  [AppRoles.VIEW_USER_INFO]: "User Information Viewer"
+  [AppRoles.VIEW_USER_INFO]: "User Information Viewer",
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
[AppRoles.VIEW_USER_INFO]: "User Information Viewer"
[AppRoles.VIEW_USER_INFO]: "User Information Viewer",
🧰 Tools
🪛 ESLint

[error] 65-65: Insert ,

(prettier/prettier)

🤖 Prompt for AI Agents 
In src/common/roles.ts around line 65, the AppRoleHumanMapper object's final
entry "[AppRoles.VIEW_USER_INFO]: "User Information Viewer"" is missing a
trailing comma; add a trailing comma at the end of that line so the object ends
with a comma to satisfy Prettier/ESLint formatting rules.

}
Loading