Phase 3: Roles & permissions enforcement with guards, member management, and admin panel
Centralize permission checks into guards.ts (requireAuth, requireBoardView, requireBoardEditor, requireBoardOwner, requireColumnEditor, requireCardEditor, requireBoardMemberManager, requireTenantAdmin) that fetch entities and check permissions in a single call, replacing ~100 lines of duplicated inline checks across all API routes. Adds board member management (add by email, change role, remove with last-owner protection), tenant admin panel (user role toggle with last-admin protection, board overview), and fixes missing view guard on card GET. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,71 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { changeMemberRoleSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
import { requireBoardMemberManager } from '$lib/server/guards.js';
|
||||
|
||||
// Change member role
|
||||
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const body = await request.json();
|
||||
const result = changeMemberRoleSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
await requireBoardMemberManager(tx, locals.user, params.boardId, tenant.id);
|
||||
|
||||
const member = await tx.boardMember.findFirst({
|
||||
where: { id: params.memberId, boardId: params.boardId }
|
||||
});
|
||||
if (!member) throw error(404, 'Member not found');
|
||||
|
||||
// Prevent demoting the last owner
|
||||
if (member.role === 'OWNER' && result.data.role !== 'OWNER') {
|
||||
const ownerCount = await tx.boardMember.count({
|
||||
where: { boardId: params.boardId, role: 'OWNER' }
|
||||
});
|
||||
if (ownerCount <= 1) throw error(400, 'Cannot demote the last owner');
|
||||
}
|
||||
|
||||
return tx.boardMember.update({
|
||||
where: { id: params.memberId },
|
||||
data: { role: result.data.role },
|
||||
include: {
|
||||
user: { select: { id: true, name: true, email: true, avatarUrl: true } }
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
return json({ member: updated });
|
||||
};
|
||||
|
||||
// Remove member
|
||||
export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
await requireBoardMemberManager(tx, locals.user, params.boardId, tenant.id);
|
||||
|
||||
const member = await tx.boardMember.findFirst({
|
||||
where: { id: params.memberId, boardId: params.boardId }
|
||||
});
|
||||
if (!member) throw error(404, 'Member not found');
|
||||
|
||||
// Prevent removing the last owner
|
||||
if (member.role === 'OWNER') {
|
||||
const ownerCount = await tx.boardMember.count({
|
||||
where: { boardId: params.boardId, role: 'OWNER' }
|
||||
});
|
||||
if (ownerCount <= 1) throw error(400, 'Cannot remove the last owner');
|
||||
}
|
||||
|
||||
await tx.boardMember.delete({ where: { id: params.memberId } });
|
||||
});
|
||||
|
||||
return json({ ok: true });
|
||||
};
|
||||
Reference in New Issue
Block a user