feat: provision, activate, and reclaim namespace member accounts#6626
Conversation
|
Claude finished @gustavosbarreto's task in 15m 31s —— View job Code Review CompleteReviewed 40 files across code quality, security, testing, language patterns, and architecture. 1 inline issue posted (1 critical). The bulk of the PR is well-built: the single-transaction provisioning, the one-time/24h Redis activation token, the nginx public/private split ( Additional notes (not tied to a single line)
To request another review round, comment |
Adding a member by an email with no account now provisions a not-confirmed account and its membership in one step, instead of failing with "user must already exist". The invitee completes the account through a one-time activation link (a set-password token in Redis, 24h TTL, single use), so an admin never handles a password. On self-hosted Enterprise a namespace admin who is not a system admin can provision too, but the account is created awaiting approval and stays inert until a system admin approves it. Only an admin can mint the activation link for an unapproved account; once approved, a namespace admin who manages the member can mint it too. Community keeps the "must already exist" behavior unless the capability is on. Removing the last membership of a bound single-namespace instance now deletes the orphaned member account.
|
/review |
83dfb56 to
0fd5b79
Compare
|
Claude finished @gustavosbarreto's task in 8m 53s —— View job Code Review CompleteReviewed 42 files across code quality, security, testing, language patterns, and architecture — no new issues found. The one material issue in this PR — the account-takeover on Notes from this round (context, not new findings):
To request another review round, comment |
|
/review |
Code Review CompleteThe automated review ran but did not post an updated summary — this usually means no new issues were found since the previous review. If you've pushed changes and want a fresh pass, comment |
Adding a member by an email that has no account used to fail with "user
must already exist", forcing that person to self-register before they
could be added. This adds the missing lane: the member is provisioned on
the spot.
Adding such a member now creates a not-confirmed account and its
namespace membership in a single transaction. The invitee finishes the
account through a one-time activation link (a set-password token in
Redis, 24h TTL, consumed on use), so an admin never sees or handles a
password.
On self-hosted Enterprise a namespace admin who is not a system admin can
provision too, but the account is created awaiting approval and stays
inert until a system admin approves it. Only a system admin can mint the
activation link for an unapproved account; once approved, a namespace
admin who manages the member can mint it as well. Community keeps the
"must already exist" behavior unless the capability is enabled.
Removing a member's last namespace membership on a bound single-namespace
instance now reclaims the orphaned account, since there it can neither
self-register nor own a namespace.
The approval side (the Enterprise capability toggle and the system-admin
approve endpoint) lands in shellhub-io/cloud.