fix: cannot use direct crud user update method #998
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
3 issues found across 2 files
Prompt for AI agents (all 3 issues)
Understand the root cause of the following 3 issues and fix them.
<file name="backend/airweave/crud/crud_user.py">
<violation number="1" location="backend/airweave/crud/crud_user.py:54">
Rule violated: **Check for Cursor Rules Drift**
Documenting this unauthenticated update path is required: the new `update_user_no_auth` method bypasses the CRUD invariant that every operation requires an ApiContext, so `.cursor/rules/crud-layer.mdc` must be updated to describe this exception to keep Cursor guidance accurate.</violation>
<violation number="2" location="backend/airweave/crud/crud_user.py:66">
Calling self.get here omits the required current_user argument, so update_user_no_auth will raise a TypeError and never reach the commit/refresh.</violation>
</file>
<file name="backend/airweave/api/deps.py">
<violation number="1" location="backend/airweave/api/deps.py:55">
Passing the ORM user into update_user_no_auth will crash this auth path because the method expects a UserUpdate schema and calls model_dump() on it; authentication will fail here.</violation>
</file>
React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.
| id (UUID): The UUID of the user to update. | ||
| obj_in (UserUpdate): The updated user object. | ||
| """ | ||
| user = await self.get(db, id=id) |
There was a problem hiding this comment.
Calling self.get here omits the required current_user argument, so update_user_no_auth will raise a TypeError and never reach the commit/refresh.
Prompt for AI agents
Address the following comment on backend/airweave/crud/crud_user.py at line 66:
<comment>Calling self.get here omits the required current_user argument, so update_user_no_auth will raise a TypeError and never reach the commit/refresh.</comment>
<file context>
@@ -51,6 +51,29 @@ async def get_by_email(self, db: AsyncSession, *, email: str) -> Optional[User]:
+ id (UUID): The UUID of the user to update.
+ obj_in (UserUpdate): The updated user object.
+ """
+ user = await self.get(db, id=id)
+ if not user:
+ raise NotFoundException(f"User with ID {id} not found")
</file context>
| ) | ||
| # Update last active timestamp directly (can't use CRUD during auth flow) | ||
| user.last_active_at = datetime.utcnow() | ||
| user = await crud.user.update_user_no_auth(db, id=user.id, obj_in=user) |
There was a problem hiding this comment.
Passing the ORM user into update_user_no_auth will crash this auth path because the method expects a UserUpdate schema and calls model_dump() on it; authentication will fail here.
Prompt for AI agents
Address the following comment on backend/airweave/api/deps.py at line 55:
<comment>Passing the ORM user into update_user_no_auth will crash this auth path because the method expects a UserUpdate schema and calls model_dump() on it; authentication will fail here.</comment>
<file context>
@@ -50,13 +50,9 @@ async def _authenticate_auth0_user(
- )
+ # Update last active timestamp directly (can't use CRUD during auth flow)
+ user.last_active_at = datetime.utcnow()
+ user = await crud.user.update_user_no_auth(db, id=user.id, obj_in=user)
user_context = schemas.User.model_validate(user)
</file context>
Suggested change
| user = await crud.user.update_user_no_auth(db, id=user.id, obj_in=user) | |
| user = await crud.user.update_user_no_auth(db, id=user.id, obj_in=schemas.UserUpdate(last_active_at=user.last_active_at)) |
| raise NotFoundException(f"User with email {email} not found") | ||
| return db_obj | ||
|
|
||
| async def update_user_no_auth(self, db: AsyncSession, *, id: UUID, obj_in: UserUpdate) -> User: |
There was a problem hiding this comment.
Rule violated: Check for Cursor Rules Drift
Documenting this unauthenticated update path is required: the new update_user_no_auth method bypasses the CRUD invariant that every operation requires an ApiContext, so .cursor/rules/crud-layer.mdc must be updated to describe this exception to keep Cursor guidance accurate.
Prompt for AI agents
Address the following comment on backend/airweave/crud/crud_user.py at line 54:
<comment>Documenting this unauthenticated update path is required: the new `update_user_no_auth` method bypasses the CRUD invariant that every operation requires an ApiContext, so `.cursor/rules/crud-layer.mdc` must be updated to describe this exception to keep Cursor guidance accurate.</comment>
<file context>
@@ -51,6 +51,29 @@ async def get_by_email(self, db: AsyncSession, *, email: str) -> Optional[User]:
raise NotFoundException(f"User with email {email} not found")
return db_obj
+ async def update_user_no_auth(self, db: AsyncSession, *, id: UUID, obj_in: UserUpdate) -> User:
+ """Update a user without authentication.
+
</file context>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary by cubic
Fixes user activity timestamp updates during Auth0 login by adding a safe no-auth CRUD path and using it in the auth flow. Prevents errors when updating user data before a session exists.