Add user enrichment columns and user_search config hook #78
HamptonMakes merged 3 commits into main from
- Migration adds avatar_url, title, team, notification_preferences to coplan_users
- User model defaults notification_preferences to {} via after_initialize
- Configuration gets user_search attr_accessor for lambda-based search hook
- New API endpoint GET /api/v1/users/search?q=query with hook delegation and LIKE fallback
- ActiveAdmin registration updated to show/permit new fields
- Model and request specs for all new functionality
Part of CoPlan v2 Roadmap (Phase 1, item 4).
Amp-Thread-ID: https://ampcode.com/threads/T-019d54e9-adf1-746a-861d-3410a5d1d55c
Co-authored-by: Amp <amp@ampcode.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 00bd5ab326
| render json: results | ||
| else | ||
| users = CoPlan::User | ||
| .where("name LIKE :q OR email LIKE :q", q: "%#{query}%") |
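Review bot: the two branches shown here return different shapes: `render json: results` emits whatever hashes the configured user_search lambda produced, with no restriction on keys, while the fallback builds the pattern `"%#{query}%"` from unescaped input, so `%` and `_` in the query act as wildcards and `q=%` lists the whole directory. Run both branches through one serializer that keeps only an allow-list of fields (id, name, email and the new display columns), and wrap the fallback's query with `sanitize_sql_like` so the text is matched literally.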
Escape LIKE wildcards in fallback user search
The fallback query interpolates user input directly into a LIKE pattern ("%#{query}%") without escaping % and _, so an authenticated caller can pass wildcard-only input (for example q=%) and get an arbitrary slice of the entire user directory, including emails. This turns a typeahead endpoint into a user-enumeration surface whenever user_search is not configured; treat query text literally (e.g., via sanitize_sql_like) before building the pattern.
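The wildcard problem described in the review, and the serializer fix the follow-up commit describes, as an added stand-alone example (not code from the CoPlan project): `escape_like` mirrors what ActiveRecord's `sanitize_sql_like` does, `like_to_regexp` stands in for the database's LIKE matching so the example runs offline, and the sample users and the hook are constructed here.

```ruby
# Same escaping as ActiveRecord's sanitize_sql_like: prefix the LIKE
# metacharacters (and the escape char itself) with a backslash.
def escape_like(text, escape = "\\")
  text.gsub(Regexp.union(escape, "%", "_")) { |m| escape + m }
end

# Only these keys leave the endpoint, whether rows come from the SQL
# fallback or from a configured user_search hook.
ALLOWED_FIELDS = %w[id name email avatar_url title team].freeze

def user_json(row)
  row.transform_keys(&:to_s).slice(*ALLOWED_FIELDS)
end

# Offline stand-in for `WHERE name LIKE :q OR email LIKE :q ESCAPE '\'`:
# translate a LIKE pattern with backslash escapes into a Regexp.
def like_to_regexp(pattern, escape = "\\")
  src = String.new
  chars = pattern.chars
  i = 0
  while i < chars.size
    c = chars[i]
    if c == escape && i + 1 < chars.size
      src << Regexp.escape(chars[i + 1])   # escaped char: match literally
      i += 2
      next
    end
    src << (c == "%" ? ".*" : c == "_" ? "." : Regexp.escape(c))
    i += 1
  end
  /\A#{src}\z/i   # case-insensitive, like a typical MySQL collation
end

# Hypothetical equivalent of the endpoint: hook first, LIKE fallback second,
# and every row (from either source) reduced to the allow-listed fields.
def search_users(query, users, hook: nil, escape: true)
  results =
    if hook
      hook.call(query)
    else
      pattern = "%#{escape ? escape_like(query) : query}%"
      re = like_to_regexp(pattern)
      users.select { |u| re.match?(u[:name]) || re.match?(u[:email]) }
    end
  results.map { |r| user_json(r) }
end

# Constructed sample directory.
USERS = [
  { id: 1, name: "Alice Liddell", email: "alice@example.test", password_digest: "x1" },
  { id: 2, name: "Bob Stone",     email: "bob@example.test",   password_digest: "x2" },
  { id: 3, name: "Carol Danvers", email: "carol@example.test", password_digest: "x3" }
].freeze
```

With `escape: false` the query `%` returns every user; with escaping it returns none, because the caller's `%` is matched as a literal character.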
…ough user_json
- Use sanitize_sql_like to prevent wildcard injection in search query
- Unify both hook and fallback branches through user_json serialization
- ALLOWED_FIELDS constant ensures only safe fields are returned
- Spec verifies extra fields from hook results are stripped
Amp-Thread-ID: https://ampcode.com/threads/T-019d54e9-adf1-746a-861d-3410a5d1d55c
Co-authored-by: Amp <amp@ampcode.com>
… example
Amp-Thread-ID: https://ampcode.com/threads/T-019d54e9-adf1-746a-861d-3410a5d1d55c
Co-authored-by: Amp <amp@ampcode.com>
Summary
Enriches CoPlan user profiles with display fields and adds a configurable user search hook for @-mention typeahead (Phase 2).
Changes
- avatar_url, title, team, notification_preferences (JSON) to coplan_users
- notification_preferences defaults to {} via after_initialize; ransackable_attributes updated
- user_search attr_accessor accepting a lambda (query) -> [user_hashes]
- GET /api/v1/users/search?q=query — delegates to hook if configured, falls back to LIKE on name/email
Testing
522 non-system specs pass. System specs are unrelated Capybara/MySQL deadlock issues pre-existing on main.
Part of CoPlan v2 Roadmap (Phase 1, item 4).