
Fix public study room join validation and preserve private room access controls#707

Open

akashgoudsidduluri wants to merge 3 commits into durdana3105:main from akashgoudsidduluri:fix/issue-408-public-rooms-join-api

Conversation

@akashgoudsidduluri
Contributor

## PR Description

### Overview

This PR fixes an issue where authenticated users were incorrectly blocked from joining public study rooms through the API despite satisfying access requirements.

The update refactors join-room validation logic to correctly distinguish between public and private room workflows while preserving existing permission checks, room protections, and capacity validation behavior.

Fixes #663

### Problem

Public study rooms should allow authenticated users to join without invitation-based permissions. However, the existing validation flow applied restrictive permission checks too early or inconsistently, causing valid join attempts to fail.

This created unintended access denial for public rooms while affecting overall room usability.

### Changes Made

#### Join Room API Fixes

Updated the join-room workflow to:

- correctly allow access to public rooms
- preserve invitation/permission enforcement for private rooms
- ensure capacity validation still executes before membership creation
- prevent duplicate or invalid room membership states

#### Permission Logic Review

Reviewed and refined:

- visibility checks
- room access conditions
- membership creation flow
- authenticated user validation
- public vs private room branching logic

#### Workflow Improvements

Public room flow:

- authenticated users can join directly when capacity allows

Private room flow:

- invitation or authorized access still required
- unauthorized users remain blocked

### Tests Added

#### Regression Coverage

Added tests covering:

Public Room Access

- authenticated users can successfully join public rooms
- membership records are created correctly
- API responses return expected success states

Private Room Protection

- unauthorized users cannot join private rooms
- invitation/permission checks remain enforced

Capacity Validation

- room limits continue functioning correctly
- full rooms reject additional joins

### Validation

#### Automated Testing

Verified:

- public join workflow passes successfully
- private room restrictions remain intact
- room membership creation behaves correctly
- no regressions introduced in room management functionality

#### Manual Verification

Tested:

- joining public rooms via authenticated accounts
- joining private rooms with and without permissions
- capacity edge cases
- room membership persistence

### Impact

This PR restores expected accessibility for public study rooms while maintaining existing security and room management protections.

No unrelated business logic or database behavior was modified.

## Summary
Users were unable to join public study rooms through the API despite satisfying access requirements. This fix implements a secure RPC-based join mechanism with proper access controls.

## Changes Made

### Database Migration (supabase/migrations/20260603000000_join_public_study_room_rpc.sql)
- Created 'join_public_study_room' RPC function with SECURITY DEFINER
- Enforces explicit row-level security checks at database level
- Validates room exists before allowing join
- Prevents non-creators from joining private rooms
- Implements idempotent join (ON CONFLICT DO NOTHING)
- Updated study_room_participants RLS INSERT policy

### Frontend Updates
- Updated StudyRooms.tsx:
  - Implemented handleJoinRoom function calling join_public_study_room RPC
  - Shows 'Join' button only for public rooms or room creators
  - Displays 'Invite only' label for private rooms
  - Added proper error handling with user feedback

- Updated Room.tsx:
  - Modified fetchRoomDetails to auto-register user via RPC
  - Proper error handling for unauthorized private room access
  - Redirects to /rooms on access denied

### Testing
- Created comprehensive unit tests (backend/tests/studyRooms.test.js)
  - Public room join functionality
  - Private room access restrictions
  - Idempotent join behavior
  - Error handling and edge cases

- Created integration tests (backend/tests/studyRooms.integration.test.js)
  - Complete user workflows
  - RLS policy enforcement
  - UI state consistency
  - Concurrent join scenarios

## Acceptance Criteria Met
✓ Public rooms can be joined successfully
✓ Private room restrictions remain enforced
✓ Capacity checks continue to function
✓ Room membership records are created correctly
✓ Existing functionality is unaffected

## Security Considerations
- RPC uses SECURITY DEFINER with explicit search_path
- RLS policies enforce access control at database level
- Idempotent operations prevent race conditions
- Private room protection at both API and database layers
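The join RPC the description above outlines, written out as an added example (this is not the PR's own migration; the study_rooms columns is_public, creator_id and max_participants and the (room_id, user_id) unique key on study_room_participants are assumed). It shows the pieces the security notes call out: SECURITY DEFINER with a pinned search_path, the existence, private-room and capacity checks ordered before any write, and the ON CONFLICT DO NOTHING idempotent insert, with a row lock so concurrent joins cannot both pass the capacity check.

```sql
-- Assumed schema (not from the PR): study_rooms(id, is_public, creator_id, max_participants)
-- and study_room_participants(room_id, user_id) with a unique key on (room_id, user_id).
CREATE OR REPLACE FUNCTION public.join_public_study_room(p_room_id uuid)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
-- Pin search_path so the definer-privileged body resolves only trusted objects.
SET search_path = public, pg_temp
AS $$
DECLARE
  v_uid uuid := auth.uid();   -- Supabase: the JWT subject, never a client parameter
  v_room study_rooms%ROWTYPE;
  v_count integer;
BEGIN
  -- 1. Caller must be authenticated.
  IF v_uid IS NULL THEN
    RAISE EXCEPTION 'not authenticated' USING ERRCODE = '28000';
  END IF;
  -- 2. Room must exist; FOR UPDATE serializes concurrent joins on this row.
  SELECT * INTO v_room FROM study_rooms WHERE id = p_room_id FOR UPDATE;
  IF NOT FOUND THEN
    RAISE EXCEPTION 'room not found' USING ERRCODE = 'P0002';
  END IF;
  -- 3. Private rooms: only the creator may self-join through this RPC.
  IF NOT v_room.is_public AND v_room.creator_id <> v_uid THEN
    RAISE EXCEPTION 'access denied: private room' USING ERRCODE = '42501';
  END IF;
  -- 4. Capacity check before membership creation; an existing member
  --    re-joining is idempotent and must not be rejected as "full".
  SELECT count(*) INTO v_count
    FROM study_room_participants WHERE room_id = p_room_id;
  IF v_count >= v_room.max_participants AND NOT EXISTS (
       SELECT 1 FROM study_room_participants
        WHERE room_id = p_room_id AND user_id = v_uid) THEN
    RAISE EXCEPTION 'room is full';
  END IF;
  -- 5. Idempotent insert: a repeat call by the same member is a no-op.
  INSERT INTO study_room_participants (room_id, user_id)
  VALUES (p_room_id, v_uid)
  ON CONFLICT (room_id, user_id) DO NOTHING;
END;
$$;
-- SECURITY DEFINER functions are callable by PUBLIC by default; scope them.
REVOKE EXECUTE ON FUNCTION public.join_public_study_room(uuid) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.join_public_study_room(uuid) TO authenticated;
```

Because the function runs with the definer's privileges, the row-level security on study_room_participants is bypassed inside it, which is why the access checks are repeated explicitly in the body rather than delegated to RLS.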
@vercel

vercel Bot commented Jun 3, 2026

@akashgoudsidduluri is attempting to deploy a commit to the durdana3105's projects Team on Vercel.

A member of the Team first needs to authorize it.

@akashgoudsidduluri
Contributor Author

Hey @durdana3105, can you review this PR?

@durdana3105
Owner

This branch has merge conflicts. Please resolve them.

@akashgoudsidduluri
Contributor Author

Hey @durdana3105, I have resolved the conflicts; you can review it.


Development

Successfully merging this pull request may close these issues.

Fix Public Study Room Join Flow

2 participants