Phase 2: Enforce Row-Level Security at the PostgreSQL level
- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized set_config() in interactive Prisma transactions (no SQL injection) - Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables - Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy - Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions - Wrap all API route and page loader queries in withTenant() - Wrap validateSession() in withBypassRLS() (joins RLS-protected users) - Keep existing tenantId where-clause filters as optimization layer - Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,36 +1,37 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { prisma } from '$lib/server/db.js';
|
||||
import { boardSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
|
||||
// List boards for current tenant
|
||||
export const GET: RequestHandler = async ({ locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const where: Record<string, unknown> = { tenantId: tenant.id, archived: false };
|
||||
const boards = await withTenant(tenant.id, async (tx) => {
|
||||
const where: Record<string, unknown> = { tenantId: tenant.id, archived: false };
|
||||
|
||||
// If not logged in, only show public boards
|
||||
if (!locals.user) {
|
||||
where.visibility = 'PUBLIC';
|
||||
} else {
|
||||
// Show boards user is a member of + public boards
|
||||
where.OR = [
|
||||
{ visibility: 'PUBLIC' },
|
||||
{ members: { some: { userId: locals.user.id } } }
|
||||
];
|
||||
delete where.visibility;
|
||||
}
|
||||
// If not logged in, only show public boards
|
||||
if (!locals.user) {
|
||||
where.visibility = 'PUBLIC';
|
||||
} else {
|
||||
// Show boards user is a member of + public boards
|
||||
where.OR = [
|
||||
{ visibility: 'PUBLIC' },
|
||||
{ members: { some: { userId: locals.user.id } } }
|
||||
];
|
||||
}
|
||||
|
||||
const boards = await prisma.board.findMany({
|
||||
where,
|
||||
include: {
|
||||
members: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
return tx.board.findMany({
|
||||
where,
|
||||
include: {
|
||||
members: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
_count: { select: { columns: true } }
|
||||
},
|
||||
_count: { select: { columns: true } }
|
||||
},
|
||||
orderBy: { updatedAt: 'desc' }
|
||||
orderBy: { updatedAt: 'desc' }
|
||||
});
|
||||
});
|
||||
|
||||
return json({ boards });
|
||||
@@ -50,24 +51,26 @@ export const POST: RequestHandler = async ({ request, locals }) => {
|
||||
|
||||
const { title, description, visibility } = result.data;
|
||||
|
||||
const board = await prisma.board.create({
|
||||
data: {
|
||||
tenantId: tenant.id,
|
||||
title,
|
||||
description,
|
||||
visibility,
|
||||
members: {
|
||||
create: {
|
||||
userId: locals.user.id,
|
||||
role: 'OWNER'
|
||||
const board = await withTenant(tenant.id, async (tx) => {
|
||||
return tx.board.create({
|
||||
data: {
|
||||
tenantId: tenant.id,
|
||||
title,
|
||||
description,
|
||||
visibility,
|
||||
members: {
|
||||
create: {
|
||||
userId: locals.user!.id,
|
||||
role: 'OWNER'
|
||||
}
|
||||
}
|
||||
},
|
||||
include: {
|
||||
members: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
}
|
||||
}
|
||||
},
|
||||
include: {
|
||||
members: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
}
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
return json({ board }, { status: 201 });
|
||||
|
||||
@@ -1,36 +1,38 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { prisma } from '$lib/server/db.js';
|
||||
import { boardSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
|
||||
// Get single board with all columns and cards
|
||||
export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const board = await prisma.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: {
|
||||
columns: {
|
||||
orderBy: { position: 'asc' },
|
||||
include: {
|
||||
cards: {
|
||||
where: { archived: false },
|
||||
orderBy: { position: 'asc' },
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
const board = await withTenant(tenant.id, async (tx) => {
|
||||
return tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: {
|
||||
columns: {
|
||||
orderBy: { position: 'asc' },
|
||||
include: {
|
||||
cards: {
|
||||
where: { archived: false },
|
||||
orderBy: { position: 'asc' },
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
members: {
|
||||
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
|
||||
}
|
||||
},
|
||||
members: {
|
||||
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
|
||||
}
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
@@ -53,27 +55,29 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const board = await prisma.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin =
|
||||
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit boards');
|
||||
|
||||
const body = await request.json();
|
