Code Review Bench PR #26644 - feat: api v2 team invite link endpoint #6
ketkarameya wants to merge 2 commits into base_pr_26644_20260125_2973 from
| @ApiHeader(API_KEY_HEADER) | ||
| export class TeamsInviteController { | ||
| @Post("/invite") | ||
| @Roles("TEAM_MEMBER") |
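Review bot: the visible decorators on this route are `@ApiHeader(API_KEY_HEADER)` and `@Roles("TEAM_MEMBER")` only, so confirm that RolesGuard is actually bound to this controller (via `@UseGuards` or a global guard); `@Roles` on its own is metadata and enforces nothing. While doing so, use `@Roles("TEAM_ADMIN")` rather than `@Roles("TEAM_MEMBER")`: TEAM_MEMBER is the lowest entry in the role list, so naming it as the minimum admits every member of the team, which contradicts the admin-only intent stated in the PR summary.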
🚨 Bug: Role guard uses TEAM_MEMBER instead of TEAM_ADMIN
The controller uses @Roles("TEAM_MEMBER") which is the lowest role level in the hierarchy (TEAM_ROLES = [TEAM_OWNER, TEAM_ADMIN, TEAM_MEMBER]). The hasMinimumRole function in roles.guard.ts checks checkedRoleIndex <= requiredRoleIndex, meaning TEAM_MEMBER at index 2 allows any team member (OWNER, ADMIN, or MEMBER) to access this endpoint.
However, the intent (per PR description) is to restrict invite link creation to team administrators only. The E2E test also explicitly verifies that a non-admin MEMBER receives a 403 Forbidden response, which will fail with the current TEAM_MEMBER role since it permits all members.
This should be @Roles("TEAM_ADMIN") to match the intended authorization requirement and pass the E2E tests.
| @Roles("TEAM_MEMBER") | |
| @Roles("TEAM_ADMIN") |
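The review above explains the minimum-role check (`checkedRoleIndex <= requiredRoleIndex` over `TEAM_ROLES = [TEAM_OWNER, TEAM_ADMIN, TEAM_MEMBER]`). The following is an added example, not code from the calcom repository, that models that check in isolation to show why `@Roles("TEAM_MEMBER")` admits everyone while `@Roles("TEAM_ADMIN")` gives the 403 the E2E test expects; the function signatures and the `guardDecision` helper are assumptions.

```typescript
// Added example (not the project's code): a minimal model of the role check
// described in the review. The role ordering and the `<=` index comparison
// come from the review comment; the signatures below are assumptions.
type TeamRole = "TEAM_OWNER" | "TEAM_ADMIN" | "TEAM_MEMBER";

// Ordered from most to least privileged, as in the review comment.
const TEAM_ROLES: readonly TeamRole[] = ["TEAM_OWNER", "TEAM_ADMIN", "TEAM_MEMBER"];

// A caller passes when its role sits at or above the required role in the list
// (a smaller index means more privilege).
function hasMinimumRole(checkedRole: TeamRole, requiredRole: TeamRole): boolean {
  const checkedRoleIndex = TEAM_ROLES.indexOf(checkedRole);
  const requiredRoleIndex = TEAM_ROLES.indexOf(requiredRole);
  // Unknown roles never pass; fail closed rather than open.
  if (checkedRoleIndex === -1 || requiredRoleIndex === -1) return false;
  return checkedRoleIndex <= requiredRoleIndex;
}

// Which roles a given @Roles(...) setting lets through.
function rolesAllowedBy(requiredRole: TeamRole): TeamRole[] {
  return TEAM_ROLES.filter((role) => hasMinimumRole(role, requiredRole));
}

// Assumed helper mirroring the guard's outcome for one request: the status a
// caller with `callerRole` gets on a route decorated with @Roles(requiredRole).
function guardDecision(requiredRole: TeamRole, callerRole: TeamRole): 200 | 403 {
  return hasMinimumRole(callerRole, requiredRole) ? 200 : 403;
}

// Constructed scenario from the E2E test described in the review: a plain
// MEMBER calling POST /invite must be refused.
function memberCallingInvite(requiredRole: TeamRole): 200 | 403 {
  return guardDecision(requiredRole, "TEAM_MEMBER");
}
```

With the route as submitted (`TEAM_MEMBER`) the member gets 200; with the suggested `TEAM_ADMIN` the member gets 403 and owners and admins still pass.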
| return { | ||
| token, | ||
| token: newToken.identifier, |
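Review bot: at `token: newToken.identifier,` the response field and the URL built by buildInviteLink no longer come from the same value, since the link still uses the local `token` variable. Keeping the shorthand `token,` that this hunk removes (or returning `newToken.token`) guarantees the two stay consistent by construction; the identifier is a descriptive label, not the secret the link carries.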
🚨 Bug: Token field returns identifier string instead of actual token
At line 99, the returned token field is set to newToken.identifier, which is the descriptive string "invite-link-for-teamId-{teamId}" — not the actual cryptographic token. Meanwhile, buildInviteLink on line 100 correctly uses the token variable (the random hex string) to construct the URL.
This causes two problems:
- API response contains wrong value: Consumers receive "invite-link-for-teamId-123" as the token instead of the actual crypto hex token.
- E2E test will fail: The test asserts `expect(response.body.data.inviteLink).toContain(response.body.data.token)` — the identifier string won't appear in the invite URL, so this assertion fails.
The fix should return the actual token (the random hex), or equivalently newToken.token, since that's what is embedded in the invite link URL.
| token: newToken.identifier, | |
| token: newToken.token, |
Code Review 🚫 Blocked · 0 resolved / 3 findings
- 🚨 Bug: Role guard uses TEAM_MEMBER instead of TEAM_ADMIN (📄 apps/api/v2/src/modules/teams/invite/controllers/teams-invite.controller.ts:32)
- 🚨 Bug: Token field returns identifier string instead of actual token (📄 packages/features/ee/teams/services/teamService.ts:99)
- 💡 Quality: Unused
Code Review Bench PR calcom#26644 - feat: api v2 team invite link endpoint
Benchmark PR for Gitar evaluation
Original PR: agentic-review-benchmarks#6
feat: api v2 team invite link endpoint
Summary by Gitar
- POST /v2/teams/{teamId}/invite generates unique team invitation links with token and shareable URL
- TeamsInviteModule with TeamsInviteController and DTOs following NestJS patterns
- RolesGuard for invitation creation
- TeamService.createInvite (was returning identifier, now returns token)
- buildInviteLink method for org context detection