fix(device-agent): unbrick stuck installs (auto-update + legacy session)
#2690)

* fix(sync): validate employee.role against known roles before persisting

The generic employee sync service wrote employee.role straight into member.role with no validation. A misconfigured DSL (notably the Microsoft sync, which mapped Entra Graph's jobTitle into role) could plant strings like "Senior Front End Engineer" in member.role with no matching organization_role row. The Roles page correctly showed nothing for these "limbo" roles, but the People list rendered them as Badges (getRoleLabel falls back to title-case for unknown roles), and any RBAC check against them silently denied permissions because the value matched neither a built-in role nor a custom role.

Sanitize employee.role before insert: each comma-separated token must be either a built-in role (BUILT_IN_ROLE_PERMISSIONS) or an existing organization_role.name in the same org. Unknown tokens are dropped; if every token is invalid (or role is empty), fall back to defaultRole. Log a warning when this happens so a misconfigured DSL is visible in sync logs instead of silently corrupting data.

Note: this is a forward fix only. Customers with already-polluted member.role values need a one-time data scrub plus a fix to their DynamicIntegration.syncDefinition JSON in the database (separate operations on the DB side, not in this PR).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(sync): self-heal existing members' limbo roles on re-sync

The previous commit guarded *new* member creation against unknown role strings. This extends the same sanitizer to *existing* members the sync re-encounters, so customers who already have polluted member.role values get cleaned up automatically the next time they import — no manual DB scrub required.

The heal is conservative: it only ever shrinks the role string (drops unknown tokens, falls back to defaultRole if every token is invalid). It never overwrites a member's currently-valid role with whatever the provider sent, so a manually-assigned admin won't get downgraded by a DSL still mis-mapping jobTitle. Both the "already a member" and the "reactivate" paths heal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
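The sanitizer and the conservative self-heal described in the commit message above, written out as an added example. This is not the project's own code: the names OrgRole, BUILT_IN_ROLES, sanitizeRole and healExistingRole are assumptions, as is the constructed role list (the real project keys BUILT_IN_ROLE_PERMISSIONS by role name and reads organization_role rows from the database).

```typescript
// Added example, not the project's own code. Models the behaviour described in
// the commit message: validate a comma-separated role string against built-in
// roles plus the org's custom roles, drop unknown tokens, fall back to
// defaultRole when nothing survives, and warn so a mis-mapped DSL is visible.

export interface OrgRole {
  name: string; // organization_role.name, scoped to one org (assumed shape)
}

export interface SanitizeResult {
  role: string;      // value that is safe to persist into member.role
  dropped: string[]; // tokens rejected because they matched no known role
  fellBack: boolean; // true when no token survived and defaultRole was used
}

// Assumed built-in role names, constructed for this example.
export const BUILT_IN_ROLES: ReadonlySet<string> = new Set(["owner", "admin", "member"]);

export function sanitizeRole(
  incoming: string | null | undefined,
  orgRoles: readonly OrgRole[],
  defaultRole: string,
  warn: (msg: string) => void = (msg) => console.warn(msg),
): SanitizeResult {
  // Known roles: built-ins plus custom roles that exist in this org.
  const known = new Set<string>(BUILT_IN_ROLES);
  for (const r of orgRoles) known.add(r.name);

  const kept: string[] = [];
  const dropped: string[] = [];
  for (const raw of (incoming ?? "").split(",")) {
    const token = raw.trim();
    if (token === "") continue; // empty role or stray comma
    if (!known.has(token)) {
      dropped.push(token); // e.g. a jobTitle such as "Senior Front End Engineer"
    } else if (!kept.includes(token)) {
      kept.push(token); // de-duplicate while preserving order
    }
  }

  const fellBack = kept.length === 0;
  const role = fellBack ? defaultRole : kept.join(",");

  // Surface the problem in sync logs instead of silently persisting a limbo role.
  if (dropped.length > 0 || fellBack) {
    const parts = [`sync: role value ${JSON.stringify(incoming ?? "")}`];
    if (dropped.length > 0) parts.push(`dropped unknown token(s): ${dropped.join(", ")}`);
    if (fellBack) parts.push(`no valid token, falling back to "${defaultRole}"`);
    warn(parts.join("; "));
  }
  return { role, dropped, fellBack };
}

// Self-heal an existing member on re-sync or reactivation. The provider's value
// is deliberately not consulted: the heal only ever shrinks the member's current
// role string, so a manually assigned admin is never downgraded by a DSL that
// still maps jobTitle into role.
export function healExistingRole(
  currentRole: string,
  orgRoles: readonly OrgRole[],
  defaultRole: string,
  warn?: (msg: string) => void,
): { role: string; changed: boolean } {
  const result = sanitizeRole(currentRole, orgRoles, defaultRole, warn);
  return { role: result.role, changed: result.dropped.length > 0 || result.fellBack };
}

// Constructed sample: an org with one custom role and a DSL that mis-mapped jobTitle.
const sampleOrgRoles: OrgRole[] = [{ name: "engineer" }];
console.log(sanitizeRole("Senior Front End Engineer", sampleOrgRoles, "member"));
console.log(healExistingRole("admin,Senior Front End Engineer", sampleOrgRoles, "member"));
```

The heal intentionally takes only the stored role, not the incoming employee.role, which is what makes it safe to run on every re-sync: a valid stored value is returned unchanged, and an invalid one can only lose tokens or drop to defaultRole.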
🎉 This PR is included in version 3.34.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Fixes device-agent installs getting stuck by redirecting binary updates to presigned S3 URLs and adding a legacy session alias. Also hardens employee sync by validating roles and auto-healing bad role values.
- .zip, .exe, .dmg, .AppImage, .blockmap); streams .yml manifests with cache.HeadObject for binary checks; returns metadata for manifests; forces Cache-Control: no-store on redirects.
- redirect: 'manual' and forwards 3xx so clients download from S3 directly (avoids function timeouts).
- /api/auth/get-session alias in the portal that proxies to the API and preserves Set-Cookie.
- NoSuchKey to 404; adds unit tests for controller/service.
- employee.role against built-in and org roles; drops unknown tokens and falls back to defaultRole; self-heals existing members on re-sync/reactivation; adds tests.

Written for commit 382f619. Summary will update on new commits.