
fix: resolve CodeRabbit PR #328 review findings #331

Merged. parth0025 merged 2 commits into staging from fix/dashboard-caller-scope-v14.8.0 on Jul 3, 2026.

Conversation

@parth0025 (Collaborator)
Summary

Fixes the actionable findings CodeRabbit raised on the promotion PR #328. Merge this into staging first, then re-sync #328 so the promotion carries the fixes — the security items should land before staging→main.

Fixed

  • 🔴 Critical (Security) — forgeable role/user. The dashboard endpoints scoped data visibility from client-supplied callerRoleType/callerUserId, so a non-admin could POST callerRoleType: 1 and read every user's workload/time data. Now the caller is derived from the authenticated session (req.uid) and the role is resolved server-side from company_users (fail-closed to the most-restricted role). Applied to employee-workload, team-tasktype-breakdown, team-logged-vs-eta, project-metrics, and on-leave.
  • 🟠 Stale Vuex getter (reactivity): FreeResourcesCard + TeamCategoryBreakdownCard now read settings/teams fresh inside load() instead of capturing it once at setup.
  • 🟡 FreeResourcesCard — an explicit freeThresholdHours: 0 is now honored (was falsy-coerced to the default 3).
  • 🔒 Mail transport (Security): service.js now validates TLS certificates by default across all three mail paths; self-signed requires an explicit NODEMAILER_ALLOW_SELF_SIGNED=true opt-in (was a hardcoded rejectUnauthorized:false → MITM exposure). Also returns err.message (not the raw Error, which serialized to {}) and fixes an error.messge typo.
  • 📝 Corrected the boot-integrity expected card count in the AHE-3789 test case (24 → 31, the actual count).

Deferred (needs a decision — not a blocker)

  • Week-range consistency (ProjectResourceCard vs ProjectPulseCard) — Sunday-based vs Monday-based windows for the same filter. Unifying requires deciding the canonical week start and touches the broadly-used getTimeRange / resolveIsoRange helpers, so it warrants cross-card testing rather than a rushed change inside a release promotion.
  • LiveWorkCard cardData/filters — CodeRabbit noted this was already addressed by later commits on chore: promote staging to main #328.

Verification

  • node --check on controller.js + service.js; eslint clean on the touched Vue components.

🤖 Generated with Claude Code
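The critical finding above is a classic authorization bug: the handler trusted a role and user id that the client put in the request body. The following is an added example, not the project's controller code, that puts the vulnerable scoping beside the hardened form the PR describes (caller taken from the authenticated session, role resolved server-side, fail-closed). Everything here is an assumption: the role numbering (`1` = admin, `3` = most restricted), the in-memory `companyUsers` map standing in for the `company_users` table, the sample `workloadRows`, and that an auth middleware has already set `req.uid`.

```javascript
// Added example (not the project's code): session-derived caller scope.
// Assumptions: roleType 1 is the admin role that may see every user's rows;
// roleType 3 is the most restricted role and is the fail-closed default;
// companyUsers is an in-memory stand-in for the company_users table;
// req.uid is populated by the authentication middleware.

const ROLE_ADMIN = 1;            // assumption
const ROLE_MOST_RESTRICTED = 3;  // assumption: used when the lookup fails

// Constructed sample of company_users: uid -> roleType
const companyUsers = new Map([
  ['u-admin', ROLE_ADMIN],
  ['u-alice', 3],
  ['u-bob', 3],
]);

// Constructed sample workload rows, one per user
const workloadRows = [
  { userId: 'u-alice', hours: 32 },
  { userId: 'u-bob', hours: 40 },
  { userId: 'u-admin', hours: 8 },
];

// BEFORE: visibility is decided by client-controlled body fields, so any
// authenticated member can send callerRoleType: 1 and receive every row.
function scopeFromBodyVulnerable(req) {
  const roleType = req.body.callerRoleType;
  const userId = req.body.callerUserId;
  return roleType === ROLE_ADMIN
    ? workloadRows
    : workloadRows.filter((r) => r.userId === userId);
}

// Server-side role resolution. Anything other than a known integer role
// (missing user, corrupt row) collapses to the most restricted role.
function resolveRoleType(uid) {
  const role = companyUsers.get(uid);
  return Number.isInteger(role) ? role : ROLE_MOST_RESTRICTED;
}

// AFTER: caller identity comes only from the session; body fields are ignored.
function scopeFromSession(req) {
  if (!req.uid) throw new Error('unauthenticated');
  const roleType = resolveRoleType(req.uid);
  return roleType === ROLE_ADMIN
    ? workloadRows
    : workloadRows.filter((r) => r.userId === req.uid);
}

// A member forging the admin role in the body: the old scoping returns all
// three rows, the new scoping returns only the member's own row.
const forgedRequest = {
  uid: 'u-bob',
  body: { callerRoleType: 1, callerUserId: 'u-bob' },
};
```

The point worth carrying into review checklists: any value that selects *whose* data a handler returns must be derived from the verified session and a server-side lookup, never from the request body, and the lookup's failure path should return the least privilege rather than undefined.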

parth0025 and others added 2 commits July 3, 2026 18:12
- SECURITY (critical): dashboard endpoints scoped data visibility from
  client-supplied callerRoleType/callerUserId — a forged callerRoleType 1/2
  could read every user's workload/time data. Now derive the caller from the
  authenticated session (req.uid) and resolve roleType server-side from
  company_users; body values are ignored. Applied to employee-workload,
  team-tasktype-breakdown, team-logged-vs-eta, project-metrics, on-leave.
- FreeResourcesCard/TeamCategoryBreakdownCard: read settings/teams fresh in
  load() instead of capturing the getter once at setup (went stale on late
  store load).
- FreeResourcesCard: treat an explicit freeThresholdHours 0 as valid (was
  falsy-coerced to the default 3).
- docs: correct the boot-integrity expected card count (24 -> 31).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…328)

- Security: TLS certificate validation is now ON by default across all three
  mail paths; self-signed certs require an explicit NODEMAILER_ALLOW_SELF_SIGNED
  opt-in (was a hardcoded rejectUnauthorized:false → MITM exposure).
- Return err.message instead of the raw Error object (which serialized to {})
  in the send callbacks, so the failure reason reaches the caller.
- Fix the error.messge typo that logged undefined.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
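The second commit covers two smaller points that are easy to get wrong: making certificate validation the default with an explicit environment opt-out, and returning a failure reason that survives serialization. The block below is an added example, not the project's service.js; it assumes the transport is nodemailer (whose transport options accept `tls: { rejectUnauthorized }`), takes `env` as a parameter so it can be exercised without touching `process.env`, and uses constructed inputs throughout.

```javascript
// Added example (not the project's service.js).
// Assumptions: nodemailer transport options with a `tls.rejectUnauthorized`
// flag; the env var name NODEMAILER_ALLOW_SELF_SIGNED comes from the PR text.

// Build transport options with certificate validation ON unless the operator
// has set the opt-in to the literal string "true". Any other value ("1",
// "yes", "", undefined) keeps validation on, so a typo cannot weaken TLS.
function buildTransportOptions(baseOptions, env = process.env) {
  const allowSelfSigned = env.NODEMAILER_ALLOW_SELF_SIGNED === 'true';
  return {
    ...baseOptions,
    tls: { ...(baseOptions.tls || {}), rejectUnauthorized: !allowSelfSigned },
  };
}

// Error objects serialize to "{}" because `message` and `stack` are
// non-enumerable, so a send callback that hands back the raw Error loses the
// reason once it crosses a JSON boundary. Return the message instead.
function sendResult(err, info) {
  if (err) {
    return { ok: false, error: err.message || String(err) };
  }
  return { ok: true, messageId: info && info.messageId };
}

// Constructed inputs for a stand-alone run
const hardened = buildTransportOptions(
  { host: 'smtp.example.test', port: 587 },   // constructed
  {}                                           // no opt-in present
);
const optedOut = buildTransportOptions(
  { host: 'smtp.example.test', port: 587 },
  { NODEMAILER_ALLOW_SELF_SIGNED: 'true' }
);
```

The design choice to compare against the exact string `'true'` (rather than any truthy value) is deliberate: environment variables are always strings, and a loose check would turn `NODEMAILER_ALLOW_SELF_SIGNED=false` into an opt-out.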
@coderabbitai (Bot) commented Jul 3, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6d9b13c6-506b-42fc-bdc7-6364dcb8a29a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@parth0025 parth0025 merged commit 00b5622 into staging Jul 3, 2026
4 checks passed