Skip to content

fix/errores-despliegue-pedidos-unidad-prioridad#266

Merged
mjnizac merged 1 commit into
developfrom
fix/errores-despliegue-pedidos-unidad-prioridad
Jun 16, 2026
Merged

fix/errores-despliegue-pedidos-unidad-prioridad#266
mjnizac merged 1 commit into
developfrom
fix/errores-despliegue-pedidos-unidad-prioridad

Conversation

@mjnizac

@mjnizac mjnizac commented Jun 16, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

Notas de la versión

  • Nuevas Características

    • Se agregó un campo de dirección en el flujo de creación de unidades durante la incorporación.
    • Se actualizó el acceso al endpoint de órdenes para requerir solo autenticación.
  • Estilo

    • Se normalizó la capitalización de las etiquetas de prioridad de órdenes en inglés y español.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@mjnizac, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 56 minutes and 14 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fed77174-8250-4f80-8821-236433859a70

📥 Commits

Reviewing files that changed from the base of the PR and between 79d69de and 01736b4.

📒 Files selected for processing (4)
  • backend/src/main/java/com/delivera/config/SecurityConfig.java
  • frontend/src/locales/en.yml
  • frontend/src/locales/es.yml
  • frontend/src/views/auth/OnboardingView.vue

Walkthrough

El PR realiza tres cambios independientes: relaja la regla de autorización de GET /loyal-users/me/orders de rol LOYAL_USER a autenticado, agrega el campo address en el formulario de creación de unidad del onboarding (estado, validación, payload y UI), y normaliza el casing de las etiquetas de prioridad en los archivos de traducción en inglés y español.

Changes

Cambio de regla de seguridad en backend

Layer / File(s) Summary
Regla de autorización en SecurityConfig
backend/src/main/java/com/delivera/config/SecurityConfig.java
La restricción para GET {api}/loyal-users/me/orders cambia de hasRole(LOYAL_USER) a authenticated().

Cambios de frontend: onboarding y traducciones

Layer / File(s) Summary
Campo address en OnboardingView
frontend/src/views/auth/OnboardingView.vue
Se añade unitAddress como estado reactivo, se valida en createUnit y se incluye en el payload de POST /units; el step 1 agrega un campo de formulario con v-model e i18n.
Normalización de casing en etiquetas de prioridad
frontend/src/locales/en.yml, frontend/src/locales/es.yml
HIGH/NORMAL/LOW pasan a High/Normal/Low en inglés; ALTA/BAJA pasan a Alta/Baja en español.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name Status Explanation Resolution
Description check ⚠️ Warning No se proporcionó descripción del pull request. El template requiere resumen, issues relacionados, cambios realizados, tipo de cambio y checklist, pero todas estas secciones están vacías. Añade una descripción completa siguiendo el template del repositorio: incluye resumen de cambios, issues cerrados, listado de cambios realizados, selecciona el tipo de cambio aplicable y completa el checklist de validación.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive El título es genérico y no refleja claramente los cambios principales. Incluye términos vagos (fix/errores) sin especificar qué se corrigió exactamente entre los múltiples cambios (seguridad, UI, traducciones). Considerar un título más descriptivo como 'fix: autorización flexible para pedidos de usuario y validación de dirección en onboarding' que refleje los cambios principales de seguridad y funcionalidad.
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/errores-despliegue-pedidos-unidad-prioridad

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@mjnizac mjnizac changed the title fix: corregir mis pedidos de usuario individual, validacion de unidad… fix/errores-despliegue-pedidos-unidad-prioridad Jun 16, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
frontend/src/views/auth/OnboardingView.vue (1)

32-39: 🏗️ Heavy lift

Extrae la creación/validación de unidad a un composable compartido.

En Line 33 y Line 38 estás metiendo validación y construcción del payload dentro del componente. Ya existe frontend/src/composables/useUnitForm.js (Line 41-77) con esta responsabilidad para /units; mantener ambos caminos en paralelo facilita la deriva de reglas.

