
Conversation

@codeunia-dev (Owner) commented Nov 19, 2025

This PR introduces improvements to RBAC logic and enhances the flexibility of hackathon data retrieval.

🔐 RBAC Fixes

  • Updated company member removal permissions.
  • Admins (excluding the company owner) can now remove other members as expected.
  • Ensures consistent enforcement of role boundaries across the app.

🧩 Hackathon Retrieval Improvements

  • Added support for fetching hackathons by either ID or slug.
  • Updated dependent components/services to reflect this flexible lookup approach.
  • Improves robustness when loading hackathon details from different contexts (UI, deep links, admin routing, etc.).

🎯 Why This Matters

  • Fixes permission inconsistencies that previously prevented valid admin actions.
  • Strengthens data-fetching logic for hackathons and reduces risk of “not found” errors.
  • Provides a cleaner, more maintainable foundation for upcoming company and hackathon features.

🗂️ Summary

  • 2 commits
  • 6 files changed
  • Improved role-based access control
  • Enhanced hackathon loading strategy

Authored by: @akshay0611

Summary by CodeRabbit

  • New Features

    • Admins can now remove team members
    • Accept invitation flow no longer interrupted by authorization checks
  • Bug Fixes

    • Hackathon deletion now requires owner or admin role
    • Improved error messages and handling for hackathon operations
    • Added protection preventing admins from removing owners

…cluding owners) and introduce redirect skipping in role protection for invitation flows.
… API routes to use it, while restricting hackathon deletion to company owners or admins.
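The removal rule the PR describes (owners or admins may remove members, admins may not remove owners, the UI hides the option and the API returns 403 when it is violated), as an added TypeScript example that is not the PR's own code. Role names come from the PR; the member shape, function names, the 204/403/404 mapping and the "last owner" guard are assumptions made here.

```typescript
// Added example, not code from the PR. One pure decision function that the
// members API route and the TeamManagement UI could both call, so the server
// answer and the rendered button never disagree.
type Role = 'owner' | 'admin' | 'member';

interface Member {
  userId: string;
  role: Role;
}

interface RemovalDecision {
  allowed: boolean;
  status: 204 | 403 | 404;
  message: string;
}

// Owners may remove anyone; admins may remove admins and members but not
// owners; plain members may remove nobody.
function decideRemoval(members: Member[], actorId: string, targetId: string): RemovalDecision {
  const actor = members.find((m) => m.userId === actorId);
  const target = members.find((m) => m.userId === targetId);

  if (!actor || (actor.role !== 'owner' && actor.role !== 'admin')) {
    return { allowed: false, status: 403, message: 'Only owners and admins can remove members' };
  }
  if (!target) {
    return { allowed: false, status: 404, message: 'Member not found' };
  }
  if (target.role === 'owner' && actor.role !== 'owner') {
    return { allowed: false, status: 403, message: 'Only owners can remove owners' };
  }
  // Assumption not stated in the PR: refuse to remove the last owner, which
  // would leave the company with nobody able to manage it.
  const ownerCount = members.filter((m) => m.role === 'owner').length;
  if (target.role === 'owner' && ownerCount === 1) {
    return { allowed: false, status: 403, message: 'Cannot remove the last owner' };
  }
  return { allowed: true, status: 204, message: 'Member removed' };
}

// UI-side gate mirroring the same rule. Hiding the button is convenience only;
// decideRemoval on the server remains the authoritative check.
function canShowRemoveButton(viewerRole: Role, targetRole: Role): boolean {
  if (viewerRole === 'owner') return true;
  if (viewerRole === 'admin') return targetRole !== 'owner';
  return false;
}

// Constructed sample company with one owner, two admins and one member.
const sampleMembers: Member[] = [
  { userId: 'u-owner', role: 'owner' },
  { userId: 'u-admin', role: 'admin' },
  { userId: 'u-admin2', role: 'admin' },
  { userId: 'u-member', role: 'member' },
];

function demo(): RemovalDecision[] {
  return [
    decideRemoval(sampleMembers, 'u-admin', 'u-member'),  // 204: admin removes member
    decideRemoval(sampleMembers, 'u-admin', 'u-admin2'),  // 204: admin removes another admin
    decideRemoval(sampleMembers, 'u-admin', 'u-owner'),   // 403: only owners can remove owners
    decideRemoval(sampleMembers, 'u-member', 'u-admin'),  // 403: members cannot remove
    decideRemoval(sampleMembers, 'u-owner', 'u-owner'),   // 403: last owner guard
    decideRemoval(sampleMembers, 'u-owner', 'u-ghost'),   // 404: unknown target
  ];
}
```

The sequence in the CodeRabbit walkthrough shows the UI deciding whether to render the Remove option and the API deciding again on DELETE; sharing one function between the two is how you keep the client check from drifting away from the enforced rule.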
vercel bot commented Nov 19, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project    Deployment   Preview    Comments          Updated (UTC)
codeunia   Building     Building   Preview Comment   Nov 19, 2025 5:46pm

coderabbitai bot (Contributor) commented Nov 19, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

This pull request enhances authorization and lookup mechanisms across company member management and hackathon operations. It expands member removal permissions to include admins while preventing admins from removing owners, improves hackathon API routes with stricter authentication and better error handling, introduces a new ID/slug-based hackathon lookup utility, and extends role protection to support conditional redirect skipping for invitation flows.

Changes

Cohort / File(s) / Summary

Company member authorization
  Files: app/api/companies/[slug]/members/[userId]/route.ts, components/dashboard/TeamManagement.tsx
  Summary: Authorization for member removal updated to allow both 'owner' and 'admin' roles. Added guard to prevent admins from removing owners (403 response). Updated error messages and conditional UI rendering to reflect new permission model.

Hackathon API operations
  Files: app/api/hackathons/[id]/route.ts
  Summary: GET/PUT/DELETE routes enhanced with improved error handling. DELETE now requires 'owner' or 'admin' roles (previously any membership). All routes now return explicit error responses on failure. Added standardized response payload format with success flag and message field.

Hackathon service layer
  Files: lib/services/hackathons.ts
  Summary: New utility method getHackathonByIdOrSlug() added for flexible lookup. updateHackathon() and deleteHackathon() method signatures changed from slug-only to accept ID or slug parameter. Delete operations now resolve ID before deletion and include cache clearing.

Role protection and dashboard
  Files: lib/hooks/useRoleProtection.ts, app/dashboard/company/layout.tsx
  Summary: Hook signature extended with optional { skipRedirect?: boolean } parameter. Dashboard layout updated to detect accept-invitation page and pass skipRedirect flag to skip role-based redirects during invitation acceptance flow.

Sequence Diagram(s)

sequenceDiagram
    participant Admin as Admin User
    participant UI as TeamManagement UI
    participant API as Members API
    
    rect rgb(200, 220, 240)
    Note over Admin,API: New Admin Flow - Remove Member
    end
    
    Admin->>UI: Click Remove Member (non-owner)
    activate UI
    UI->>UI: Check canRemoveMembers<br/>(owner OR admin)
    UI->>UI: Check: isOwner(targetMember)?
    UI-->>Admin: Show Remove option
    deactivate UI
    
    Admin->>API: DELETE /members/[userId]
    activate API
    API->>API: Verify user is owner/admin
    alt Target is Owner
        API-->>Admin: 403 Forbidden<br/>Only owners can remove owners
    else Target is Member
        API->>API: Remove member & send email
        API-->>Admin: 204 Success
    end
    deactivate API
sequenceDiagram
    participant Req as Request Handler
    participant Service as HackathonsService
    participant DB as Database
    
    rect rgb(220, 240, 200)
    Note over Req,DB: Delete Hackathon - Enhanced Auth & Lookup
    end
    
    Req->>Req: Verify user is owner/admin
    alt Not Authorized
        Req-->>Req: 403 Forbidden
    else Authorized
        Req->>Service: deleteHackathon(idOrSlug)
        activate Service
        Service->>Service: getHackathonByIdOrSlug(idOrSlug)
        Service->>DB: Query by ID or slug
        DB-->>Service: Hackathon found
        alt Not Found
            Service-->>Req: null
        else Found
            Service->>DB: DELETE hackathon by ID
            Service->>Service: Clear cache
            Service-->>Req: Success
        end
        deactivate Service
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • app/api/hackathons/[id]/route.ts requires careful review of authorization changes (owner/admin distinction), error handling paths across GET/PUT/DELETE, and response payload consistency
  • lib/services/hackathons.ts introduces new lookup logic and changes method signatures; verify ID/slug resolution works correctly and cache clearing behavior
  • app/dashboard/company/layout.tsx uses pathname-based conditional logic for redirect skipping; ensure the accept-invitation page path matches and doesn't interfere with other layouts
  • app/api/companies/[slug]/members/[userId]/route.ts authorization changes must ensure owner-removal guard doesn't break existing removal flows

Poem

🐰 Admins hop into the ring,
Owner gates? The rabbits spring!
IDs and slugs, now both aligned,
Redirects skip on invites signed,
Auth renewed, defenses tight! 🔐

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f797ec9 and fa1c0bc.

📒 Files selected for processing (6)
  • app/api/companies/[slug]/members/[userId]/route.ts (5 hunks)
  • app/api/hackathons/[id]/route.ts (10 hunks)
  • app/dashboard/company/layout.tsx (6 hunks)
  • components/dashboard/TeamManagement.tsx (4 hunks)
  • lib/hooks/useRoleProtection.ts (4 hunks)
  • lib/services/hackathons.ts (4 hunks)

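The hackathon side of the walkthrough above (a getHackathonByIdOrSlug() lookup, deleteHackathon() resolving the ID before deleting and clearing its cache, and a DELETE route that now requires a company owner or admin), as an added TypeScript example that is not the project's code. The two method names come from the review summary; the in-memory store, the UUID test used to tell an ID from a slug, the RoleLookup callback, the handler name and the status codes are assumptions made here.

```typescript
// Added example, not the project's own code. Demonstrates ID-or-slug
// resolution, cache invalidation on delete, and an owner/admin-only DELETE
// handler that checks the role in the company owning the hackathon.
type Role = 'owner' | 'admin' | 'member';

interface Hackathon {
  id: string;        // assumed to be a UUID
  slug: string;
  companyId: string;
  title: string;
}

interface ApiResponse {
  status: number;
  body: { success: boolean; message: string };
}

// Assumption: primary keys are UUIDs, so anything that does not match this
// pattern is treated as a slug and never compared against the id column.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

class HackathonsService {
  private rows = new Map<string, Hackathon>();   // storage keyed by id
  private cache = new Map<string, Hackathon>();  // lookup cache keyed by id or slug

  constructor(seedRows: Hackathon[]) {
    for (const h of seedRows) this.rows.set(h.id, h);
  }

  getHackathonByIdOrSlug(idOrSlug: string): Hackathon | null {
    const hit = this.cache.get(idOrSlug);
    if (hit) return hit;
    const found = UUID_RE.test(idOrSlug)
      ? this.rows.get(idOrSlug)
      : Array.from(this.rows.values()).find((h) => h.slug === idOrSlug);
    if (!found) return null;
    this.cache.set(idOrSlug, found);
    return found;
  }

  // Resolve first so the delete always runs against the real primary key,
  // then drop both cache keys so a stale slug lookup cannot return the row.
  deleteHackathon(idOrSlug: string): boolean {
    const h = this.getHackathonByIdOrSlug(idOrSlug);
    if (!h) return false;
    this.rows.delete(h.id);
    this.cache.delete(h.id);
    this.cache.delete(h.slug);
    return true;
  }

  cacheSize(): number {
    return this.cache.size;
  }
}

// Assumed membership lookup: (userId, companyId) -> role, or null if not a member.
type RoleLookup = (userId: string, companyId: string) => Role | null;

// DELETE /api/hackathons/[id] as a pure function. The hackathon is resolved
// before the role check so the role is evaluated in the company that owns it,
// not in a company the caller chooses.
function handleDeleteHackathon(
  svc: HackathonsService,
  roleOf: RoleLookup,
  userId: string | null,
  idOrSlug: string,
): ApiResponse {
  if (!userId) return { status: 401, body: { success: false, message: 'Authentication required' } };
  const h = svc.getHackathonByIdOrSlug(idOrSlug);
  if (!h) return { status: 404, body: { success: false, message: 'Hackathon not found' } };
  const role = roleOf(userId, h.companyId);
  if (role !== 'owner' && role !== 'admin') {
    return { status: 403, body: { success: false, message: 'Only company owners or admins can delete hackathons' } };
  }
  svc.deleteHackathon(h.id);
  return { status: 200, body: { success: true, message: 'Hackathon deleted' } };
}

// Constructed sample data: two companies, one hackathon each.
const seed: Hackathon[] = [
  { id: '11111111-2222-4333-8444-555555555555', slug: 'winter-ctf-2025', companyId: 'co-1', title: 'Winter CTF' },
  { id: '66666666-7777-4888-9999-aaaaaaaaaaaa', slug: 'spring-hack', companyId: 'co-2', title: 'Spring Hack' },
];
const roles: { [company: string]: { [user: string]: Role | undefined } | undefined } = {
  'co-1': { alice: 'owner', bob: 'admin', carol: 'member' },
  'co-2': { dave: 'owner' },
};
const roleOf: RoleLookup = (userId, companyId) => {
  const company = roles[companyId];
  const role = company ? company[userId] : undefined;
  return role ?? null;
};

function demo(): number[] {
  const svc = new HackathonsService(seed);
  return [
    handleDeleteHackathon(svc, roleOf, null, 'winter-ctf-2025').status,   // 401: anonymous
    handleDeleteHackathon(svc, roleOf, 'carol', 'winter-ctf-2025').status, // 403: plain member
    handleDeleteHackathon(svc, roleOf, 'dave', 'winter-ctf-2025').status,  // 403: owner of another company
    handleDeleteHackathon(svc, roleOf, 'bob', seed[0].id).status,          // 200: admin, by ID
    handleDeleteHackathon(svc, roleOf, 'alice', 'winter-ctf-2025').status, // 404: already deleted
  ];
}
```

Two points the review bullets ask a reviewer to confirm are visible here: the role check is keyed to the company that owns the resolved hackathon, so a member of another company gets 403 rather than a deletion, and the cache is cleared under both the id and the slug, so neither form of the URL can resolve the row after it is gone. Whether to answer an authenticated non-member with 403 or with 404 (hiding that the hackathon exists) is a policy choice; the example follows the walkthrough's distinction between "not found" and "forbidden".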
