fix: members page with member:modify (#6561)

Author: n1ru4l

integration-tests/tests/api/oidc-integrations/crud.spec.ts

@@ -933,3 +933,54 @@ describe('restrictions', () => {
     },
   );
 });
+
+test.concurrent(
+  'Organization.oidcIntegration resolves to null without error if user does not have oidc:modify permission',
+  async ({ expect }) => {
+    const seed = initSeed();
+    const { createOrg, ownerToken } = await seed.createOwner();
+    const { organization, inviteAndJoinMember } = await createOrg();
+    const { createMemberRole, assignMemberRole, updateMemberRole, memberToken, member } =
+      await inviteAndJoinMember();
+
+    await execute({
+      document: CreateOIDCIntegrationMutation,
+      variables: {
+        input: {
+          organizationId: organization.id,
+          clientId: 'aaaa',
+          clientSecret: 'aaaaaaaaaaaa',
+          tokenEndpoint: 'http://localhost:8888/aaaa/token',
+          userinfoEndpoint: 'http://localhost:8888/aaaa/userinfo',
+          authorizationEndpoint: 'http://localhost:8888/aaaa/authorize',
+        },
+      },
+      authToken: ownerToken,
+    }).then(r => r.expectNoGraphQLErrors());
+
+    const role = await createMemberRole([]);
+    await assignMemberRole({ roleId: role.id, userId: member.id });
+
+    let result = await execute({
+      document: OrganizationWithOIDCIntegration,
+      variables: {
+        organizationSlug: organization.slug,
+      },
+      authToken: memberToken,
+    }).then(r => r.expectNoGraphQLErrors());
+
+    expect(result.organization!.organization.oidcIntegration).toEqual(null);
+
+    await updateMemberRole(role, ['oidc:modify']);
+
+    result = await execute({
+      document: OrganizationWithOIDCIntegration,
+      variables: {
+        organizationSlug: organization.slug,
+      },
+      authToken: memberToken,
+    }).then(r => r.expectNoGraphQLErrors());
+
+    expect(result.organization!.organization.oidcIntegration).not.toEqual(null);
+  },
+);

integration-tests/tests/api/organization/members.spec.ts

@@ -1,3 +1,5 @@
+import { graphql } from 'testkit/gql';
+import { execute } from 'testkit/graphql';
 import { history } from '../../../testkit/emails';
 import { initSeed } from '../../../testkit/seed';
 
@@ -141,3 +143,53 @@ test.concurrent(
     expect(otherJoinResult.joinOrganization.__typename).toBe('OrganizationInvitationError');
   },
 );
+
+const OrganizationInvitationsQuery = graphql(`
+  query OrganizationInvitationsQuery($organizationSlug: String!) {
+    organization: organizationBySlug(organizationSlug: $organizationSlug) {
+      id
+      invitations {
+        total
+        nodes {
+          id
+        }
+      }
+    }
+  }
+`);
+
+test.concurrent(
+  'Organization.invitations resolves to null without error if user does not have member:modify permission',
+  async ({ expect }) => {
+    const seed = initSeed();
+    const { createOrg } = await seed.createOwner();
+    const { organization, inviteAndJoinMember } = await createOrg();
+    const { createMemberRole, assignMemberRole, updateMemberRole, memberToken, member } =
+      await inviteAndJoinMember();
+
+    const role = await createMemberRole([]);
+    await assignMemberRole({ roleId: role.id, userId: member.id });
+
+    let result = await execute({
+      document: OrganizationInvitationsQuery,
+      variables: {
+        organizationSlug: organization.slug,
+      },
+      authToken: memberToken,
+    }).then(r => r.expectNoGraphQLErrors());
+
+    expect(result.organization!.invitations).toEqual(null);
+
+    await updateMemberRole(role, ['member:modify']);
+
+    result = await execute({
+      document: OrganizationInvitationsQuery,
+      variables: {
+        organizationSlug: organization.slug,
+      },
+      authToken: memberToken,
+    }).then(r => r.expectNoGraphQLErrors());
+
+    expect(result.organization!.invitations).not.toEqual(null);
+  },
+);

packages/services/api/src/modules/oidc-integrations/providers/oidc-integrations.provider.ts

@@ -60,14 +60,18 @@ export class OIDCIntegrationsProvider {
       return null;
     }
 
-    await this.session.assertPerformAction({
+    const canPerformAction = await this.session.canPerformAction({
       organizationId: args.organizationId,
       action: 'oidc:modify',
       params: {
         organizationId: args.organizationId,
       },
     });
 
+    if (canPerformAction === false) {
+      return null;
+    }
+
     return await this.storage.getOIDCIntegrationForOrganization({
       organizationId: args.organizationId,
     });

packages/services/api/src/modules/organization/providers/organization-manager.ts

@@ -239,15 +239,19 @@ export class OrganizationManager {
 
   @cache((selector: OrganizationSelector) => selector.organizationId)
   async getInvitations(selector: OrganizationSelector) {
-    await this.session.assertPerformAction({
+    const canAccessInvitations = await this.session.canPerformAction({
       action: 'member:modify',
       organizationId: selector.organizationId,
       params: {
         organizationId: selector.organizationId,
       },
     });
 
-    return this.storage.getOrganizationInvitations(selector);
+    if (!canAccessInvitations) {
+      return null;
+    }
+
+    return await this.storage.getOrganizationInvitations(selector);
   }
 
   async getOrganizationOwner(selector: OrganizationSelector) {

packages/services/api/src/modules/organization/resolvers/Organization.ts

@@ -66,6 +66,10 @@ export const Organization: Pick<
       organizationId: organization.id,
     });
 
+    if (invitations === null) {
+      return null;
+    }
+
     return {
       total: invitations.length,
       nodes: invitations,