@joeauyeung joeauyeung commented Nov 21, 2025

What does this PR do?

  • When removing hosts from an event type, validate that the passed eventTypeId and userIds belong to the team

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

Summary by cubic

Restrict host removal to team-owned event types and users in the team. Adds a teamId check and filters userIds to accepted members to prevent cross-team changes.

Written for commit 16f3ebd. Summary will update automatically on new commits.
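The ownership check this PR describes, written out as an added example that is not Cal.com's own code: the event type must belong to the requesting team, and the caller-supplied user IDs are narrowed to accepted members of that team before any host is removed. The in-memory tables, function names and record shapes are assumptions standing in for the project's Prisma models.

```typescript
// Added example (not Cal.com's code): authorization guard for removing hosts
// from a team event type. Record shapes and names are assumptions.

type Membership = { userId: number; teamId: number; accepted: boolean };
type EventType = { id: number; teamId: number | null };

// Constructed sample data standing in for the eventType and membership tables.
const eventTypes: EventType[] = [
  { id: 10, teamId: 1 },
  { id: 20, teamId: 2 },    // owned by a different team
  { id: 30, teamId: null },  // personal event type, no team at all
];
const memberships: Membership[] = [
  { userId: 100, teamId: 1, accepted: true },
  { userId: 101, teamId: 1, accepted: false }, // invited but not yet accepted
  { userId: 200, teamId: 2, accepted: true },  // accepted member of another team
];

// Mirrors the repository query the PR adds: restrict to the given team,
// keep only accepted memberships, and return just the userId column.
function findAcceptedMemberUserIds(userIds: number[], teamId: number): number[] {
  return memberships
    .filter((m) => m.teamId === teamId && m.accepted && userIds.includes(m.userId))
    .map((m) => m.userId);
}

// Returns the user IDs that may actually be removed as hosts. Throws when the
// event type is missing or not owned by the team; user IDs that are not
// accepted members of the team are dropped rather than acted on.
function authorizeHostRemoval(input: { teamId: number; eventTypeId: number; userIds: number[] }): number[] {
  const eventType = eventTypes.find((e) => e.id === input.eventTypeId);
  if (!eventType || eventType.teamId !== input.teamId) {
    throw new Error("Event type does not belong to this team");
  }
  return findAcceptedMemberUserIds(input.userIds, input.teamId);
}
```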

@graphite-app graphite-app bot requested a review from a team November 21, 2025 14:37
@keithwillcode keithwillcode added core area: core, team members only enterprise area: enterprise, audit log, organisation, SAML, SSO labels Nov 21, 2025
@vercel

vercel bot commented Nov 21, 2025

The latest updates on your projects.

2 Skipped Deployments
Project Deployment Preview Comments Updated (UTC)
cal Ignored Ignored Nov 21, 2025 2:44pm
cal-eu Ignored Ignored Nov 21, 2025 2:44pm

@github-actions github-actions bot marked this pull request as draft November 21, 2025 14:42
@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 3 files

<file name="packages/features/membership/repositories/MembershipRepository.ts">

<violation number="1" location="packages/features/membership/repositories/MembershipRepository.ts:144">
Limit this query to the fields actually consumed (e.g., userId) instead of returning full membership rows; otherwise Prisma fetches unnecessary, potentially sensitive columns.</violation>
</file>

@cubic-dev-ai cubic-dev-ai bot Nov 21, 2025

Limit this query to the fields actually consumed (e.g., userId) instead of returning full membership rows; otherwise Prisma fetches unnecessary, potentially sensitive columns.

<file context>
@@ -134,6 +134,22 @@ export class MembershipRepository {
+    userIds: number[];
+    teamId: number;
+  }) {
+    return prisma.membership.findMany({
+      where: {
+        userId: { in: userIds },
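Review bot: the `where` visible here constrains only `userId: { in: userIds }`; the teamId and accepted-membership conditions that the PR summary relies on to stop cross-team changes are outside the shown context, so confirm they are part of this same `where` (a `teamId` equality and `accepted: true`) rather than applied afterwards in application code, since this query's result is what narrows the caller's `userIds`. While here, add `select: { userId: true }` as the finding above recommends, so the query returns only the column the caller consumes instead of full membership rows.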
</file context>

@github-actions

E2E results are ready!

@joeauyeung joeauyeung merged commit dd7c553 into main Nov 21, 2025
42 checks passed
@joeauyeung joeauyeung deleted the remove-host-verify-ownership branch November 21, 2025 15:26