🐛 fix: failed to load member filtering options

[deleteLater]

Users without CanManageIAM permission cannot load the member filtering options

[Copilot]

Pull request overview

Fixes member lookup/filtering failures for users without CanManageIAM by moving “member search/list” usage off the IAM-gated members API and onto organization-scoped endpoints, plus adjusts SSO org-selection flow and related UI.

Changes:

• Front-end: replace TeamService.search() / MemberService.getList() usage with OrganizationService.getMemberList() for member lookups in multiple screens.
• Back-end: add organization-scoped member list endpoint and refactor organization listing to be workspace-scoped (GetUserOrganizationsAsync).
• Cleanup/UI: remove TeamService, introduce loading spinner on org selection, and update a few localization strings/line mappings.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
modules/front-end/src/styles/nz-select.less	Removes a multiple-select placeholder top-margin override.
modules/front-end/src/locale/messages.zh.xlf	Updates source line references; minor string casing update.
modules/front-end/src/locale/messages.xlf	Updates source line references; minor string casing update.
modules/front-end/src/app/features/safe/select-organization/select-organization.module.ts	Adds NzSpinModule to support loading spinner.
modules/front-end/src/app/features/safe/select-organization/select-organization.component.ts	Adds loading state; switches SSO flow to addMember and navigates after success.
modules/front-end/src/app/features/safe/select-organization/select-organization.component.less	Adds styling for loading container/spinner.
modules/front-end/src/app/features/safe/select-organization/select-organization.component.html	Shows spinner while switching org/adding member.
modules/front-end/src/app/features/safe/integrations/access-tokens/index/index.component.ts	Uses org-scoped member list for creator search (instead of removed TeamService).
modules/front-end/src/app/features/safe/iam/types/member.ts	Adds AddMemberPayload type used by member/org services.
modules/front-end/src/app/features/safe/iam/team/index/index.component.ts	Removes unused imports/injections (Router/encode helper).
modules/front-end/src/app/features/safe/iam/team/index/index.component.html	Updates “Remove from organization” casing.
modules/front-end/src/app/features/safe/feature-flags/details/audit-logs/audit-logs.component.ts	Formatting-only constructor simplification.
modules/front-end/src/app/core/services/team.service.ts	Deletes TeamService (replaced by org-scoped member list).
modules/front-end/src/app/core/services/organization.service.ts	Adds addMember + getMemberList (org-scoped member lookup).
modules/front-end/src/app/core/services/member.service.ts	Adds addMember against members API.
modules/front-end/src/app/core/services/broadcast.service.ts	Removes unused pathname destructuring.
modules/front-end/src/app/core/components/metric-drawer/metric-drawer.component.ts	Uses org-scoped member list for maintainer search.
modules/front-end/src/app/core/components/member-drawer/member-drawer.component.ts	Uses MemberService.addMember instead of organization “add-user”.
modules/front-end/src/app/core/components/change-review/change-review.component.ts	Uses org-scoped member list for reviewer search; replaces BehaviorSubject with Subject.
modules/front-end/src/app/core/components/audit-logs/audit-logs.component.ts	Uses org-scoped member list for member filter/search.
modules/back-end/src/Infrastructure/Services/MongoDb/OrganizationService.cs	Renames org list method and scopes by workspace; removes unused remove-user method.
modules/back-end/src/Infrastructure/Services/EntityFrameworkCore/OrganizationService.cs	Same as MongoDB implementation.
modules/back-end/src/Application/Services/IOrganizationService.cs	Renames org list method signature; removes remove-user API.
modules/back-end/src/Application/Organizations/RemoveMember.cs	Removes obsolete remove-user request/handler.
modules/back-end/src/Application/Organizations/GetOrganizationList.cs	Uses workspace-scoped org listing; minor handler refactor.
modules/back-end/src/Application/Members/RemoveFromWorkspace.cs	Removes member from orgs only within current workspace.
modules/back-end/src/Application/Members/RemoveFromOrganization.cs	Minor handler refactor.
modules/back-end/src/Application/Members/AddMember.cs	Renames/moves AddUser → AddMember; retains “default permissions if none provided”.
modules/back-end/src/Api/Swagger/WorkspaceHeaderParameter.cs	Updates Swagger description for workspace header.
modules/back-end/src/Api/Swagger/OrganizationHeaderParameter.cs	Updates Swagger description for org header.
modules/back-end/src/Api/Controllers/OrganizationController.cs	Adds /members endpoint and renames add-user route to /add-member.
modules/back-end/src/Api/Controllers/MemberController.cs	Adds members POST /add endpoint (IAM-gated controller) and trims redundant remarks.

Comments suppressed due to low confidence (1)

modules/back-end/src/Application/Members/AddMember.cs:90

• AddMemberHandler performs no authorization checks and can register/invite arbitrary emails into an organization. With the new unauthenticated-by-permission OrganizationController routes calling this handler, this becomes an escalation path.

Consider splitting the use cases: keep an admin-only “add member” command (requires CanManageIAM) and introduce a separate, tightly-scoped “self join organization” flow for SSO first login that only allows adding the current user to an organization (and validates workspace/org membership constraints).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 35 out of 35 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

modules/front-end/src/app/core/components/audit-logs/audit-logs.component.ts:103

• The error toast still says "Failed to load team members" even though the data is now fetched via OrganizationService.getMemberList (organization members). This message is user-facing and should match the current domain terminology.

Update the localized message string (and/or its i18n id if appropriate) to avoid confusion.

    this.organizationService.getMemberList(new MemberFilter(query ?? '')).subscribe({
      next: (members) => {
        this.memberListModel = members;
        this.membersLoading = false;
      },
      error: () => {
        this.msg.error($localize `:@@auditlogs.idx.failed-to-load-members:Failed to load team members`);
        this.membersLoading = false;

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.