fix: enforce organization affiliation policy during role moves (CM-1132)#4079
Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>
…ole merge Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>
Pull request overview
This PR updates merge/unmerge flows and various ingestion paths to consistently enforce organization affiliation policy (organizations.isAffiliationBlocked) by fetching policies in bulk and applying affiliation override updates when member-organization roles are created or moved.
Changes:
- Replace single-org / set-based policy checks with `fetchManyOrganizationAffiliationPolicies()` returning a `Map<orgId, isBlocked>`.
- Enforce affiliation policy when moving roles during org/member merge flows, and propagate a `shouldRecalculateAffiliations` signal to the org-merge Temporal workflow.
- Apply policy-based `allowAffiliation=false` overrides in several role-creation paths (enrichment, stint inference, API create, scripts) using batched policy fetches.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| services/libs/data-access-layer/src/members/organizations.ts | Introduces bulk policy fetch Map and applies policy-aware override handling during role moves/merges (also returns recalc hint). |
| services/libs/common_services/src/services/member/unmerge.ts | Restores org-level policy blocks when re-adding roles on member unmerge. |
| services/libs/common_services/src/services/common.member.service.ts | Switches role creation policy check to the new bulk-fetch helper. |
| services/apps/members_enrichment_worker/src/activities/enrichment.ts | Batches policy fetch and batches override writes for enrichment-updated roles. |
| services/apps/entity_merging_worker/src/workflows/all.ts | Renames/repurposes org-merge workflow flag to shouldRecalculateAffiliations. |
| services/apps/data_sink_worker/src/service/organization.service.ts | Uses new bulk policy fetch to decide which new roles get overrides. |
| services/apps/cron_service/src/jobs/inferMemberOrganizationStintChanges.job.ts | Uses new bulk policy fetch for EMAIL_DOMAIN-created roles. |
| backend/src/services/organizationService.ts | Consumes shouldRecalculateAffiliations from role moves and passes it to the Temporal workflow; removes direct org-wide policy application in merge flow. |
| backend/src/services/member/memberOrganizationsService.ts | Switches role creation policy check to the new bulk-fetch helper. |
| backend/src/bin/scripts/backfill-email-domain-member-organization-dates.ts | Switches to new bulk-fetch helper when applying policy overrides during backfill. |
| backend/src/api/public/v1/members/work-experiences/createMemberWorkExperience.ts | Switches role creation policy check to the new bulk-fetch helper. |
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 1160206.
…32) (#4079) Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>

Summary
`fetchManyOrganizationAffiliationPolicies`.
`allowAffiliation = false` overrides from leaking when moving roles into an unblocked org, while preserving manual blocks and primary work experience.

Note
Medium Risk
Changes merge/unmerge role-movement logic and when affiliation overrides are created/retained, which can impact downstream affiliation recalculation and activity/org attribution. Risk is moderated by being mostly policy-check refactors plus more explicit override resolution, but it touches core merge flows and background workflows.
Overview
Ensures organization-level affiliation blocking is consistently enforced whenever member-organization roles are created or moved, including member/org merge and member unmerge flows, while avoiding stale policy-driven `allowAffiliation=false` overrides leaking into unblocked orgs.

Replaces per-org/set-based policy checks with a batched `fetchManyOrganizationAffiliationPolicies` API (returning a `Map<orgId, boolean>`) and updates callers across API handlers, jobs/scripts, enrichment, and workers.

Refactors role move/merge logic to compute overrides based on target org policy, preserve manual row-level blocks and `isPrimaryWorkExperience`, and to return/propagate a `shouldRecalculateAffiliations` flag so `finishOrganizationMerging` only triggers affiliation recalculation when needed.

Reviewed by Cursor Bugbot for commit f3f0b8c. Bugbot is set up for automated code reviews on this repo.
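
The override resolution described in the Overview, as an added TypeScript example that is not part of the pull request or the project's code. The `RoleOverride`, `MovedRole`, `manualBlock` and `resolveOverridesForMove` names are hypothetical, and treating a changed `allowAffiliation` value as the trigger for `shouldRecalculateAffiliations` is an assumption.

```typescript
// Added illustration: type and field names below are hypothetical, not the project's code.
interface RoleOverride {
  allowAffiliation: boolean
  isPrimaryWorkExperience: boolean
  manualBlock: boolean // assumption: true when a person blocked this row by hand
}
interface MovedRole { roleId: string; targetOrgId: string; override?: RoleOverride }
interface MoveResult {
  overrides: Map<string, RoleOverride>
  shouldRecalculateAffiliations: boolean
}

// `policies` has the Map<orgId, isBlocked> shape the PR describes for the bulk fetch.
function resolveOverridesForMove(roles: MovedRole[], policies: Map<string, boolean>): MoveResult {
  const overrides = new Map<string, RoleOverride>()
  let shouldRecalculateAffiliations = false
  for (const role of roles) {
    const targetBlocked = policies.get(role.targetOrgId)
    // A target org absent from the batch is an error, never an implicit "not blocked".
    if (targetBlocked === undefined) {
      throw new Error(`no affiliation policy fetched for org ${role.targetOrgId}`)
    }
    const manualBlock = role.override?.manualBlock === true
    // Recompute from the target org's policy; only a manual block travels with the row.
    const allowAffiliation = !(targetBlocked || manualBlock)
    const previousAllow = role.override?.allowAffiliation ?? true
    if (previousAllow !== allowAffiliation) shouldRecalculateAffiliations = true
    overrides.set(role.roleId, {
      allowAffiliation,
      isPrimaryWorkExperience: role.override?.isPrimaryWorkExperience ?? false,
      manualBlock,
    })
  }
  return { overrides, shouldRecalculateAffiliations }
}

// Constructed sample data: a stale policy block, a manual block, and a new role in a blocked org.
const samplePolicies = new Map<string, boolean>([['org-open', false], ['org-blocked', true]])
const sampleRoles: MovedRole[] = [
  { roleId: 'r1', targetOrgId: 'org-open',
    override: { allowAffiliation: false, isPrimaryWorkExperience: true, manualBlock: false } },
  { roleId: 'r2', targetOrgId: 'org-open',
    override: { allowAffiliation: false, isPrimaryWorkExperience: false, manualBlock: true } },
  { roleId: 'r3', targetOrgId: 'org-blocked' },
]
const sampleResult = resolveOverridesForMove(sampleRoles, samplePolicies)
```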