feat(web): add GET /api/ee/user endpoint for owner user info#940
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Walkthrough

Adds a new GET /api/ee/user endpoint returning an authenticated owner's user info (name, email, createdAt, updatedAt). Introduces an "org-management" entitlement and enforces it in the GET /api/ee/users and the new GET /api/ee/user handlers, returning 403 when it is missing.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    actor Client
    participant API as "GET /api/ee/user"
    participant Auth as "withAuthV2"
    participant AuthZ as "withMinimumOrgRole (OWNER)"
    participant Service as "User Service"
    participant DB as "Database"
    Client->>API: GET /api/ee/user?userId=...
    API->>Auth: authenticate request
    Auth-->>API: authenticated identity
    API->>AuthZ: verify OWNER role & org-management entitlement
    AuthZ-->>API: authorization granted / denied
    alt authorized
        API->>Service: fetch user by id (name,email,createdAt,updatedAt)
        Service->>DB: query user
        DB-->>Service: record / null
        Service-->>API: user data / null
        alt user found
            API-->>Client: 200 OK + user info
        else not found
            API-->>Client: 404 Not Found
        end
    else forbidden
        API-->>Client: 403 Forbidden (service error)
    end
```
Actionable comments posted: 1
🧹 Nitpick comments (1)
packages/web/src/app/api/(server)/ee/user/route.ts (1)
49-49: `StatusCodes.OK` is the default for `Response.json`; consider omitting.

```diff
- return Response.json(result, { status: StatusCodes.OK });
+ return Response.json(result);
```

(The DELETE handler does the same at line 127, so keeping it for consistency is also a reasonable choice.)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/web/src/app/api/`(server)/ee/user/route.ts at line 49, The Response.json calls currently pass an explicit status using StatusCodes.OK which is unnecessary because Response.json defaults to 200; remove the redundant status option and return Response.json(result) instead where Response.json(result, { status: StatusCodes.OK }) is used (also update the matching DELETE handler that does the same) so the code uses the default status and stays concise.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `packages/web/src/app/api/(server)/ee/user/route.ts`:
- Around line 17-50: The GET handler currently returns user data without
creating an audit record; inside the withAuthV2 -> withMinimumOrgRole block (the
GET handler function), after successfully fetching userData (i.e., where
prisma.user.findUnique returns a result and before returning it), call
auditService.createAudit(...) to record the read action (use a consistent action
string like "user.view" or "user.get"), include relevant context such as org.id,
the acting user.id, and the target user id (user.id or the fetched user's id),
and only create the audit on successful retrieval (not on notFound or thrown
errors) so the handler mirrors the existing audit pattern used by the user.list
and user.delete handlers.
Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>
Look up the specified user by ID instead of returning the authenticated user's own info. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a new "org-management" entitlement to both enterprise plan tiers and gates the GET /api/ee/user and GET /api/ee/users endpoints behind it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `packages/web/src/app/api/(server)/ee/user/route.ts`:
- Around line 26-50: Both GET and DELETE handlers call withAuthV2 and
withMinimumOrgRole but use prisma.user.findUnique / prisma.user.delete directly
(these are not scoped by userScopedPrismaClientExtension), allowing OWNERs to
access or delete users across orgs; update both handlers to first verify org
membership via prisma.userToOrg (e.g., prisma.userToOrg.findFirst or findMany
with where: { userId, orgId: org.id }) and return notFound or a
forbidden/service error if no membership exists, then only call
prisma.user.findUnique or prisma.user.delete once membership is confirmed; keep
existing functions withAuthV2 and withMinimumOrgRole but add the explicit
org-membership check using the userToOrg relation before performing user
queries/deletes.
📒 Files selected for processing (3)

- packages/shared/src/entitlements.ts
- packages/web/src/app/api/(server)/ee/user/route.ts
- packages/web/src/app/api/(server)/ee/users/route.ts
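The two review findings above, the missing org-membership check before `prisma.user.findUnique` and the missing audit record on a successful read, can be seen side by side in a small in-memory model. The following is an added example, not code from this PR or from the project: `PrismaLike`, `makeFakePrisma`, the sample rows, `OrgContext`, `AuditEntry` and `handleGetUser` are constructed here, and the fake client is synchronous where real Prisma calls are awaited. Only the `userToOrg` relation, the `where: { userId, orgId }` shape and the `"user.view"` action string are taken from the review comments.

```typescript
// Added example (not the PR's or the project's code): models the GET /api/ee/user flow
// with the org-membership check and the success-only audit record the review asks for.
// Everything below is constructed for illustration; a synchronous fake stands in for Prisma.

type Role = "OWNER" | "MEMBER";
interface User { id: number; name: string; email: string; createdAt: Date; updatedAt: Date }
interface UserToOrg { userId: number; orgId: number; role: Role }

// The subset of the Prisma client the handler touches (assumed shape).
interface PrismaLike {
  user: { findUnique(args: { where: { id: number } }): User | null };
  userToOrg: { findFirst(args: { where: { userId: number; orgId: number } }): UserToOrg | null };
}

// Constructed sample rows: alice belongs to org 1, bob to org 2.
const T0 = new Date("2024-01-01T00:00:00Z");
const userRows: User[] = [
  { id: 1, name: "alice", email: "alice@example.test", createdAt: T0, updatedAt: T0 },
  { id: 2, name: "bob", email: "bob@example.test", createdAt: T0, updatedAt: T0 },
];
const membershipRows: UserToOrg[] = [
  { userId: 1, orgId: 1, role: "OWNER" },
  { userId: 2, orgId: 2, role: "OWNER" },
];

function makeFakePrisma(): PrismaLike {
  return {
    user: { findUnique: ({ where }) => userRows.find((u) => u.id === where.id) ?? null },
    userToOrg: {
      findFirst: ({ where }) =>
        membershipRows.find((m) => m.userId === where.userId && m.orgId === where.orgId) ?? null,
    },
  };
}

type UserInfo = Pick<User, "name" | "email" | "createdAt" | "updatedAt">;
const toUserInfo = ({ name, email, createdAt, updatedAt }: User): UserInfo =>
  ({ name, email, createdAt, updatedAt });

// The pattern the review flags: `user.findUnique` is not org-scoped, so any caller who
// passes the OWNER role check can read any user id in the whole database.
function getUserUnscoped(prisma: PrismaLike, userId: number): UserInfo | null {
  const row = prisma.user.findUnique({ where: { id: userId } });
  return row ? toUserInfo(row) : null;
}

// The fix: confirm the target is a member of the caller's org before touching `user`.
// A user outside the org is reported as not found rather than forbidden, so the endpoint
// does not confirm which ids exist in other orgs.
function getUserInOrg(prisma: PrismaLike, orgId: number, userId: number): UserInfo | null {
  const membership = prisma.userToOrg.findFirst({ where: { userId, orgId } });
  if (!membership) return null;
  const row = prisma.user.findUnique({ where: { id: userId } });
  return row ? toUserInfo(row) : null;
}

interface OrgContext { orgId: number; actorId: number; role: Role }
interface AuditEntry { action: string; orgId: number; actorId: number; targetUserId: number }
type Result = { status: 200; body: UserInfo } | { status: 403 | 404; body: { error: string } };

// Handler-shaped wrapper: OWNER gate (what withMinimumOrgRole provides), scoped lookup,
// and an audit record written only when the read actually succeeded.
function handleGetUser(prisma: PrismaLike, ctx: OrgContext, targetUserId: number, audit: AuditEntry[]): Result {
  if (ctx.role !== "OWNER") return { status: 403, body: { error: "forbidden" } };
  const info = getUserInOrg(prisma, ctx.orgId, targetUserId);
  if (!info) return { status: 404, body: { error: "not found" } };
  audit.push({ action: "user.view", orgId: ctx.orgId, actorId: ctx.actorId, targetUserId });
  return { status: 200, body: info };
}
```

With the sample rows, `getUserUnscoped(prisma, 2)` returns bob to an owner of org 1, while `getUserInOrg(prisma, 1, 2)` returns null; `handleGetUser` maps that to a 404 and leaves the audit list untouched. Returning 404 for a non-member is a design choice (the review also allows a forbidden/service error); the important part is that the membership row is consulted before the unscoped table is read.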
Summary

- `GET /api/ee/user` endpoint that returns the authenticated user's `name`, `email`, `createdAt`, and `updatedAt`
- `withMinimumOrgRole(role, OrgRole.OWNER)` (same as the `DELETE` handler) and sibling `/ee/users` route

Test plan

- `GET /api/ee/user` as an owner and verify it returns `{ name, email, createdAt, updatedAt }`
- `GET /api/ee/user` as a non-owner member and verify it returns a 403 forbidden response
- `GET /api/ee/user` without authentication and verify it returns a 401 response

🤖 Generated with Claude Code