||||
const result = boardSchema.partial().safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
|
||||
const updated = await prisma.board.update({
|
||||
where: { id: params.boardId },
|
||||
data: result.data
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
const board = await tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin =
|
||||
locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit boards');
|
||||
|
||||
return tx.board.update({
|
||||
where: { id: params.boardId },
|
||||
data: result.data
|
||||
});
|
||||
});
|
||||
|
||||
return json({ board: updated });
|
||||
@@ -85,18 +89,20 @@ export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const board = await prisma.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
const board = await tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin =
|
||||
locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (member?.role !== 'OWNER' && !isAdmin) throw error(403, 'Only owners can delete boards');
|
||||
|
||||
await tx.board.delete({ where: { id: params.boardId } });
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin =
|
||||
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (member?.role !== 'OWNER' && !isAdmin) throw error(403, 'Only owners can delete boards');
|
||||
|
||||
await prisma.board.delete({ where: { id: params.boardId } });
|
||||
|
||||
return json({ ok: true });
|
||||
};
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { prisma } from '$lib/server/db.js';
|
||||
import { columnSchema } from '$lib/server/validation.js';
|
||||
import { generatePosition } from '$lib/utils/fractional-index.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
|
||||
// Create column
|
||||
export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
@@ -10,40 +10,42 @@ export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const board = await prisma.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add columns');
|
||||
|
||||
const body = await request.json();
|
||||
const result = columnSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
|
||||
// Get the last column position
|
||||
const lastColumn = await prisma.column.findFirst({
|
||||
where: { boardId: params.boardId },
|
||||
orderBy: { position: 'desc' }
|
||||
});
|
||||
const column = await withTenant(tenant.id, async (tx) => {
|
||||
const board = await tx.board.findFirst({
|
||||
where: { id: params.boardId, tenantId: tenant.id },
|
||||
include: { members: true }
|
||||
});
|
||||
if (!board) throw error(404, 'Board not found');
|
||||
|
||||
const position = generatePosition(lastColumn?.position, null);
|
||||
const member = board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add columns');
|
||||
|
||||
const column = await prisma.column.create({
|
||||
data: {
|
||||
boardId: params.boardId,
|
||||
title: result.data.title,
|
||||
position
|
||||
},
|
||||
include: {
|
||||
cards: true
|
||||
}
|
||||
// Get the last column position
|
||||
const lastColumn = await tx.column.findFirst({
|
||||
where: { boardId: params.boardId },
|
||||
orderBy: { position: 'desc' }
|
||||
});
|
||||
|
||||
const position = generatePosition(lastColumn?.position, null);
|
||||
|
||||
return tx.column.create({
|
||||
data: {
|
||||
boardId: params.boardId,
|
||||
title: result.data.title,
|
||||
position
|
||||
},
|
||||
include: {
|
||||
cards: true
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
return json({ column }, { status: 201 });
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { prisma } from '$lib/server/db.js';
|
||||
import { columnSchema, moveColumnSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
|
||||
// Update column title
|
||||
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
@@ -9,40 +9,41 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const column = await prisma.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit columns');
|
||||
|
||||
const body = await request.json();
|
||||
|
||||
// Allow both title update and position update
|
||||
if (body.position !== undefined) {
|
||||
const result = moveColumnSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
const updated = await prisma.column.update({
|
||||
where: { id: params.columnId },
|
||||
data: { position: result.data.position }
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
const column = await tx.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
return json({ column: updated });
|
||||
}
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const result = columnSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit columns');
|
||||
|
||||
const updated = await prisma.column.update({
|
||||
where: { id: params.columnId },
|
||||
data: { title: result.data.title }
|
||||
// Allow both title update and position update
|
||||
if (body.position !== undefined) {
|
||||
