This PR allows machine identities to query the list of org members
Screenshots
Steps to verify the change
Type
Fix
Feature
Improvement
Breaking
Docs
Chore
Checklist
Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
Removed the if (req.auth.actor !== ActorType.USER) return; early-exit check from the organization members list endpoint (/:organizationId/memberships) to allow machine identities to query organization members. Refactored the findAllOrgMembers service function signature from positional parameters to an object-based parameter using the TFindAllOrgMembersDTO type (which extends TOrgPermission), making it consistent with similar endpoints like findAllWorkspaces.
Key changes:
Router now passes req.permission.type as the actor field instead of hardcoding ActorType.USER
Permission checks in the service layer properly validate that the requesting identity has OrgPermissionActions.Read permission for OrgPermissionSubjects.Member
The endpoint already had AuthMode.IDENTITY_ACCESS_TOKEN in its auth modes but was blocked at the handler level
Analysis:
The permission system properly restricts access - machine identities must have the appropriate Read permission on the Member subject to access this endpoint. This is consistent with the pattern used in the /:organizationId/workspaces endpoint which already allows identities. The data returned includes user information (emails, names, roles) which may be sensitive, but access is properly gated by the RBAC permission system.
Confidence Score: 4/5
This PR is safe to merge with low risk, assuming proper identity permission configuration
The change properly extends identity access to the org members list endpoint while maintaining existing permission checks. The permission validation (OrgPermissionActions.Read on OrgPermissionSubjects.Member) ensures only authorized identities can access member data. The pattern is consistent with the workspaces endpoint. Minor concern: organization member data (emails, names, roles) is potentially sensitive, so teams should ensure machine identities are granted appropriate minimal permissions.
No files require special attention - the changes are straightforward and properly validated
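The gating pattern the review describes, as an added TypeScript example that is not the project's code: the enum, type and function names (ActorType, OrgPermissionActions, OrgPermissionSubjects, TOrgPermission, TFindAllOrgMembersDTO, findAllOrgMembers) are taken from the review above, but their bodies, the request shape, the grant store and the sample members are assumptions constructed for this example. It puts the handler with the removed actor-type early exit beside the refactored one and shows that, after the change, access for a machine identity is decided by the Member:Read grant in the service layer, which is the property a reviewer would want to confirm before merging.

```typescript
// Added example (hypothetical model, not Infisical's code). Names mirror the
// review; the implementations, grant store and sample data are constructed.

enum ActorType {
  USER = "user",
  IDENTITY = "identity",
}

enum OrgPermissionActions {
  Read = "read",
  Edit = "edit",
}

enum OrgPermissionSubjects {
  Member = "member",
  Workspace = "workspace",
}

type TOrgPermission = { actor: ActorType; actorId: string; orgId: string };
// The DTO extends TOrgPermission; this model adds no extra fields.
type TFindAllOrgMembersDTO = TOrgPermission;

type Grant = { action: OrgPermissionActions; subject: OrgPermissionSubjects };
type OrgMember = { email: string; name: string; role: string };

// Constructed sample data: one org with two members.
const ORG_MEMBERS: Record<string, OrgMember[]> = {
  "org-1": [
    { email: "alice@example.com", name: "Alice", role: "admin" },
    { email: "bob@example.com", name: "Bob", role: "member" },
  ],
};

// Constructed role bindings, keyed by "<orgId>:<actorType>:<actorId>".
const GRANTS: Record<string, Grant[]> = {
  "org-1:user:u-alice": [
    { action: OrgPermissionActions.Read, subject: OrgPermissionSubjects.Member },
    { action: OrgPermissionActions.Edit, subject: OrgPermissionSubjects.Member },
  ],
  // CI identity: scoped to reading members only.
  "org-1:identity:id-ci": [
    { action: OrgPermissionActions.Read, subject: OrgPermissionSubjects.Member },
  ],
  // Deploy identity: may read workspaces but was never granted Member:Read.
  "org-1:identity:id-deploy": [
    { action: OrgPermissionActions.Read, subject: OrgPermissionSubjects.Workspace },
  ],
};

class ForbiddenRequestError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ForbiddenRequestError";
  }
}

function getOrgPermission({ actor, actorId, orgId }: TOrgPermission): Grant[] {
  return GRANTS[`${orgId}:${actor}:${actorId}`] ?? [];
}

function can(grants: Grant[], action: OrgPermissionActions, subject: OrgPermissionSubjects): boolean {
  return grants.some((g) => g.action === action && g.subject === subject);
}

// Service layer. The gate is the RBAC grant, not the actor's type, so a machine
// identity and a user are held to the same Member:Read requirement.
function findAllOrgMembers(dto: TFindAllOrgMembersDTO): OrgMember[] {
  const grants = getOrgPermission(dto);
  if (!can(grants, OrgPermissionActions.Read, OrgPermissionSubjects.Member)) {
    throw new ForbiddenRequestError(`${dto.actor} ${dto.actorId} lacks Member:Read in ${dto.orgId}`);
  }
  return ORG_MEMBERS[dto.orgId] ?? [];
}

// Assumed shape of the incoming request for GET /:organizationId/memberships.
type MembersRequest = {
  params: { organizationId: string };
  auth: { actor: ActorType };
  permission: { type: ActorType; id: string };
};

function makeRequest(actor: ActorType, actorId: string, orgId: string): MembersRequest {
  return { params: { organizationId: orgId }, auth: { actor }, permission: { type: actor, id: actorId } };
}

type Outcome = "allowed" | "forbidden" | "skipped";

function run(fn: () => OrgMember[]): Outcome {
  try {
    fn();
    return "allowed";
  } catch (e) {
    if ((e as Error).name === "ForbiddenRequestError") return "forbidden";
    throw e;
  }
}

// Handler before the PR: an actor-type early exit sits in front of the RBAC
// check, and the actor passed to the service is hardcoded to USER.
function listMembersBefore(req: MembersRequest): Outcome {
  if (req.auth.actor !== ActorType.USER) return "skipped";
  return run(() =>
    findAllOrgMembers({ actor: ActorType.USER, actorId: req.permission.id, orgId: req.params.organizationId })
  );
}

// Handler after the PR: the early exit is gone and req.permission.type is
// passed through, so the service-layer grant check alone decides.
function listMembersAfter(req: MembersRequest): Outcome {
  return run(() =>
    findAllOrgMembers({ actor: req.permission.type, actorId: req.permission.id, orgId: req.params.organizationId })
  );
}
```

Calling listMembersAfter with the deploy identity, which holds only a Workspace:Read grant, returns "forbidden", while the CI identity with Member:Read is allowed; the exposure of member emails, names and roles is therefore bounded by the role binding rather than by the actor's type, which is what the "minimal permissions" note in the review depends on.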