Phase 3: Roles & permissions enforcement with guards, member management, and admin panel
Centralize permission checks into guards.ts (requireAuth, requireBoardView, requireBoardEditor, requireBoardOwner, requireColumnEditor, requireCardEditor, requireBoardMemberManager, requireTenantAdmin) that fetch entities and check permissions in a single call, replacing ~100 lines of duplicated inline checks across all API routes. Adds board member management (add by email, change role, remove with last-owner protection), tenant admin panel (user role toggle with last-admin protection, board overview), and fixes missing view guard on card GET. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -2,6 +2,7 @@ import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { boardSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireBoardView, requireBoardEditor, requireBoardOwner } from '$lib/server/guards.js';
|
||||
|
||||
// Get single board with all columns and cards
|
||||
export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
@@ -9,43 +10,9 @@ export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const board = await withTenant(tenant.id, async (tx) => {
|
||||
return tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: {
|
||||
columns: {
|
||||
orderBy: { position: 'asc' },
|
||||
include: {
|
||||
cards: {
|
||||
where: { archived: false },
|
||||
orderBy: { position: 'asc' },
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
members: {
|
||||
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
|
||||
}
|
||||
}
|
||||
});
|
||||
return requireBoardView(tx, locals.user, params.boardId, tenant.id);
|
||||
});
|
||||
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
// Check access
|
||||
if (board.visibility === 'PRIVATE') {
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
const isMember = board.members.some((m) => m.userId === locals.user!.id);
|
||||
const isAdmin =
|
||||
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (!isMember && !isAdmin) throw error(403, 'Access denied');
|
||||
}
|
||||
|
||||
return json({ board });
|
||||
};
|
||||
|
||||
@@ -53,7 +20,6 @@ export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const body = await request.json();
|
||||
const result = boardSchema.partial().safeParse(body);
|
||||
@@ -62,17 +28,7 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
}
|
||||
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
const board = await tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin =
|
||||
locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit boards');
|
||||
await requireBoardEditor(tx, locals.user, params.boardId, tenant.id);
|
||||
|
||||
return tx.board.update({
|
||||
where: { id: params.boardId },
|
||||
@@ -87,20 +43,9 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
const board = await tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin =
|
||||
locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (member?.role !== 'OWNER' && !isAdmin) throw error(403, 'Only owners can delete boards');
|
||||
|
||||
await requireBoardOwner(tx, locals.user, params.boardId, tenant.id);
|
||||
await tx.board.delete({ where: { id: params.boardId } });
|
||||
});
|
||||
|
||||
|
||||
@@ -3,12 +3,12 @@ import type { RequestHandler } from './$types.js';
|
||||
import { columnSchema } from '$lib/server/validation.js';
|
||||
import { generatePosition } from '$lib/utils/fractional-index.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireBoardEditor } from '$lib/server/guards.js';
|
||||
|
||||
// Create column
|
||||
export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const body = await request.json();
|
||||
const result = columnSchema.safeParse(body);
|
||||
@@ -17,16 +17,7 @@ export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
}
|
||||
|
||||
const column = await withTenant(tenant.id, async (tx) => {
|
||||
const board = await tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add columns');
|
||||
await requireBoardEditor(tx, locals.user, params.boardId, tenant.id);
|
||||
|
||||
// Get the last column position
|
||||
const lastColumn = await tx.column.findFirst({
|
||||
|
||||
@@ -2,26 +2,17 @@ import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { columnSchema, moveColumnSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireColumnEditor } from '$lib/server/guards.js';
|
||||
|
||||
// Update column title
|
||||
// Update column title or position
|
||||
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const body = await request.json();
|
||||
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
const column = await tx.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit columns');
|
||||
await requireColumnEditor(tx, locals.user, params.columnId, params.boardId, tenant.id);
|
||||
|
||||
// Allow both title update and position update
|
||||
if (body.position !== undefined) {
|
||||
@@ -53,20 +44,9 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
const column = await tx.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (member?.role === 'VIEWER' && !isAdmin) throw error(403, 'Viewers cannot delete columns');
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
|
||||
await requireColumnEditor(tx, locals.user, params.columnId, params.boardId, tenant.id);
|
||||
await tx.column.delete({ where: { id: params.columnId } });
|
||||
});
|
||||
|
||||
|
||||
@@ -3,12 +3,12 @@ import type { RequestHandler } from './$types.js';
|
||||
import { cardSchema } from '$lib/server/validation.js';
|
||||
import { generatePosition } from '$lib/utils/fractional-index.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireColumnEditor } from '$lib/server/guards.js';
|
||||
|
||||
// Create card in column
|
||||
export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const body = await request.json();
|
||||
const result = cardSchema.safeParse(body);
|
||||
@@ -17,16 +17,7 @@ export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
}
|
||||
|
||||
const card = await withTenant(tenant.id, async (tx) => {
|
||||
const column = await tx.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add cards');
|
||||
await requireColumnEditor(tx, locals.user, params.columnId, params.boardId, tenant.id);
|
||||
|
||||
// Get the last card position in this column
|
||||
const lastCard = await tx.card.findFirst({
|
||||
|
||||
@@ -2,6 +2,8 @@ import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { cardSchema, moveCardSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireBoardView, requireCardEditor } from '$lib/server/guards.js';
