refactor(codeql): decompose complex conditions + harden Vite web-root check

[rlorenzo]

What

1. Decompose complex boolean conditions (cs/complex-condition), behavior-preserving:

• CMS.CheckFilePermission — early-return guard clauses; resolve the user's permissions once into an OrdinalIgnoreCase HashSet instead of an O(n²) per-permission scan.
• ViteProxyHelpers.CreateProxyRequest — methodSupportsBody / hasReadableBody named bools.

2. Fix a directory-boundary bug (folded-in follow-up): the Vite static-file path check used resolvedPhysical.StartsWith(resolvedWebRoot), which a sibling like wwwroot-secret would pass. Append a trailing separator (via Path.EndsInDirectorySeparator) so the check respects the directory boundary.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 11.53846% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.49%. Comparing base (1a0996e) to head (933006c).

Files with missing lines	Patch %	Lines
web/Areas/CMS/Data/CMS.cs	0.00%	16 Missing ⚠️
web/ViteProxyHelpers.cs	30.00%	4 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #227      +/-   ##
==========================================
- Coverage   44.51%   44.49%   -0.02%     
==========================================
  Files         895      895              
  Lines       51760    51778      +18     
  Branches     4827     4834       +7     
==========================================
  Hits        23041    23041              
- Misses      28149    28165      +16     
- Partials      570      572       +2     

Flag	Coverage Δ
backend	44.65% <11.53%> (-0.02%)	⬇️
frontend	41.32% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

[codecov-commenter]

Bundle Report

Bundle size has no change ✅

[Copilot]

Pull request overview

Refactors several complex boolean conditions into named sub-conditions / guard clauses to address CodeQL cs/complex-condition findings while keeping behavior the same.

Changes:

• CMS.CheckFilePermission: adds an early-return for public files and extracts permission checks into named booleans.
• ScheduleEditService: deduplicates duplicate/constraint message checks via a helper method.
• ViteProxyHelpers.CreateProxyRequest: extracts named booleans for “method supports body” and “has readable body”.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
web/ViteProxyHelpers.cs	Simplifies proxy request body-copy condition via named booleans.
web/Areas/CMS/Data/CMS.cs	Refactors CMS file permission logic into guard clause + named condition variables.
web/Areas/ClinicalScheduler/Services/ScheduleEditService.cs	Extracts DB constraint/duplicate detection into a helper for reuse.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[rlorenzo]

@coderabbitai full review

[coderabbitai]

✅ Action performed

Full review finished.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR refactors CMS file-permission evaluation into ordered early returns and updates Vite proxy helpers to gate request-body copying and tighten static-file fallback path containment checks.

Changes

CMS file permission evaluation

Layer / File(s)	Summary
Permission checks web/Areas/CMS/Data/CMS.cs	CheckFilePermission now evaluates public access, empty-permission secure access, explicit permission matches, and explicit people matches through ordered early returns after building a case-insensitive user-permission set once.

Vite proxy request and fallback handling

Layer / File(s)	Summary
Request body gating web/ViteProxyHelpers.cs	CreateProxyRequest now uses case-insensitive GET/HEAD checks and a separate readable-body test before copying request content.
Fallback path boundary web/ViteProxyHelpers.cs	HandleProxyError now appends a directory separator to resolvedWebRoot before the containment check against the resolved file path.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• ucdavis/VIPER#190: Also changes web/ViteProxyHelpers.cs static-file fallback path handling and traversal-related path construction.

Suggested reviewers

• bsedwards

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the refactor and Vite web-root hardening in the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The description matches the PR changes, covering the permission refactor, request body logic cleanup, and the directory-boundary fix.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/codeql-complex-condition

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}