Private
Public Access
1
0

Phase 3: Roles & permissions enforcement with guards, member management, and admin panel

Centralize permission checks into guards.ts (requireAuth, requireBoardView,
requireBoardEditor, requireBoardOwner, requireColumnEditor, requireCardEditor,
requireBoardMemberManager, requireTenantAdmin) that fetch entities and check
permissions in a single call, replacing ~100 lines of duplicated inline checks
across all API routes. Adds board member management (add by email, change role,
remove with last-owner protection), tenant admin panel (user role toggle with
last-admin protection, board overview), and fixes missing view guard on card GET.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-02-25 23:13:29 -05:00
parent bd12160ebb
commit 9b5708af64
18 changed files with 747 additions and 182 deletions
@@ -2,26 +2,17 @@ import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { columnSchema, moveColumnSchema } from '$lib/server/validation.js';
import { withTenant } from '$lib/server/rls.js';
import { requireColumnEditor } from '$lib/server/guards.js';
// Update column title
// Update column title or position
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const body = await request.json();
const updated = await withTenant(tenant.id, async (tx) => {
const column = await tx.column.findFirst({
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
include: { board: { include: { members: true } } }
});
if (!column) throw error(404, 'Column not found');
const member = column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit columns');
await requireColumnEditor(tx, locals.user, params.columnId, params.boardId, tenant.id);
// Allow both title update and position update
if (body.position !== undefined) {
@@ -53,20 +44,9 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
export const DELETE: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
await withTenant(tenant.id, async (tx) => {
const column = await tx.column.findFirst({
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
include: { board: { include: { members: true } } }
});
if (!column) throw error(404, 'Column not found');
const member = column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
if (member?.role === 'VIEWER' && !isAdmin) throw error(403, 'Viewers cannot delete columns');
if (!member && !isAdmin) throw error(403, 'Access denied');
await requireColumnEditor(tx, locals.user, params.columnId, params.boardId, tenant.id);
await tx.column.delete({ where: { id: params.columnId } });
});
@@ -3,12 +3,12 @@ import type { RequestHandler } from './$types.js';
import { cardSchema } from '$lib/server/validation.js';
import { generatePosition } from '$lib/utils/fractional-index.js';
import { withTenant } from '$lib/server/rls.js';
import { requireColumnEditor } from '$lib/server/guards.js';
// Create card in column
export const POST: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const body = await request.json();
const result = cardSchema.safeParse(body);
@@ -17,16 +17,7 @@ export const POST: RequestHandler = async ({ params, request, locals }) => {
}
const card = await withTenant(tenant.id, async (tx) => {
const column = await tx.column.findFirst({
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
include: { board: { include: { members: true } } }
});
if (!column) throw error(404, 'Column not found');
const member = column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add cards');
await requireColumnEditor(tx, locals.user, params.columnId, params.boardId, tenant.id);
// Get the last card position in this column
const lastCard = await tx.card.findFirst({
@@ -2,6 +2,8 @@ import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { cardSchema, moveCardSchema } from '$lib/server/validation.js';
import { withTenant } from '$lib/server/rls.js';
import { requireBoardView, requireCardEditor } from '$lib/server/guards.js';
import { canViewBoard } from '$lib/server/permissions.js';
// Get single card with full details
export const GET: RequestHandler = async ({ params, locals }) => {
@@ -9,7 +11,8 @@ export const GET: RequestHandler = async ({ params, locals }) => {
if (!tenant) throw error(400, 'Unknown tenant');
const card = await withTenant(tenant.id, async (tx) => {
return tx.card.findFirst({
// Fetch the card with board membership info for access check
const result = await tx.card.findFirst({
where: {
id: params.cardId,
column: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } }
@@ -28,12 +31,29 @@ export const GET: RequestHandler = async ({ params, locals }) => {
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
attachments: { orderBy: { createdAt: 'desc' } },
column: { select: { id: true, title: true } }
column: {
select: {
id: true,
title: true,
board: {
select: { visibility: true, members: true }
}
}
}
}
});
});
if (!result) throw error(404, 'Card not found');
if (!card) throw error(404, 'Card not found');
// Check view permission on the board
if (!canViewBoard(locals.user, result.column.board.visibility, result.column.board.members)) {
if (!locals.user) throw error(401, 'Not authenticated');
throw error(403, 'Access denied');
}
// Strip nested board data from response
const { board: _, ...columnData } = result.column;
return { ...result, column: columnData };
});
return json({ card });
};
@@ -42,24 +62,11 @@ export const GET: RequestHandler = async ({ params, locals }) => {
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const body = await request.json();
const updated = await withTenant(tenant.id, async (tx) => {
const card = await tx.card.findFirst({
where: {
id: params.cardId,
column: { board: { id: params.boardId, tenantId: tenant.id } }
},
include: { column: { include: { board: { include: { members: true } } } } }
});
if (!card) throw error(404, 'Card not found');
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit cards');
await requireCardEditor(tx, locals.user, params.cardId, params.boardId, tenant.id);
// Handle move (column change + position)
if (body.columnId !== undefined || body.position !== undefined) {
@@ -110,23 +117,9 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
export const DELETE: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
await withTenant(tenant.id, async (tx) => {
const card = await tx.card.findFirst({
where: {
id: params.cardId,
column: { board: { id: params.boardId, tenantId: tenant.id } }
},
include: { column: { include: { board: { include: { members: true } } } } }
});
if (!card) throw error(404, 'Card not found');
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot delete cards');
await requireCardEditor(tx, locals.user, params.cardId, params.boardId, tenant.id);
await tx.card.delete({ where: { id: params.cardId } });
});