Sb direct reports#130
Conversation
There was a problem hiding this comment.
Pull request overview
Adds support for displaying a separated employee’s current direct reports on the separation detail page (Issue #127) by allowing direct-report lookup for an arbitrary IAM ID (instead of only the current user).
Changes:
- Extend
EmployeeService.getDirectReports/EmployeeModel.getDirectReportsto accept an optionaliamId. - Add a “Current Direct Reports” panel to the separation single page and fetch direct reports for the separation request’s
iamId. - Update
/api/employees/direct-reportsto optionally acceptiamIdvia query string.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| services/lib/cork/services/EmployeeService.js | Adds optional iamId support to direct reports fetch (but currently needs cache-key fix). |
| services/lib/cork/models/EmployeeModel.js | Plumbs optional iamId parameter through to the service and updates JSDoc (currently inaccurate). |
| services/app/client/src/elements/pages/ucdlib-iam-page-separation-single.tpl.js | Adds “Current Direct Reports” panel (currently has mismatched closing tag and overly broad hide condition). |
| services/app/client/src/elements/pages/ucdlib-iam-page-separation-single.js | Fetches direct reports for separated employee (currently skips too broadly based on removedFromSystems). |
| services/app/api/employees.js | Accepts optional iamId query param (currently needs authorization guard when requesting other users). |
Comments suppressed due to low confidence (1)
services/lib/cork/services/EmployeeService.js:20
getDirectReportsnow accepts aniamId, but the store cache key is still a constant ('directReports'). If this method is called for differentiamIdvalues (e.g. separation page vs permissions page), the results will overwrite each other and callers can receive another employee’s cached direct reports.
async getDirectReports(iamId=''){
const store = this.store.data.directReports;
const id = 'directReports';
await this.checkRequesting(
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| }); | ||
| } | ||
|
|
||
| const iamId = queryIamId || tokenIamId; |
There was a problem hiding this comment.
Copilot was right in its assessment that this is a security hole. If a user passes up an iamId, you have to check they have the correct privs to be able to do this.
| () => this.request({ | ||
| url : `${this.baseUrl}/direct-reports`, | ||
| qs: { iamId }, | ||
| checkCached : () => store.get(id), |
There was a problem hiding this comment.
bug here. as you have it here, your checkCached function will always only return the response to the first call, regardless of the queried user.
issue #127