|
||||
import { canViewBoard } from '$lib/server/permissions.js';
|
||||
|
||||
// Get single card with full details
|
||||
export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
@@ -9,7 +11,8 @@ export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const card = await withTenant(tenant.id, async (tx) => {
|
||||
return tx.card.findFirst({
|
||||
// Fetch the card with board membership info for access check
|
||||
const result = await tx.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } }
|
||||
@@ -28,12 +31,29 @@ export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
attachments: { orderBy: { createdAt: 'desc' } },
|
||||
column: { select: { id: true, title: true } }
|
||||
column: {
|
||||
select: {
|
||||
id: true,
|
||||
title: true,
|
||||
board: {
|
||||
select: { visibility: true, members: true }
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
});
|
||||
if (!result) throw error(404, 'Card not found');
|
||||
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
// Check view permission on the board
|
||||
if (!canViewBoard(locals.user, result.column.board.visibility, result.column.board.members)) {
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
throw error(403, 'Access denied');
|
||||
}
|
||||
|
||||
// Strip nested board data from response
|
||||
const { board: _, ...columnData } = result.column;
|
||||
return { ...result, column: columnData };
|
||||
});
|
||||
|
||||
return json({ card });
|
||||
};
|
||||
@@ -42,24 +62,11 @@ export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const body = await request.json();
|
||||
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
const card = await tx.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
include: { column: { include: { board: { include: { members: true } } } } }
|
||||
});
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
|
||||
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit cards');
|
||||
await requireCardEditor(tx, locals.user, params.cardId, params.boardId, tenant.id);
|
||||
|
||||
// Handle move (column change + position)
|
||||
if (body.columnId !== undefined || body.position !== undefined) {
|
||||
@@ -110,23 +117,9 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
const card = await tx.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
include: { column: { include: { board: { include: { members: true } } } } }
|
||||
});
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
|
||||
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot delete cards');
|
||||
|
||||
await requireCardEditor(tx, locals.user, params.cardId, params.boardId, tenant.id);
|
||||
await tx.card.delete({ where: { id: params.cardId } });
|
||||
});
|
||||
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { addMemberSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireBoardMemberManager } from '$lib/server/guards.js';
|
||||
|
||||
// Add member by email
|
||||
export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const body = await request.json();
|
||||
const result = addMemberSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
|
||||
const { email, role } = result.data;
|
||||
|
||||
const member = await withTenant(tenant.id, async (tx) => {
|
||||
await requireBoardMemberManager(tx, locals.user, params.boardId, tenant.id);
|
||||
|
||||
// Find user by email within this tenant
|
||||
const targetUser = await tx.user.findFirst({
|
||||
where: { email, tenantId: tenant.id }
|
||||
});
|
||||
if (!targetUser) throw error(404, 'No user found with that email in this workspace');
|
||||
|
||||
// Check if already a member
|
||||
const existing = await tx.boardMember.findFirst({
|
||||
where: { boardId: params.boardId, userId: targetUser.id }
|
||||
});
|
||||
if (existing) throw error(409, 'User is already a member of this board');
|
||||
|
||||
return tx.boardMember.create({
|
||||
data: {
|
||||
boardId: params.boardId,
|
||||
userId: targetUser.id,
|
||||
role
|
||||
},
|
||||
include: {
|
||||
user: { select: { id: true, name: true, email: true, avatarUrl: true } }
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
return json({ member }, { status: 201 });
|
||||
};
|
||||
@@ -0,0 +1,71 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { changeMemberRoleSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireBoardMemberManager } from '$lib/server/guards.js';
|
||||
|
||||
// Change member role
|
||||
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const body = await request.json();
|
||||
const result = changeMemberRoleSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
await requireBoardMemberManager(tx, locals.user, params.boardId, tenant.id);
|
||||
|
||||
const member = await tx.boardMember.findFirst({
|
||||
where: { id: params.memberId, boardId: params.boardId }
|
||||
});
|
||||
if (!member) throw error(404, 'Member not found');
|
||||
|
||||
// Prevent demoting the last owner
|
||||
if (member.role === 'OWNER' && result.data.role !== 'OWNER') {
|
||||
const ownerCount = await tx.boardMember.count({
|
||||
where: { boardId: params.boardId, role: 'OWNER' }
|
||||
});
|
||||
if (ownerCount <= 1) throw error(400, 'Cannot demote the last owner');
|
||||
}
|
||||
|
||||
return tx.boardMember.update({
|
||||
where: { id: params.memberId },
|
||||
data: { role: result.data.role },
|
||||
include: {
|
||||
user: { select: { id: true, name: true, email: true, avatarUrl: true } }
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
return json({ member: updated });
|
||||
};
|
||||
|
||||
// Remove member
|
||||
export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
await requireBoardMemberManager(tx, locals.user, params.boardId, tenant.id);
|
||||
|
||||
const member = await tx.boardMember.findFirst({
|
||||
where: { id: params.memberId, boardId: params.boardId }
|
||||
});
|
||||
if (!member) throw error(404, 'Member not found');
|
||||
|
||||
// Prevent removing the last owner
|
||||
if (member.role === 'OWNER') {
|
||||
const ownerCount = await tx.boardMember.count({
|
||||
where: { boardId: params.boardId, role: 'OWNER' }
|
||||
});
|
||||
if (ownerCount <= 1) throw error(400, 'Cannot remove the last owner');
|
||||
}
|
||||
|
||||
await tx.boardMember.delete({ where: { id: params.memberId } });
|
||||
});
|
||||
|
||||
return json({ ok: true });
|
||||
};
|
||||
Reference in New Issue
Block a user