Skip membership check for IRE staff#5
Merged
Conversation
Agent-Logs-Url: https://github.com/ireapps/ire-archive-backend/sessions/8b3d94d3-a69d-4cad-a56e-400b24aa3459 Co-authored-by: palewire <9993+palewire@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix membership test for IRE staff users
Skip membership check for IRE staff
Apr 10, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Adjusts member-only access control so authenticated users with an @ire.org email can access member-only endpoints without needing an active membership.
Changes:
- Updated
require_memberto bypass the membership check for emails ending with@ire.org(case-insensitive). - Added unit tests covering staff bypass, case-insensitivity, and denial for non-matching domains/subdomains.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| app/auth/dependencies.py | Adds @ire.org staff bypass logic and updates the dependency docstring. |
| tests/test_auth/test_require_member.py | Introduces tests validating the bypass and rejection rules. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/ireapps/ire-archive-backend/sessions/70f3a9d0-b746-4a01-a85c-f9b9ad9e00b3 Co-authored-by: palewire <9993+palewire@users.noreply.github.com>
palewire
approved these changes
Apr 11, 2026
Collaborator
|
@copilot, can you fix this error in our CI? [2026-04-11][01:59:44][ruff::commands::format][DEBUG] Formatted 50 files in 12.72ms |
Agent-Logs-Url: https://github.com/ireapps/ire-archive-backend/sessions/304b40df-073c-4c2b-a1a3-26b0bf0a7f1b Co-authored-by: palewire <9993+palewire@users.noreply.github.com>
Contributor
Author
palewire
approved these changes
Apr 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Users with an
@ire.orgemail returned by the auth service should have unconditional access, bypassing the active membership requirement.Changes
app/auth/dependencies.py—require_membernow grants access whensession.emailends with@ire.org(case-insensitive), regardless ofis_active_memberapp/auth/membersuite_client.py—authenticate_and_verifyalso skips the membership check for@ire.orgemails, so IRE staff are never blocked before a session is created even whenMS_REQUIRE_MEMBERSHIP=truetests/test_auth/test_require_member.py— New test file covering: staff bypass with/without membership, case-insensitivity, and denial of non-@ire.orgaddresses (including subdomains like@staff.ire.organd lookalikes like@notire.org)tests/test_auth/test_membersuite_client.py— New test file covering the bypass inauthenticate_and_verify: active member allowed, inactive member denied, IRE staff bypass, case-insensitivity, and that similar-but-non-matching domains are still denied