Skip to content

feat: add new endpoint to retrieve member by external id #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
smarcet wants to merge 1 commit into
base: main
Choose a base branch
from
+154 −1
Open

feat: add new endpoint to retrieve member by external id #526

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions app/Http/Controllers/Apis/Protected/Main/OAuth2MembersApiController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -501,6 +501,50 @@ public function addMyAffiliation()
return $this->addAffiliation('me');
}

#[OA\Get(
path: '/api/v1/members/external/{external_id}',
operationId: 'getMemberByIdExternalId',
summary: 'Get member by external Id',
description: 'Returns a member profile by External Id',
tags: ['Members'],
x: [
'required-groups' => [
IGroup::SuperAdmins,
IGroup::Administrators,
IGroup::SummitAdministrators,
]
],
security: [['members_oauth2' => [
MemberScopes::ReadMemberData,
]]],
parameters: [
new OA\Parameter(name: 'external_id', in: 'path', required: true, description: 'Member External ID', schema: new OA\Schema(type: 'integer')),
new OA\Parameter(name: 'expand', in: 'query', required: false, description: 'Expand relationships', schema: new OA\Schema(type: 'string')),
],
responses: [
new OA\Response(
response: Response::HTTP_OK,
description: 'Successful operation',
content: new OA\JsonContent(ref: '#/components/schemas/Member')
),
new OA\Response(response: Response::HTTP_UNAUTHORIZED, description: 'Unauthorized'),
new OA\Response(response: Response::HTTP_NOT_FOUND, description: 'Member not found'),
]
)]
public function getMemberByIdExternalId($external_id){
return $this->processRequest(function() use($external_id){
$member = $this->repository->getByExternalId($external_id);
if(is_null($member))
throw new EntityNotFoundException("Member not found by external Id.");
return $this->ok(SerializerRegistry::getInstance()->getSerializer($member, SerializerRegistry::SerializerType_Private)->serialize
(
SerializerUtils::getExpand(),
SerializerUtils::getFields(),
SerializerUtils::getRelations()
));
Comment on lines +539 to +544
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Use admin/public serialization policy, not private serialization, for cross-member lookup.

This endpoint fetches another member record, but it currently serializes with SerializerType_Private (self-profile level). That is inconsistent with getById and can overexpose member fields.

Suggested change 
-            return $this->ok(SerializerRegistry::getInstance()->getSerializer($member, SerializerRegistry::SerializerType_Private)->serialize
+            return $this->ok(SerializerRegistry::getInstance()->getSerializer($member, SerializerRegistry::SerializerType_Admin)->serialize
             (
                 SerializerUtils::getExpand(),
                 SerializerUtils::getFields(),
                 SerializerUtils::getRelations()
             ));
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
return $this->ok(SerializerRegistry::getInstance()->getSerializer($member, SerializerRegistry::SerializerType_Private)->serialize
(
SerializerUtils::getExpand(),
SerializerUtils::getFields(),
SerializerUtils::getRelations()
));
return $this->ok(SerializerRegistry::getInstance()->getSerializer($member, SerializerRegistry::SerializerType_Admin)->serialize
(
SerializerUtils::getExpand(),
SerializerUtils::getFields(),
SerializerUtils::getRelations()
));
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@app/Http/Controllers/Apis/Protected/Main/OAuth2MembersApiController.php`
around lines 539 - 544, The code is serializing a fetched member with
SerializerRegistry::SerializerType_Private which exposes self-profile fields;
change the serializer to use the public/admin policy instead (e.g., replace
SerializerRegistry::SerializerType_Private with
SerializerRegistry::SerializerType_Public to match getById) in
OAuth2MembersApiController where getSerializer($member, ...) is called so
cross-member lookups don't use private serialization.

});
}

#[OA\Post(
path: '/api/v1/members/{member_id}/affiliations',
operationId: 'addMemberAffiliation',
Expand Down
94 changes: 94 additions & 0 deletions database/migrations/config/Version20260410172200.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
<?php namespace Database\Migrations\Config;
/**
* Copyright 2026 OpenStack Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/

use Doctrine\Migrations\AbstractMigration;
use Doctrine\DBAL\Schema\Schema;
use App\Security\MemberScopes;
use App\Models\Foundation\Main\IGroup;

/**
* Migration to seed the get-member-by-external-id endpoint.
*
* Adds:
* - 1 api_endpoints row (get-member-by-external-id)
* - 1 endpoint_api_scopes association (ReadMemberData)
* - 3 endpoint_api_authz_groups rows (super-admins, administrators, summit-front-end-administrators)
*
* All INSERTs are idempotent via WHERE NOT EXISTS.
*/
final class Version20260410172200 extends AbstractMigration
{
use APIEndpointsMigrationHelper;

private const API_NAME = 'members';
private const ENDPOINT_NAME = 'get-member-by-external-id';
private const ENDPOINT_ROUTE = '/api/v1/members/external/{external_id}';

public function getDescription(): string
{
return 'Seed get-member-by-external-id endpoint with scope and authz groups';
}

