fix: include pending-invite users in IAM user list

Ronald A Richardson · Ronald A Richardson · commit 0d4320ce17ab · 2026-04-21T01:18:00.000-04:00
The UserFilter::queryForInternal() was scoped exclusively to users with
a CompanyUser row for the current company. Newly invited users have no
CompanyUser record until they accept their invite, so they were invisible
in the IAM list.

The fix adds an orWhereExists() subquery that also matches users whose
email address appears in the recipients JSON column of a non-deleted
join_company invite for the current company. This covers both the
brand-new pending user path and the cross-org invite path.

JSON_CONTAINS(invites.recipients, JSON_QUOTE(users.email)) is used
instead of whereHas() because the invites table has no user_uuid column;
the user is identified solely by their email in the recipients array.
diff --git a/src/Http/Filter/UserFilter.php b/src/Http/Filter/UserFilter.php
@@ -6,15 +6,29 @@ class UserFilter extends Filter
 {
     public function queryForInternal()
     {
+        $companyUuid = $this->session->get('company');
+
         $this->builder->where(
-            function ($query) {
-                $query
-                    ->whereHas(
-                        'companyUsers',
-                        function ($query) {
-                            $query->where('company_uuid', $this->session->get('company'));
-                        }
-                    );
+            function ($query) use ($companyUuid) {
+                // Include users who are already members of the company.
+                $query->whereHas(
+                    'companyUsers',
+                    function ($q) use ($companyUuid) {
+                        $q->where('company_uuid', $companyUuid);
+                    }
+                )
+                // Also include users who have a pending invite to join the company
+                // but have not yet accepted (no CompanyUser row exists yet).
+                // The invites table has no user_uuid; the link is via the user's
+                // email stored in the JSON recipients column.
+                ->orWhereExists(function ($q) use ($companyUuid) {
+                    $q->selectRaw(1)
+                      ->from('invites')
+                      ->whereRaw('JSON_CONTAINS(invites.recipients, JSON_QUOTE(users.email))')
+                      ->where('invites.company_uuid', $companyUuid)
+                      ->where('invites.reason', 'join_company')
+                      ->whereNull('invites.deleted_at');
+                });
             }
         );
     }