const result = moveColumnSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
throw error(400, result.error.issues[0].message);
|
||||
}
|
||||
return tx.column.update({
|
||||
where: { id: params.columnId },
|
||||
data: { position: result.data.position }
|
||||
});
|
||||
}
|
||||
|
||||
const result = columnSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
throw error(400, result.error.issues[0].message);
|
||||
}
|
||||
|
||||
return tx.column.update({
|
||||
where: { id: params.columnId },
|
||||
data: { title: result.data.title }
|
||||
});
|
||||
});
|
||||
|
||||
return json({ column: updated });
|
||||
@@ -54,18 +55,20 @@ export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const column = await prisma.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
const column = await tx.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (member?.role === 'VIEWER' && !isAdmin) throw error(403, 'Viewers cannot delete columns');
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
|
||||
await tx.column.delete({ where: { id: params.columnId } });
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (member?.role === 'VIEWER' && !isAdmin) throw error(403, 'Viewers cannot delete columns');
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
|
||||
await prisma.column.delete({ where: { id: params.columnId } });
|
||||
|
||||
return json({ ok: true });
|
||||
};
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { prisma } from '$lib/server/db.js';
|
||||
import { cardSchema } from '$lib/server/validation.js';
|
||||
import { generatePosition } from '$lib/utils/fractional-index.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
|
||||
// Create card in column
|
||||
export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
@@ -10,45 +10,47 @@ export const POST: RequestHandler = async ({ params, request, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const column = await prisma.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add cards');
|
||||
|
||||
const body = await request.json();
|
||||
const result = cardSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
|
||||
// Get the last card position in this column
|
||||
const lastCard = await prisma.card.findFirst({
|
||||
where: { columnId: params.columnId },
|
||||
orderBy: { position: 'desc' }
|
||||
});
|
||||
const card = await withTenant(tenant.id, async (tx) => {
|
||||
const column = await tx.column.findFirst({
|
||||
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
|
||||
include: { board: { include: { members: true } } }
|
||||
});
|
||||
if (!column) throw error(404, 'Column not found');
|
||||
|
||||
const position = generatePosition(lastCard?.position, null);
|
||||
const member = column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add cards');
|
||||
|
||||
const card = await prisma.card.create({
|
||||
data: {
|
||||
columnId: params.columnId,
|
||||
title: result.data.title,
|
||||
description: result.data.description,
|
||||
position
|
||||
},
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
// Get the last card position in this column
|
||||
const lastCard = await tx.card.findFirst({
|
||||
where: { columnId: params.columnId },
|
||||
orderBy: { position: 'desc' }
|
||||
});
|
||||
|
||||
const position = generatePosition(lastCard?.position, null);
|
||||
|
||||
return tx.card.create({
|
||||
data: {
|
||||
columnId: params.columnId,
|
||||
title: result.data.title,
|
||||
description: result.data.description,
|
||||
position
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
}
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
return json({ card }, { status: 201 });
|
||||
|
||||
@@ -1,34 +1,36 @@
|
||||
import { json, error } from '@sveltejs/kit';
|
||||
import type { RequestHandler } from './$types.js';
|
||||
import { prisma } from '$lib/server/db.js';
|
||||
import { cardSchema, moveCardSchema } from '$lib/server/validation.js';
|
||||
import { withTenant } from '$lib/server/rls.js';
|
||||
|
||||
// Get single card with full details
|
||||
export const GET: RequestHandler = async ({ params, locals }) => {
|
||||
const tenant = locals.tenant;
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
|
||||
const card = await prisma.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
|
||||
const card = await withTenant(tenant.id, async (tx) => {
|
||||
return tx.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
checklists: {
|
||||
orderBy: { position: 'asc' },
|
||||
include: { items: { orderBy: { position: 'asc' } } }
|
||||
},
|
||||
comments: {
|
||||
orderBy: { createdAt: 'desc' },
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
attachments: { orderBy: { createdAt: 'desc' } },
|
||||
column: { select: { id: true, title: true } }
|
||||
}
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
checklists: {
|
||||
orderBy: { position: 'asc' },
|
||||
