
Fix admin viewer unable to see all organizations#22940

Merged
ryan-crabbe merged 1 commit intomainfrom
litellm_fix_admin_viewer_org_list
Mar 6, 2026

Conversation

@ryan-crabbe
Collaborator

Type

🐛 Bug Fix

Changes

The /organization/list endpoint only checked for PROXY_ADMIN role, causing PROXY_ADMIN_VIEW_ONLY users to fall into the else branch which restricts results to orgs the user is a member of. Use the existing _user_has_admin_view() helper to include both roles.

@vercel

vercel bot commented Mar 6, 2026


Project Deployment Actions Updated (UTC)
litellm Ready Ready Preview, Comment Mar 6, 2026 1:44am


@greptile-apps
Contributor

greptile-apps bot commented Mar 6, 2026

Greptile Summary

This PR fixes a bug where PROXY_ADMIN_VIEW_ONLY users were incorrectly restricted to seeing only their own organization memberships on the GET /organization/list endpoint. The single-line change replaces a direct PROXY_ADMIN role comparison with the existing _user_has_admin_view() helper, which correctly covers both PROXY_ADMIN and PROXY_ADMIN_VIEW_ONLY roles — consistent with how admin-view access is already guarded elsewhere in the codebase.

Fix is correct and minimal: swapping the hardcoded role check for the shared helper is the right approach and keeps the logic consistent with the rest of the management endpoints.

No tests included: the PR does not add any test to verify that a PROXY_ADMIN_VIEW_ONLY key now receives the full org list, leaving the fix unverified. Per project policy, bug-fix PRs should include evidence (tests) that the issue is resolved.

Confidence Score: 4/5

  • Safe to merge from a code perspective — the change uses an existing, vetted helper function. The primary concern is the absence of tests to verify the fix for the PROXY_ADMIN_VIEW_ONLY role.
  • The one-liner fix is correct and uses the established _user_has_admin_view() pattern already used elsewhere in the management layer. However, the PR violates project policy by not including test coverage for the bug fix. The code change itself is low-risk, but the missing verification is a concern.
  • litellm/proxy/management_endpoints/organization_endpoints.py — add test coverage to verify that PROXY_ADMIN_VIEW_ONLY users receive all organizations.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GET /organization/list] --> B{_user_has_admin_view?}
    B -- "PROXY_ADMIN or\nPROXY_ADMIN_VIEW_ONLY" --> C[find_many — all orgs\nwith optional filters]
    B -- "Other role" --> D[find_many — org memberships\nfor this user]
    D --> E{Any memberships?}
    E -- No --> F[Return empty list]
    E -- Yes --> G{org_id filter provided?}
    G -- "Yes, user is member" --> H[find_many filtered by org_id]
    G -- "Yes, user not member" --> F
    G -- No --> I[find_many filtered by membership IDs]
    C --> J[Return organizations]
    H --> J
    I --> J
```

Last reviewed commit: 8d539db

Comment on lines +652 to +653
# if proxy admin or admin viewer - get all orgs (with optional filters)
if _user_has_admin_view(user_api_key_dict):
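Review bot: the guard on line +653 now routes PROXY_ADMIN_VIEW_ONLY into the all-orgs branch, which is the intended fix, but the two visible lines show neither the import of `_user_has_admin_view` into organization_endpoints.py nor any test; confirm the helper is imported in this module and add a test asserting that a PROXY_ADMIN_VIEW_ONLY UserAPIKeyAuth receives every organization while a non-admin role still receives only its memberships.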

No test coverage for the fix

The PR claims to fix a bug for PROXY_ADMIN_VIEW_ONLY users, but no test is added to verify the behaviour. Per the project's review policy, a bug-fix PR should include evidence that the issue is resolved (e.g. a unit/integration test asserting that a PROXY_ADMIN_VIEW_ONLY key returns all organisations from this endpoint).

A minimal test could mock prisma_client and assert that calling list_organization with a PROXY_ADMIN_VIEW_ONLY UserAPIKeyAuth returns all organisations rather than only the user's memberships.

Context Used: Rule from dashboard - What: Ensure that any PR claiming to fix an issue includes evidence that the issue is resolved, such... (source)
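To make the regression and the suggested test concrete, here is an added, self-contained example that is not code from the litellm project. It models the pre-fix and post-fix branching of `/organization/list` on a small in-memory stand-in for `prisma_client`, with a minimal `UserAPIKeyAuth`, a `Role` enum whose string values are assumed, and a reimplemented `_user_has_admin_view` whose behaviour (admin and admin viewer both qualify) is taken from the PR description; the sample organizations and users are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


# Stand-in for litellm's LitellmUserRoles enum; only the roles this example needs
# are modelled and the string values are assumed, not copied from the project.
class Role(str, Enum):
    PROXY_ADMIN = "proxy_admin"
    PROXY_ADMIN_VIEW_ONLY = "proxy_admin_viewer"
    INTERNAL_USER = "internal_user"


@dataclass
class UserAPIKeyAuth:
    """Minimal stand-in for litellm's UserAPIKeyAuth (hypothetical shape)."""
    user_id: str
    user_role: Role


@dataclass
class Organization:
    organization_id: str
    member_ids: List[str] = field(default_factory=list)


class FakePrismaClient:
    """Constructed in-memory replacement for prisma_client; the real query API is not reproduced."""

    def __init__(self, orgs: List[Organization]):
        self._orgs = orgs

    def find_many_orgs(self, org_ids: Optional[List[str]] = None) -> List[Organization]:
        # org_ids=None means "no filter": return every organization.
        if org_ids is None:
            return list(self._orgs)
        return [o for o in self._orgs if o.organization_id in org_ids]

    def membership_org_ids(self, user_id: str) -> List[str]:
        return [o.organization_id for o in self._orgs if user_id in o.member_ids]


def _user_has_admin_view(auth: UserAPIKeyAuth) -> bool:
    """Assumed behaviour of the shared helper: admins and admin viewers both qualify."""
    return auth.user_role in (Role.PROXY_ADMIN, Role.PROXY_ADMIN_VIEW_ONLY)


def _member_orgs(auth, prisma, organization_id):
    """Non-admin branch, following the flowchart: memberships only, honouring an org_id filter."""
    member_ids = prisma.membership_org_ids(auth.user_id)
    if not member_ids:
        return []
    if organization_id is not None:
        return prisma.find_many_orgs([organization_id]) if organization_id in member_ids else []
    return prisma.find_many_orgs(member_ids)


def _admin_orgs(prisma, organization_id):
    """Admin-view branch: all organizations, with the optional org_id filter applied."""
    return prisma.find_many_orgs(None if organization_id is None else [organization_id])


def list_organization_before(auth, prisma, organization_id=None):
    # Pre-fix logic: only PROXY_ADMIN reaches the all-orgs branch, so an admin viewer
    # falls into the membership branch and sees nothing it is not a member of.
    if auth.user_role == Role.PROXY_ADMIN:
        return _admin_orgs(prisma, organization_id)
    return _member_orgs(auth, prisma, organization_id)


def list_organization_after(auth, prisma, organization_id=None):
    # Post-fix logic: the shared helper admits both admin roles.
    if _user_has_admin_view(auth):
        return _admin_orgs(prisma, organization_id)
    return _member_orgs(auth, prisma, organization_id)


def org_ids(orgs: List[Organization]) -> List[str]:
    return [o.organization_id for o in orgs]


# Constructed sample data: the viewer is a member of no organization.
SAMPLE_PRISMA = FakePrismaClient([
    Organization("org-a", member_ids=["alice"]),
    Organization("org-b", member_ids=["bob"]),
    Organization("org-c"),
])
VIEWER = UserAPIKeyAuth(user_id="viewer-1", user_role=Role.PROXY_ADMIN_VIEW_ONLY)
ALICE = UserAPIKeyAuth(user_id="alice", user_role=Role.INTERNAL_USER)


def demonstrate() -> dict:
    """Returns the org ids each code path yields, so the regression is visible as data."""
    return {
        "viewer_before": org_ids(list_organization_before(VIEWER, SAMPLE_PRISMA)),
        "viewer_after": org_ids(list_organization_after(VIEWER, SAMPLE_PRISMA)),
        "viewer_after_filtered": org_ids(list_organization_after(VIEWER, SAMPLE_PRISMA, "org-b")),
        "alice_after": org_ids(list_organization_after(ALICE, SAMPLE_PRISMA)),
        "alice_after_foreign_filter": org_ids(list_organization_after(ALICE, SAMPLE_PRISMA, "org-b")),
    }


if __name__ == "__main__":
    for name, ids in demonstrate().items():
        print(f"{name}: {ids}")
```

The `viewer_before` entry is the bug: an admin viewer with no memberships gets an empty list, while `viewer_after` returns every organization and the non-admin `alice` cases show the membership branch is unchanged by the fix. The same shape, with `prisma_client` mocked, is what the review asks for as a regression test.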

@ryan-crabbe ryan-crabbe merged commit bc23c08 into main Mar 6, 2026
30 of 40 checks passed
@ryan-crabbe ryan-crabbe deleted the litellm_fix_admin_viewer_org_list branch March 6, 2026 01:50