feat: allow users to remove themselves from a vault #290
Add POST /v1/vaults/{name}/leave endpoint and frontend UI for users
to leave vaults they have explicit access to. Guards against the last
admin leaving a vault.
| Filename | Overview |
|---|---|
| internal/server/handle_vaults.go | Adds handleVaultLeave handler with correct guards: scoped-session check, explicit-grant check, and last-admin block. Error-handling follows existing patterns in the file. |
| internal/server/server.go | Registers POST /v1/vaults/{name}/leave with the full middleware chain including limitBody, consistent with all other mutating vault routes. |
| internal/server/server_test.go | Adds four test cases: successful member leave, last-admin blocked (409), admin leaves with a second admin present, and no-access rejection (403). Coverage is solid. |
| web/src/pages/home/VaultsListTab.tsx | Adds leave icon to VaultCard and a confirmation Modal; vault name is properly URI-encoded in the API call. The canLeave guard contains a dead is_default branch (always undefined in the list response) but causes no functional issue. |
| web/src/pages/vault/UsersTab.tsx | Exposes Leave vault action in the current-user row's DropdownMenu for all roles; non-admin other-user rows correctly return null. Post-leave navigation to "/" is correct. Both modals lack a submitting/disabled state on the confirm button. |
Reviews (2): Last reviewed commit: "fix: add limitBody wrapper to leave rout..."
PR overview
All previously flagged issues have been addressed. No open security concerns remain on this pull request.
Security review
No open security issues remain on this pull request. Fixed/addressed: 1 · PR risk: 0/10
@greptile review
Summary
Adds POST /v1/vaults/{name}/leave endpoint and corresponding frontend UI so users can remove themselves from a vault. Previously the only way to lose vault access was for an admin to remove you or to delete the entire vault.
Backend - new handleVaultLeave handler that revokes the caller's own vault grant. Guards:
Frontend - two entry points:
Both surfaces open a confirmation modal before calling the API. Leaving from the Users tab redirects to the home page.
Type of change
Test plan
make test)
Security checklist
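An added example, not code from this pull request or the project: the three guards the overview table attributes to handleVaultLeave (scoped-session check, explicit-grant check, last-admin block), written in Go with the admin count and the revoke held under one lock. The Grants store, the error names and the role strings are hypothetical; the 403 and 409 codes in the comments come from the test cases listed in the table.

```go
package main

import (
	"errors"
	"sync"
)

var (
	ErrScopedSession   = errors.New("scoped session may not leave a vault") // status not stated on the page
	ErrNoExplicitGrant = errors.New("no explicit grant on this vault")      // 403 in the PR's tests
	ErrLastAdmin       = errors.New("last admin may not leave the vault")   // 409 in the PR's tests
)

// Grants is a hypothetical in-memory store: vault name -> user -> role.
type Grants struct {
	mu      sync.Mutex
	byVault map[string]map[string]string
}

// Leave revokes the caller's own grant. The admin count and the delete run
// under one lock, so two admins leaving at once cannot both pass the check.
func (g *Grants) Leave(vault, user string, scoped bool) error {
	if scoped {
		return ErrScopedSession
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	role, ok := g.byVault[vault][user]
	if !ok {
		return ErrNoExplicitGrant
	}
	admins := 0
	for _, r := range g.byVault[vault] {
		if r == "admin" {
			admins++
		}
	}
	if role == "admin" && admins == 1 {
		return ErrLastAdmin
	}
	delete(g.byVault[vault], user)
	return nil
}

func main() {
	g := &Grants{byVault: map[string]map[string]string{"prod": {"alice": "admin", "bob": "member"}}} // constructed sample
	println(g.Leave("prod", "bob", false) == nil)                     // member leaves
	println(errors.Is(g.Leave("prod", "alice", false), ErrLastAdmin)) // last admin is blocked
}
```

With a database-backed store the same property needs the count and the delete in one transaction, or a constraint that rejects removing the final admin row.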