fix(organizations): address CodeRabbit review comments

PierreBrisorgueil · PierreBrisorgueil · commit 9b1af95fc0bb · 2026-03-15T09:10:02.000+01:00
- SKILL.md: comment out raw API commands in 6b (source of truth is monitoring.md) - SKILL.md: resolve upstream default branch dynamically instead of hardcoding master - SKILL.md: use explicit base branch for rebase instead of origin/HEAD - Controller: fix JSDoc @returns to Promise<void> for all async handlers - Repository: fix JSDoc @returns to Promise<Object|null> for get() - Repository: throw on missing filter in deleteMany instead of silent undefined - Service: parallelize user org reassignment with Promise.all in remove() - Service: remove redundant userDoc fetch in acceptInvite, reuse existing user - Tests: add non-owner access denial test for pending requests endpoint
diff --git a/.claude/skills/pull-request/SKILL.md b/.claude/skills/pull-request/SKILL.md
@@ -153,13 +153,14 @@ If `no checks reported`, retry up to 5 times (30s apart). If still no checks aft
 
 Grace period: `sleep 180`. If 0 bot comments after 3 min, wait 2 more min.
 
-Read **only unresolved threads** (resolved = ignored). See `references/monitoring.md` for exact commands.
+Read **only unresolved threads** (resolved = ignored). Use `references/monitoring.md` as source of truth.
 
 ```bash
-gh pr view $PR --json reviews,comments
-gh api repos/$OWNER/$REPO/pulls/$PR/comments --paginate | jq 'map({id, user: .user.login, body})'
-gh api repos/$OWNER/$REPO/issues/$PR/comments --paginate | jq 'map({id, user: .user.login, body})'
-# Unresolved threads → see references/monitoring.md
+# Optional context only (do not drive action from these):
+# gh pr view $PR --json reviews,comments
+# gh api repos/$OWNER/$REPO/pulls/$PR/comments --paginate | jq 'map({id, user: .user.login, body})'
+# gh api repos/$OWNER/$REPO/issues/$PR/comments --paginate | jq 'map({id, user: .user.login, body})'
+# Action source of truth: unresolved threads query in references/monitoring.md
 ```
 
 **Actionable** (must fix): change requests, bug reports, missing tests, security issues, code suggestions.
@@ -174,9 +175,11 @@ For each actionable comment, check if the file exists unmodified in upstream:
 
 ```bash
 STACK_REPO=$(git remote get-url devkit-node 2>/dev/null | sed 's|.*github.com[:/]||;s|\.git$||')
-git fetch devkit-node master --quiet 2>/dev/null
+STACK_DEFAULT_BRANCH=$(git remote show devkit-node 2>/dev/null | sed -n '/HEAD branch/s/.*: //p')
+git fetch devkit-node "$STACK_DEFAULT_BRANCH" --quiet 2>/dev/null
 # STACK if exists in upstream AND no local diff; else DOWNSTREAM
-git cat-file -e devkit-node/master:<file-path> 2>/dev/null && git diff --quiet devkit-node/master -- <file-path> 2>/dev/null
+git cat-file -e "devkit-node/$STACK_DEFAULT_BRANCH:<file-path>" 2>/dev/null && \
+  git diff --quiet "devkit-node/$STACK_DEFAULT_BRANCH" -- <file-path> 2>/dev/null
 ```
 