As per coding guidelines, "Lógica reutilizable en composables (useApi.js, useValidation.js)" y "No lógica de negocio directamente en componentes".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/views/auth/OnboardingView.vue` around lines 32 - 39, The
createUnit() function in OnboardingView.vue duplicates validation and payload
construction logic that already exists in the shared composable useUnitForm.js.
Instead of manually validating unitName and unitAddress fields (lines 33-34) and
constructing the API payload (line 38), import the useUnitForm composable and
leverage its existing validation and API methods. Remove the inline validation
checks and api.post call from createUnit(), replacing them with calls to the
appropriate composable functions that handle unit validation and creation
according to the shared business rules.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/src/main/java/com/delivera/config/SecurityConfig.java`:
- Line 75: The requestMatchers configuration for the GET endpoint
`/loyal-users/me/orders` uses `authenticated()` instead of
`hasRole(LOYAL_USER)`, allowing any authenticated user regardless of role to
attempt access. While the underlying service may return an empty list for
non-loyal users, this violates the security principle of explicit role-based
access control. Either restore the `hasRole(LOYAL_USER)` requirement in the
requestMatchers call to enforce role-based authorization at the security layer,
or modify the loyalUserService.getMyOrders() method to explicitly throw an
exception (such as LoyalUserNotFoundException or AccessDeniedException) when the
authenticated user is not found in the loyal_user table, ensuring the
authorization is properly validated rather than silently failing with an empty
list.

---

Nitpick comments:
In `@frontend/src/views/auth/OnboardingView.vue`:
- Around line 32-39: The createUnit() function in OnboardingView.vue duplicates
validation and payload construction logic that already exists in the shared
composable useUnitForm.js. Instead of manually validating unitName and
unitAddress fields (lines 33-34) and constructing the API payload (line 38),
import the useUnitForm composable and leverage its existing validation and API
methods. Remove the inline validation checks and api.post call from
createUnit(), replacing them with calls to the appropriate composable functions
that handle unit validation and creation according to the shared business rules.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 05d672dc-9c45-4899-977b-cc801b5b841d

📥 Commits

Reviewing files that changed from the base of the PR and between b40bb27 and 79d69de.

📒 Files selected for processing (4)
  • backend/src/main/java/com/delivera/config/SecurityConfig.java
  • frontend/src/locales/en.yml
  • frontend/src/locales/es.yml
  • frontend/src/views/auth/OnboardingView.vue

auth.requestMatchers(HttpMethod.POST, api + "/loyal-users").hasRole(ADMIN);
auth.requestMatchers(HttpMethod.PUT, api + "/loyal-users/**").hasRole(ADMIN);
auth.requestMatchers(HttpMethod.GET, api + "/loyal-users/me/orders").hasRole(LOYAL_USER);
auth.requestMatchers(HttpMethod.GET, api + "/loyal-users/me/orders").authenticated();

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verificar la implementación de getMyOrders() para confirmar validación interna

# Buscar la implementación del método getMyOrders en el servicio
ast-grep --pattern $'public $_ getMyOrders() {
  $$$
}'

# Buscar referencias a LOYAL_USER o validaciones de rol en LoyalUserService
rg -n -C5 'getMyOrders|LOYAL_USER|loyal.*user' --type=java -g '**/LoyalUserService*.java'

# Buscar si hay validación del usuario actual como loyal user
rg -n -C3 'getCurrentUser|getAuthenticated|SecurityContext' --type=java -g '**/LoyalUserService*.java'

Repository: Delivera-Project/Delivera

Length of output: 5305


El endpoint relaja la autorización sin validación suficiente en el servicio.

El cambio de hasRole(LOYAL_USER) a authenticated() permite que cualquier usuario autenticado (ADMIN, ANALYST, OPERATOR, etc.) acceda al endpoint /loyal-users/me/orders.

