fix: create org membership when creating a user (#100) #105
Open
christianromeni wants to merge 2 commits into
Conversation
Users created via the system-users page were inserted with no org_membership row. On login, ResolveUserRole returned an empty org for system admins, so CreateAPIKey hit a FOREIGN KEY violation on api_keys.org_id and login failed with a 500; plain members got a 401. Every user now always belongs to an organization. CreateUser requires org_id and creates the user and membership atomically in one transaction (CreateUserWithMembership). org_admin callers may only target their own org and may not assign the org_admin role - only system admins can. User creation now writes an audit event. A defensive login guard turns the legacy empty-org case into a generic 401 (logged server-side) instead of a 500, so pre-existing org-less users from the old bug fail cleanly. The create-user dialog gains a required organization selector. Fixes #100
✅ Snyk checks have passed. No issues have been found so far.
Codecov Report❌ Patch coverage is
bcrypt rejects inputs longer than 72 bytes with ErrPasswordTooLong, so CreateUser/UpdateUser would 500 on a valid-looking long password. Cap at 72 bytes and map ErrPasswordTooLong to 400 defensively.
Fixes #100
Problem
A user created via the system-users page was inserted with no org_membership row. On login, ResolveUserRole returned an empty org for a system admin, so CreateAPIKey hit a FOREIGN KEY constraint failed on api_keys.org_id and login failed with a 500 (auth.go:159 in the report). A plain member got a 401 "no organization membership". Either way the new user could never log in.
Fix
Invariant: every user always belongs to an organization.
- CreateUser now requires org_id and creates the user + membership atomically in one transaction (CreateUserWithMembership). A FK violation on a non-existent org rolls back the user insert and returns 400.
- org_admin callers may only target their own org and may not assign the org_admin role - only system admins can (mirrors the existing is_system_admin gate).
- User creation now writes an audit event (user_created, metadata only - never the password).
Existing data
Users created org-less by the old bug cannot log in (clean 401). Assign them to an org via Organizations → Members; no automatic migration since the target org is ambiguous.
Tests
CreateUserWithMembership: happy path, FK rollback (no orphan user), role stored, duplicate email. go test -race ./internal/db/ ./internal/api/admin/ and tsc --noEmit clean.
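The invariant and guards this PR describes, as an added example that is not the project's code: an in-memory SQLite schema mirroring the tables the PR names (organizations, users, org_membership; column names, the request/caller shapes and the role strings are assumptions), the atomic user + membership insert that rolls back on a FK failure so no orphan user is left, the org_admin targeting rule, and the login guard that turns a legacy org-less user into a 401.

```python
import sqlite3

# Constructed schema mirroring the tables the PR names (org_membership, users,
# organizations); column names and role strings are assumptions.
SCHEMA = """
CREATE TABLE organizations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE org_membership (user_id INTEGER NOT NULL REFERENCES users(id),
    org_id INTEGER NOT NULL REFERENCES organizations(id), role TEXT NOT NULL,
    PRIMARY KEY (user_id, org_id));
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when this is on
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO organizations (id, name) VALUES (1, 'acme')")
    conn.commit()
    return conn

def authorize_create(caller, req):
    """org_admin callers may only target their own org and may not grant org_admin."""
    if caller["is_system_admin"]:
        return True
    return req["org_id"] == caller["org_id"] and req["role"] != "org_admin"

def create_user_with_membership(conn, email, org_id, role):
    """User + membership in one transaction: a FK failure on org_id rolls back the user row too."""
    with conn:  # commits on normal exit, rolls back if the block raises
        cur = conn.execute("INSERT INTO users (email) VALUES (?)", (email,))
        conn.execute("INSERT INTO org_membership (user_id, org_id, role) VALUES (?, ?, ?)",
                     (cur.lastrowid, org_id, role))
        return cur.lastrowid

def create_user_handler(conn, caller, req):
    """Request flow: required org_id, then authorization, then the atomic insert."""
    if not req.get("org_id"):
        return 400, None
    if not authorize_create(caller, req):
        return 403, None
    try:
        return 201, create_user_with_membership(conn, req["email"], req["org_id"], req["role"])
    except sqlite3.IntegrityError:  # non-existent org (FK) or duplicate email: 400, no orphan user
        return 400, None

def login_status(conn, user_id):
    """Login guard: a user with no membership gets a generic 401 instead of a FK 500 later on."""
    row = conn.execute("SELECT org_id FROM org_membership WHERE user_id = ?", (user_id,)).fetchone()
    return 401 if row is None else 200
```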