/**
* @param Schema $schema
*/
public function up(Schema $schema): void
{
$scope = MemberScopes::ReadMemberData;

// 1. Insert the endpoint
$this->addSql($this->insertEndpoint(
self::API_NAME,
self::ENDPOINT_NAME,
self::ENDPOINT_ROUTE,
'GET'
));

// 2. Insert endpoint_api_scopes association
$this->addSql($this->insertEndpointScope(self::API_NAME, self::ENDPOINT_NAME, $scope));

// 3. Insert endpoint_api_authz_groups
$authzGroups = [
IGroup::SuperAdmins,
IGroup::Administrators,
IGroup::SummitAdministrators,
];

foreach ($authzGroups as $groupSlug) {
$this->addSql($this->insertEndpointAuthzGroup(self::API_NAME, self::ENDPOINT_NAME, $groupSlug));
}
}

/**
* @param Schema $schema
*/
public function down(Schema $schema): void
{
$scope = MemberScopes::ReadMemberData;

// Reverse order: authz groups → endpoint scopes → endpoint
$authzGroups = [
IGroup::SuperAdmins,
IGroup::Administrators,
IGroup::SummitAdministrators,
];

foreach ($authzGroups as $groupSlug) {
$this->addSql($this->deleteEndpointAuthzGroup(self::API_NAME, self::ENDPOINT_NAME, $groupSlug));
}

$this->addSql($this->deleteScopesEndpoints(self::API_NAME, [$scope]));
$this->addSql($this->deleteEndpoint(self::API_NAME, self::ENDPOINT_NAME));
}
}
11 changes: 11 additions & 0 deletions database/seeders/ApiEndpointsSeeder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9410,6 +9410,17 @@ private function seedMemberEndpoints()
'http_method' => 'GET',
'scopes' => [MemberScopes::ReadMemberData],
],
[
'name' => 'get-member-by-external-id',
'route' => '/api/v1/members/external/{external_id}',
'http_method' => 'GET',
'scopes' => [MemberScopes::ReadMemberData],
'authz_groups' => [
IGroup::SuperAdmins,
IGroup::Administrators,
IGroup::SummitAdministrators,
]
],
[
'name' => 'get-my-member',
'route' => '/api/v1/members/me',
Expand Down
6 changes: 5 additions & 1 deletion routes/api_v1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,11 @@
// members
Route::group(['prefix' => 'members'], function () {
Route::get('', 'OAuth2MembersApiController@getAll');

Route::group(['prefix' => 'external'], function () {
Route::group(['prefix' => '{external_id}'], function () {
Route::get('', ['middleware' => 'auth.user', 'uses' => 'OAuth2MembersApiController@getMemberByIdExternalId']);
});
Comment on lines +27 to +30
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Constrain external_id to numeric values at the routing boundary.

{external_id} is currently unconstrained. Add a where clause so invalid path values are rejected before hitting the controller.

Suggested change 
-    Route::group(['prefix' => '{external_id}'], function () {
+    Route::group(['prefix' => '{external_id}', 'where' => ['external_id' => '[0-9]+']], function () {
         Route::get('',  ['middleware' => 'auth.user', 'uses' => 'OAuth2MembersApiController@getMemberByIdExternalId']);
     });
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Route::group(['prefix' => 'external'], function () {
Route::group(['prefix' => '{external_id}'], function () {
Route::get('', ['middleware' => 'auth.user', 'uses' => 'OAuth2MembersApiController@getMemberByIdExternalId']);
});
Route::group(['prefix' => 'external'], function () {
Route::group(['prefix' => '{external_id}', 'where' => ['external_id' => '[0-9]+']], function () {
Route::get('', ['middleware' => 'auth.user', 'uses' => 'OAuth2MembersApiController@getMemberByIdExternalId']);
});
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@routes/api_v1.php` around lines 27 - 30, The route parameter {external_id} is
unconstrained and should be limited to digits to reject invalid paths before
controller handling; update the routing to add a numeric where constraint (e.g.
apply where('external_id', '[0-9]+') either on the inner Route::group for the
'{external_id}' prefix or chain ->where(...) on the Route::get) so that
OAuth2MembersApiController@getMemberByIdExternalId only receives numeric
external_id values.

});
Route::group(['prefix' => 'me'], function () {
// get my member info
Route::get('', 'OAuth2MembersApiController@getMyMember');
Expand Down
Loading