Conversation

@Achintya-Chatterjee
Contributor

@Achintya-Chatterjee Achintya-Chatterjee commented Dec 11, 2025

Date: December 11, 2025

Developer Name: @Achintya-Chatterjee

Issue Ticket Number

Description

  • reject POST /progresses when roles.archived is true or roles.in_discord is not true
  • centralise the Discord-member test fixture helper and re-use it across progress integration suites
  • add regression test proving non-Discord users receive UNAUTHORIZED_WRITE

Documentation Updated?

  • Yes
  • No

Under Feature Flag

  • Yes
  • No

Database Changes

  • Yes
  • No

Breaking Changes

  • Yes
  • No

Development Tested?

  • Yes
  • No

Screenshots

Screenshot 1
Screen.Recording.2025-12-11.at.21.26.24.mp4

Test Coverage

Screenshot 1
  Screenshot 2025-12-11 at 21 30 56
  Screenshot 2025-12-11 at 22 37 57

Additional Notes

- block POST /progresses when the requester is archived or lacks in_discord role
- adjust test fixtures to model active members and add a regression test rejecting non-discord users
@Achintya-Chatterjee Achintya-Chatterjee self-assigned this Dec 11, 2025
@Achintya-Chatterjee Achintya-Chatterjee added bug Something isn't working bug-fix Fixing a bug backend labels Dec 11, 2025
@coderabbitai
coderabbitai bot commented Dec 11, 2025

Walkthrough

Authorization logic in createProgress endpoint strengthened to require non-archived status and Discord membership using optional chaining. Corresponding test files updated with a reusable withDiscordMembership helper to ensure test users meet the new authorization requirements.

Changes

Cohort / File(s): Authorization logic updates
  controllers/progresses.js
  Summary: Modified createProgress authorization to use optional chaining on req.userData.roles and forbid requests when archived is true or in_discord is not true, making checks stricter and null-safe.

Cohort / File(s): Test setup and fixtures
  test/integration/progressesTasks.test.js, test/integration/progressesUsers.test.js
  Summary: Introduced withDiscordMembership(user) helper function across both test files to augment user objects with archived: false and in_discord: true. Updated multiple test setup blocks to wrap user creation with this helper. Added new test case in progressesUsers.test.js validating 403 response when user is not in Discord.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Authorization logic change: Review the optional chaining implementation and new conditional guard in createProgress to ensure it correctly forbids unauthorized requests without unintended side effects.
  • Test coverage alignment: Verify that the helper function is applied consistently across all test fixtures and that the new test case properly validates the 403 scenario for non-Discord users.

Possibly related PRs

Suggested reviewers

  • AnujChhikara

Poem

🐰 With optional chains we safely check,
Discord membership kept in deck,
Archived flags are turned away,
Authorization tight each day!
Tests aligned, the logic gleams—
Stronger controls in all our schemes!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  Title check: Passed. The title accurately summarizes the main change: enforcing Discord membership requirements for progress updates in the POST /progresses endpoint.
  Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  Description check: Passed. The pull request description clearly outlines the changes: enforcing Discord membership checks for the POST /progresses endpoint, centralizing test fixtures with a helper function, and adding regression tests.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b81a17 and f5fe2dc.

📒 Files selected for processing (3)
  • controllers/progresses.js (1 hunks)
  • test/integration/progressesTasks.test.js (6 hunks)
  • test/integration/progressesUsers.test.js (7 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
test/integration/progressesUsers.test.js (2)
controllers/progresses.js (3)
  • require (1-1)
  • require (3-9)
  • require (10-10)
test/integration/progressesTasks.test.js (3)
  • require (11-15)
  • require (19-19)
  • withDiscordMembership (23-26)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build (22.10.0)
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (6)
controllers/progresses.js (1)

49-51: Authorization logic correctly enforces Discord membership.

The check appropriately uses optional chaining on req.userData.roles and strictly validates both archived status and Discord membership. This prevents archived users and non-Discord members from creating progress updates.

Note: This assumes req.userData is always defined at this point (typically guaranteed by authentication middleware). If there's any path where req.userData could be undefined, consider adding optional chaining: req.userData?.roles?.archived.

test/integration/progressesUsers.test.js (3)

45-48: Good: Test fixtures updated to reflect Discord membership requirement.

Wrapping user fixtures with withDiscordMembership ensures tests reflect the new authorization requirements while maintaining existing test behavior.


166-184: Excellent regression test for non-Discord users.

The test correctly validates that users without Discord membership receive a 403 response. The unique username and github_id generation prevents fixture collisions.


193-195: Consistent test data setup across all test suites.

All test users are now properly configured with Discord membership, ensuring tests accurately reflect the production authorization requirements.

Also applies to: 298-299, 370-371, 453-454

test/integration/progressesTasks.test.js (2)

49-51: Good: Intentional omission of Discord membership for archived user test.

Line 50 correctly creates archivedUserId without withDiscordMembership, allowing the test at lines 178-192 to validate that archived or non-Discord users are properly blocked. This provides coverage for the archived status check in the authorization logic.


204-205: Consistent test fixture updates for Discord membership.

All test users in GET endpoint tests are now properly configured with Discord membership, aligning with the updated authorization requirements.

Also applies to: 401-401, 477-477, 564-564
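The guard that the PR description and the review comments above describe (deny when roles.archived is true or roles.in_discord is not true, with optional chaining so a missing roles object is a deny rather than a crash) and the withDiscordMembership fixture helper, written out as an added example. This is illustration code, not the PR's or the project's own code; the names canWriteProgress, requireDiscordMember, runGuard, fakeRes, the UNAUTHORIZED_WRITE message text and the sample users are assumptions constructed for this example.

```javascript
// Added example, not code from the PR or the project: a null-safe guard for
// POST /progresses that denies archived users and non-Discord members, plus
// the withDiscordMembership fixture helper. The names canWriteProgress,
// requireDiscordMember, runGuard, fakeRes and the UNAUTHORIZED_WRITE message
// text are assumptions for illustration.

const UNAUTHORIZED_WRITE = "Unauthorized to write"; // assumed message text

// Pure decision function. Optional chaining turns a missing userData or roles
// object into a deny instead of a TypeError, and strict equality means only
// the boolean true satisfies in_discord (the string "true" does not).
function canWriteProgress(userData) {
  const roles = userData?.roles;
  if (roles?.archived === true) return false;
  if (roles?.in_discord !== true) return false;
  return true;
}

// Express-style middleware around the decision: 403 on deny, next() otherwise.
function requireDiscordMember(req, res, next) {
  if (!canWriteProgress(req?.userData)) {
    return res.status(403).json({ message: UNAUTHORIZED_WRITE });
  }
  return next();
}

// Test-fixture helper: mark a user as an active Discord member so that test
// users keep passing the guard. Any roles already on the user are preserved.
function withDiscordMembership(user) {
  return {
    ...user,
    roles: { ...(user.roles ?? {}), archived: false, in_discord: true },
  };
}

// Minimal fake response object so the middleware can be exercised offline.
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => {
    res.statusCode = code;
    return res;
  };
  res.json = (payload) => {
    res.body = payload;
    return res;
  };
  return res;
}

// Run the middleware for one requester and report what it did.
function runGuard(userData) {
  const res = fakeRes();
  let nextCalled = false;
  requireDiscordMember({ userData }, res, () => {
    nextCalled = true;
  });
  return { statusCode: res.statusCode, body: res.body, nextCalled };
}

// Constructed sample requesters (not real users), covering the edge cases.
const samples = {
  activeMember: withDiscordMembership({ username: "alice" }),
  archivedMember: { username: "bob", roles: { in_discord: true, archived: true } },
  noDiscordRole: { username: "carol", roles: {} },
  stringFlag: { username: "dave", roles: { in_discord: "true" } },
  noUserData: undefined,
};

for (const [name, userData] of Object.entries(samples)) {
  const result = runGuard(userData);
  console.log(name, result.nextCalled ? "allowed" : `denied ${result.statusCode}`);
}
```

Only activeMember reaches the handler; the archived member, the user with no in_discord role, the user whose flag is the string "true", and a request with no userData at all are each answered with 403 and the UNAUTHORIZED_WRITE message, which is the regression the PR's new test pins down.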

- reject POST /progresses when roles.archived is true or roles.in_discord is not true
- centralize Discord-member test fixture helper and re-use it across progress integration suites
- add regression test proving non-Discord users receive UNAUTHORIZED_WRITE
@iamitprakash iamitprakash merged commit 8c1d2a6 into develop Dec 11, 2025
6 of 7 checks passed
@iamitprakash iamitprakash deleted the fix/task-progress-API branch December 11, 2025 18:22
@Achintya-Chatterjee Achintya-Chatterjee mentioned this pull request Dec 11, 2025

Development

Successfully merging this pull request may close these issues.

fix: Restrict /progresses POST endpoint to Discord members