Aunque loyalUserService.getMyOrders() busca internamente el usuario en la tabla loyal_user, no valida explícitamente que el usuario autenticado tenga el rol LOYAL_USER ni lanza una excepción cuando el usuario no es fidelizado. En su lugar, retorna una lista vacía (List.of()).

Esto viola la guía de codificación: "Seguridad: verifica que los endpoints estén correctamente protegidos según el rol". El endpoint debe:

  • Mantener hasRole(LOYAL_USER) en la configuración de seguridad, O
  • Lanzar una excepción en el servicio (ej. LoyalUserNotFoundException) cuando el usuario autenticado no sea un loyal user, O
  • Justificar formalmente por qué usuarios no fidelizados deben tener acceso al path /loyal-users/**
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/src/main/java/com/delivera/config/SecurityConfig.java` at line 75,
The requestMatchers configuration for the GET endpoint `/loyal-users/me/orders`
uses `authenticated()` instead of `hasRole(LOYAL_USER)`, allowing any
authenticated user regardless of role to attempt access. While the underlying
service may return an empty list for non-loyal users, this violates the security
principle of explicit role-based access control. Either restore the
`hasRole(LOYAL_USER)` requirement in the requestMatchers call to enforce
role-based authorization at the security layer, or modify the
loyalUserService.getMyOrders() method to explicitly throw an exception (such as
LoyalUserNotFoundException or AccessDeniedException) when the authenticated user
is not found in the loyal_user table, ensuring the authorization is properly
validated rather than silently failing with an empty list.

Source: Coding guidelines

@mjnizac mjnizac force-pushed the fix/errores-despliegue-pedidos-unidad-prioridad branch from 79d69de to 01736b4 Compare June 16, 2026 14:53
@vercel

vercel Bot commented Jun 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
delivera Ready Ready Preview, Comment Jun 16, 2026 2:53pm

@sonarqubecloud

Copy link
Copy Markdown

@mjnizac mjnizac merged commit 3dca950 into develop Jun 16, 2026
11 checks passed
@mjnizac mjnizac deleted the fix/errores-despliegue-pedidos-unidad-prioridad branch June 16, 2026 14:57
mjnizac added a commit that referenced this pull request Jun 16, 2026
* fix/leaflet-navigation-and-ux-bugs (#243)

* fix: Leaflet navigation crash and minor UX bugs

* fix: corregir bugs de mapas, navegación, ranking y asignación de trabajadores

* feat: ampliar datos de demo con global admin, nueva empresa y asignación de trabajadores a unidades

* fix: aplicar sugerencias CodeRabbit en mapas, layout y tests

* chore: actualizaciones de dependencias Dependabot (#253)

* fix/my-orders-sidebar-unregistered-user (#254)

* fix: mostrar mis pedidos en sidebar para usuarios LOYAL_USER

* fix: añadir campo username al formulario de reclamación de pedido

* fix: reutilizar fields.username en lugar de clave duplicada en tracking

* feat: pedidos B2B cross-org, registro desde tracking con address, validaciones y mejoras UI

* test: corregir tests tras cambios en OrderService, UnitService y WorkerService

* fix: añadir LoyalUserCompany y actualizar test useOrderForm a b2bOrganizations

* test: añadir address en test useUnitForm para pasar validación de ubicación

* test: añadir campo address en E2E de registro individual

* chore: skip commitlint en PR develop a main

* feat: panel admin global con mapa de rutas, métricas y gestión de entidades (#256)

* chore/actualizar-dependencias-dependabot (#264)

* chore: actualizar dependencias de linting frontend (oxlint, eslint-plugin-vue, vitest-eslint-plugin)

* fix: parchear vulnerabilidades vite (8.0.16) y esbuild (override 0.28.1)

* fix: errores de mis pedidos, unidad en onboarding y prioridad (#266)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant