fix: final review — userResponse error handling and org-scoped access

edouard-mangel · claude · edouard-mangel · commit d806ff57e470 · 2026-03-29T10:05:19.000+02:00
- checkGitlabMemberPermissions: throw on non-ok userResponse (previously
  silently swallowed API failures for the username lookup)
- gitlab.one tRPC: relax ownership check to org-scoped only (remove userId
  constraint so all org members can access shared providers, consistent
  with how gitlabProviders filters results)
- Add test: userResponse 503 throws with clear error message

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/dokploy/__test__/utils/gitlab-preview-utils.test.ts b/apps/dokploy/__test__/utils/gitlab-preview-utils.test.ts
@@ -140,6 +140,21 @@ describe("checkGitlabMemberPermissions", () => {
 		expect(result).toEqual({ hasWriteAccess: false, accessLevel: null });
 	});
 
+	it("throws when the user lookup API call fails (non-ok response)", async () => {
+		vi.stubGlobal(
+			"fetch",
+			vi.fn().mockResolvedValueOnce({
+				ok: false,
+				status: 503,
+				statusText: "Service Unavailable",
+			}),
+		);
+
+		await expect(
+			checkGitlabMemberPermissions(FAKE_GITLAB_ID, 123, "anyuser"),
+		).rejects.toThrow("Failed to resolve GitLab user");
+	});
+
 	it("returns hasWriteAccess=false when the username lookup returns no users", async () => {
 		// GitLab /users?username=ghost returns [] when user does not exist
 		vi.stubGlobal(
diff --git a/apps/dokploy/server/api/routers/gitlab.ts b/apps/dokploy/server/api/routers/gitlab.ts
@@ -55,9 +55,7 @@ export const gitlabRouter = createTRPCRouter({
 		.query(async ({ input, ctx }) => {
 			const result = await findGitlabById(input.gitlabId);
 			if (
-				result.gitProvider.organizationId !==
-					ctx.session.activeOrganizationId ||
-				result.gitProvider.userId !== ctx.session.userId
+				result.gitProvider.organizationId !== ctx.session.activeOrganizationId
 			) {
 				throw new TRPCError({ code: "FORBIDDEN", message: "Access denied" });
 			}
diff --git a/packages/server/src/utils/providers/gitlab.ts b/packages/server/src/utils/providers/gitlab.ts
@@ -275,6 +275,13 @@ export const checkGitlabMemberPermissions = async (
 		`${baseUrl}/api/v4/users?username=${encodeURIComponent(username)}`,
 		{ headers: { Authorization: `Bearer ${gitlabProvider.accessToken}` } },
 	);
+
+	if (!userResponse.ok) {
+		throw new Error(
+			`Failed to resolve GitLab user: ${userResponse.statusText}`,
+		);
+	}
+
 	const users = await userResponse.json();
 	const userId = users[0]?.id;
 
