fix(user): allow request managers to view user quotas#2812

Open
dougrathbone wants to merge 1 commit into seerr-team:develop from dougrathbone:dougrathbone/fix/quota-permission-or

Conversation


@dougrathbone dougrathbone commented Apr 2, 2026

Description

The GET /:id/quota endpoint had a permission check requiring both MANAGE_USERS AND MANAGE_REQUESTS to view another user's quota. This meant users with only MANAGE_REQUESTS (request managers) received a 403 when trying to view any user's quota, even though viewing quotas is fundamental to managing requests.

Changed { type: 'and' } to { type: 'or' } so either role can access quota information.

Note: If this is genuinely meant to be an AND check (i.e. requiring both roles intentionally), I'll close this. I couldn't see anywhere in the codebase or history that suggested this wasn't just a bug though.

How Has This Been Tested?

Manually reviewed the hasPermission call and traced through the permission model. The type: 'or' behaviour matches how similar dual-role checks are handled elsewhere in the codebase (e.g. GET /request which uses [Permission.MANAGE_REQUESTS, Permission.REQUEST_VIEW] with { type: 'or' }).

Screenshots / Logs (if applicable)

N/A — single character logic change, no UI difference.

Checklist:

  • I have read and followed the contribution guidelines.
  • Disclosed any use of AI (see our policy)
  • I have updated the documentation accordingly.
  • All new and existing tests passed.
  • Successful build pnpm build
  • Translation keys pnpm i18n:extract
  • Database migration (if required)

AI disclosure: I used Claude to help identify this issue while doing a broader audit of permission checks across the codebase.

The quota endpoint at GET /:id/quota required both MANAGE_USERS AND
MANAGE_REQUESTS to view another user's quota. This meant request managers
(with only MANAGE_REQUESTS) were blocked with a 403, even though viewing
quotas is fundamental to managing requests.

Changed permission check from type:'and' to type:'or' so either role
can access quota information.
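To make the before/after behaviour of the permission gate concrete, here is an added example (not Seerr's code) of a bit-flag permission model with an and/or hasPermission check in the style the PR describes. The flag values, the ADMIN bypass and the self-view rule are assumptions; the real Permission enum and hasPermission live in the Seerr server code.

```typescript
// Assumed bit-flag values (constructed for this example, not Seerr's real enum).
const Permission = {
  ADMIN: 2,
  MANAGE_USERS: 8,
  MANAGE_REQUESTS: 16,
  REQUEST_VIEW: 1024,
} as const;

type CheckType = 'and' | 'or';

// Assumed semantics: ADMIN satisfies every check; otherwise 'and' needs
// every required flag set and 'or' needs at least one of them.
function hasPermission(
  granted: number,
  required: number | number[],
  options: { type: CheckType } = { type: 'and' },
): boolean {
  if ((granted & Permission.ADMIN) === Permission.ADMIN) return true;
  const needed = Array.isArray(required) ? required : [required];
  const has = (p: number) => (granted & p) === p;
  return options.type === 'or' ? needed.some(has) : needed.every(has);
}

interface User { id: number; permissions: number; }

// Route-level decision for GET /:id/quota. Viewing your own quota is
// assumed to be always allowed; another user's quota needs the combined check,
// with `type` selecting the pre-fix ('and') or post-fix ('or') gate.
function canViewQuota(requester: User, targetId: number, type: CheckType): boolean {
  if (requester.id === targetId) return true;
  return hasPermission(
    requester.permissions,
    [Permission.MANAGE_USERS, Permission.MANAGE_REQUESTS],
    { type },
  );
}

// Constructed sample users: a request manager, a user manager and a plain viewer.
const requestManager: User = { id: 2, permissions: Permission.MANAGE_REQUESTS };
const userManager: User = { id: 3, permissions: Permission.MANAGE_USERS };
const plainUser: User = { id: 4, permissions: Permission.REQUEST_VIEW };

// Lists the users who gain access to another user's quota when the gate is
// widened from 'and' to 'or': the blast radius a reviewer should check before
// merging a permission-relaxing change.
function newlyGranted(users: User[], targetId: number): number[] {
  return users
    .filter(u => !canViewQuota(u, targetId, 'and') && canViewQuota(u, targetId, 'or'))
    .map(u => u.id);
}
```

Running newlyGranted over the three sample users against target id 1 shows that exactly the two single-role managers gain access, while the plain viewer stays denied under both gates.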
@dougrathbone dougrathbone requested a review from a team as a code owner April 2, 2026 22:31

coderabbitai bot commented Apr 2, 2026

📝 Walkthrough

The permission check for the GET /:id/quota endpoint has been updated from an AND logic ({ type: 'and' }) to an OR logic ({ type: 'or' }), allowing users with either MANAGE_USERS or MANAGE_REQUESTS permission to access the endpoint instead of requiring both.

Changes

Cohort / File(s) | Summary
Permission Authorization Logic (server/routes/user/index.ts) | Modified permission gating for the GET /:id/quota endpoint from AND-combined permissions to OR-combined permissions for the MANAGE_USERS and MANAGE_REQUESTS checks.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A gate swings wide, two locks now one,
Either key will do—the deed is done!
From "both required" to "either's fine,"
Access flows more freely down the line. ✨

🚥 Pre-merge checks | ✅ 2 passed
Check name | Status | Explanation
Title check | ✅ Passed | The title directly and clearly describes the main change: enabling request managers to view user quotas via a permission logic fix.
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.

