fix: scope eligible residents query to class facility (ID-686)

[corypride]

Fix

Made the backend authoritative: changed the WHERE clause in GetEligibleResidentsForClass to filter on c.facility_id (the class's own facility via the already-joined program_classes table) instead of args.FacilityID.

This holds regardless of caller role or what facility_id is passed in the request.

Files Changed

backend/src/database/users.go

• One-line filter change in GetEligibleResidentsForClass

backend/tests/integration/class_enrollments_test.go

• Added TestEligibleResidentsFilteredByClassFacility covering:
  • Only unenrolled facility-A students are returned
  • Already-enrolled residents are excluded
  • Deactivated residents are excluded
  • Facility-B residents are excluded even when a department admin passes facility_id=B

Not Changed

frontend/src/pages/class-detail/EnrollResidentsModal.tsx

• Already passes facility_id=${classFacilityId}
• Kept as-is, but it is no longer the security boundary

getQueryContext facility logic

• Other endpoints depend on it
• Left unchanged

Testing

Integration Test

• Verifies facility isolation is enforced independently of the request's facility_id

Manual Verification

1. Log in as a department admin
2. Open a class assigned to facility A
3. Click Add Resident
4. Verify that only facility-A residents are shown

---

• To see the specific tasks where the Asana app for GitHub is being used, see below:
  • https://app.asana.com/0/0/1215131303729115

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 604e768b-3874-46f1-86bc-fcabd2e74e6e

📥 Commits

Reviewing files that changed from the base of the PR and between 5f9c489 and d06c336.

📒 Files selected for processing (2)

• backend/src/database/users.go
• backend/tests/integration/class_enrollments_test.go

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes

  • Fixed resident eligibility filtering for classes to correctly associate students with their assigned facility, ensuring only residents from the appropriate facility are shown as eligible for enrollment.

• Tests

  • Added integration test to verify proper facility-based filtering of eligible unenrolled residents.

Walkthrough

The PR modifies how the eligible residents query determines facility scope in GetEligibleResidentsForClass. Rather than filtering by the request's facility context, residents are now filtered by the class's facility via a database join, then validated with a multi-facility integration test.

Changes

Class-based facility filtering

Layer / File(s)	Summary
Class facility filter implementation and test backend/src/database/users.go, backend/tests/integration/class_enrollments_test.go	GetEligibleResidentsForClass now filters eligible residents by the class's facility (users.facility_id = c.facility_id) instead of the request facility (args.FacilityID). A new integration test validates this behavior by requesting unenrolled residents for a facility-A class while supplying a facility-B context, asserting only active, unenrolled, facility-A residents are returned.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: scoping the eligible residents query to the class facility instead of the request context facility.
Description check	✅ Passed	The description is directly related to the changeset, explaining the backend fix and providing context about the facility scoping change with appropriate test coverage.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[carddev81]

Tested Good and code looks great