include: { items: { orderBy: { position: 'asc' } } }
|
||||
},
|
||||
comments: {
|
||||
orderBy: { createdAt: 'desc' },
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
attachments: { orderBy: { createdAt: 'desc' } },
|
||||
column: { select: { id: true, title: true } }
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
@@ -42,31 +44,55 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const card = await prisma.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
include: { column: { include: { board: { include: { members: true } } } } }
|
||||
});
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
|
||||
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit cards');
|
||||
|
||||
const body = await request.json();
|
||||
|
||||
// Handle move (column change + position)
|
||||
if (body.columnId !== undefined || body.position !== undefined) {
|
||||
const data: Record<string, unknown> = {};
|
||||
if (body.columnId) data.columnId = body.columnId;
|
||||
if (body.position) data.position = body.position;
|
||||
const updated = await withTenant(tenant.id, async (tx) => {
|
||||
const card = await tx.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
include: { column: { include: { board: { include: { members: true } } } } }
|
||||
});
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
|
||||
const updated = await prisma.card.update({
|
||||
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit cards');
|
||||
|
||||
// Handle move (column change + position)
|
||||
if (body.columnId !== undefined || body.position !== undefined) {
|
||||
const data: Record<string, unknown> = {};
|
||||
if (body.columnId) data.columnId = body.columnId;
|
||||
if (body.position) data.position = body.position;
|
||||
|
||||
return tx.card.update({
|
||||
where: { id: params.cardId },
|
||||
data,
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// Handle content update
|
||||
const result = cardSchema.partial().safeParse(body);
|
||||
if (!result.success) {
|
||||
throw error(400, result.error.issues[0].message);
|
||||
}
|
||||
|
||||
const updateData: Record<string, unknown> = { ...result.data };
|
||||
if (body.dueDate !== undefined) updateData.dueDate = body.dueDate ? new Date(body.dueDate) : null;
|
||||
if (body.archived !== undefined) updateData.archived = body.archived;
|
||||
|
||||
return tx.card.update({
|
||||
where: { id: params.cardId },
|
||||
data,
|
||||
data: updateData,
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
@@ -75,29 +101,6 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
}
|
||||
});
|
||||
return json({ card: updated });
|
||||
}
|
||||
|
||||
// Handle content update
|
||||
const result = cardSchema.partial().safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
}
|
||||
|
||||
const updateData: Record<string, unknown> = { ...result.data };
|
||||
if (body.dueDate !== undefined) updateData.dueDate = body.dueDate ? new Date(body.dueDate) : null;
|
||||
if (body.archived !== undefined) updateData.archived = body.archived;
|
||||
|
||||
const updated = await prisma.card.update({
|
||||
where: { id: params.cardId },
|
||||
data: updateData,
|
||||
include: {
|
||||
assignees: {
|
||||
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
|
||||
},
|
||||
labels: { include: { tag: true } },
|
||||
_count: { select: { comments: true, checklists: true, attachments: true } }
|
||||
}
|
||||
});
|
||||
|
||||
return json({ card: updated });
|
||||
@@ -109,21 +112,23 @@ export const DELETE: RequestHandler = async ({ params, locals }) => {
|
||||
if (!tenant) throw error(400, 'Unknown tenant');
|
||||
if (!locals.user) throw error(401, 'Not authenticated');
|
||||
|
||||
const card = await prisma.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
include: { column: { include: { board: { include: { members: true } } } } }
|
||||
await withTenant(tenant.id, async (tx) => {
|
||||
const card = await tx.card.findFirst({
|
||||
where: {
|
||||
id: params.cardId,
|
||||
column: { board: { id: params.boardId, tenantId: tenant.id } }
|
||||
},
|
||||
include: { column: { include: { board: { include: { members: true } } } } }
|
||||
});
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
|
||||
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot delete cards');
|
||||
|
||||
await tx.card.delete({ where: { id: params.cardId } });
|
||||
});
|
||||
if (!card) throw error(404, 'Card not found');
|
||||
|
||||
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
|
||||
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
|
||||
if (!member && !isAdmin) throw error(403, 'Access denied');
|
||||
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot delete cards');
|
||||
|
||||
await prisma.card.delete({ where: { id: params.cardId } });
|
||||
|
||||
return json({ ok: true });
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user