 - **Stack-level** → create issue on stack repo with review comment details, reply with issue link, resolve thread. If `gh issue create` fails, fix locally instead.
@@ -235,7 +238,8 @@ REPEAT:
 ## 8. Conflict resolution
 
 ```bash
-git fetch origin && git rebase origin/HEAD
+BASE_BRANCH=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')
+git fetch origin "$BASE_BRANCH" && git rebase "origin/$BASE_BRANCH"
 # Resolve conflicts, then: git add <files> && git rebase --continue
 git push --force-with-lease origin HEAD
 ```
diff --git a/modules/organizations/controllers/organizations.membershipRequest.controller.js b/modules/organizations/controllers/organizations.membershipRequest.controller.js
@@ -10,7 +10,7 @@ import MembershipService from '../services/organizations.membership.service.js';
  * @description Endpoint to create a pending membership (join request) for an organization.
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const create = async (req, res) => {
   try {
@@ -29,7 +29,7 @@ const create = async (req, res) => {
  * @description Endpoint to list pending join requests for an organization (owner/admin).
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const listPending = async (req, res) => {
   try {
@@ -67,7 +67,7 @@ const approve = async (req, res) => {
  * @description Endpoint to reject a pending membership request.
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const reject = async (req, res) => {
   try {
@@ -83,7 +83,7 @@ const reject = async (req, res) => {
  * @description Endpoint to list the authenticated user's own pending requests.
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const listMine = async (req, res) => {
   try {
@@ -99,7 +99,7 @@ const listMine = async (req, res) => {
  * @description Endpoint to invite a user to an organization by email.
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const invite = async (req, res) => {
   try {
@@ -121,7 +121,7 @@ const invite = async (req, res) => {
  * @description Endpoint to accept an organization invite by token.
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const acceptInvite = async (req, res) => {
   try {
@@ -138,7 +138,7 @@ const acceptInvite = async (req, res) => {
  * @description Endpoint to get invite details by token.
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const getInvite = async (req, res) => {
   try {
@@ -158,7 +158,7 @@ const getInvite = async (req, res) => {
  * @param {Object} res - Express response object
  * @param {Function} next - Express next middleware function
  * @param {String} id - The membership request ID
- * @returns {void}
+ * @returns {Promise<void>}
  */
 const requestByID = async (req, res, next, id) => {
   try {
diff --git a/modules/organizations/repositories/organizations.membership.repository.js b/modules/organizations/repositories/organizations.membership.repository.js
@@ -40,7 +40,7 @@ const create = (membership) => new Membership(membership).save().then((doc) => d
  * @function get
  * @description Data access operation to fetch a single membership by its ID.
  * @param {String} id - The ID of the membership to fetch.
- * @returns {Object|null} The retrieved membership or null if the ID is not valid.
+ * @returns {Promise<Object|null>} The retrieved membership or null if the ID is not valid.
  */
 const get = (id) => {
   if (!mongoose.Types.ObjectId.isValid(id)) return null;
@@ -86,7 +86,8 @@ const count = (filter) => Membership.countDocuments(filter).exec();
  * @returns {Promise<Object>} A confirmation of the deletion.
  */
 const deleteMany = (filter) => {
-  if (filter) return Membership.deleteMany(filter).exec();
+  if (!filter) throw new Error('deleteMany requires a filter');
+  return Membership.deleteMany(filter).exec();
 };
 
 /**
diff --git a/modules/organizations/services/organizations.crud.service.js b/modules/organizations/services/organizations.crud.service.js
@@ -167,13 +167,13 @@ const remove = async (organization) => {
   await MembershipRepository.deleteMany({ organizationId: orgId });
 
   // For each affected user, switch to their next available org or set null
-  for (const u of affectedUsers) {
+  await Promise.all(affectedUsers.map(async (u) => {
     const remaining = await MembershipRepository.list({ userId: u._id, status: 'active' });
     const nextOrg = remaining.length > 0
       ? (remaining[0].organizationId._id || remaining[0].organizationId)
       : null;
     await UserService.updateById(u._id, { currentOrganization: nextOrg });
-  }
+  }));
 
   // Delete all tasks belonging to this organization (Task module may not exist in all projects)
   try {
diff --git a/modules/organizations/services/organizations.membership.service.js b/modules/organizations/services/organizations.membership.service.js
@@ -355,9 +355,8 @@ const acceptInvite = async (token, userId) => {
   membership.inviteToken = null;
   const result = await MembershipRepository.update(membership);
 
-  const userDoc = await UserService.getBrut({ id: String(userId) });
-  if (userDoc && !userDoc.currentOrganization) {
-    await UserService.updateById(userDoc._id, {
+  if (user && !user.currentOrganization) {
+    await UserService.updateById(user._id, {
       currentOrganization: membership.organizationId._id || membership.organizationId,
     });
   }
diff --git a/modules/organizations/tests/organizations.domainJoin.e2e.tests.js b/modules/organizations/tests/organizations.domainJoin.e2e.tests.js
@@ -181,6 +181,20 @@ describe('Organizations domain join E2E tests:', () => {
         expect(err).toBeFalsy();
       }
     });
+
+    test('member cannot list pending requests — returns empty array — 200', async () => {
+      try {
+        const result = await agentMember
+          .get(`/api/organizations/${org._id}/requests`)
+          .expect(200);
+
+        expect(result.body.data).toBeInstanceOf(Array);
+        expect(result.body.data).toHaveLength(0);
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+    });
   });
 
   // Mongoose disconnect
