feat(tier2): multi-host / collaborators — Block C
Events can now have multiple users with distinct roles:
owner — manage collaborators, delete event, full access
editor — manage guests, tokens, CSV import, patch event
viewer — read-only access to everything
Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
no future event can exist without one
Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
insufficient role 403. Replaces requireEventOwner across every
shared-role handler (events.get/update, guests CRUD, tokens issue/
rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching
Collaborator endpoints
- GET /events/{id}/collaborators (viewer+)
- POST /events/{id}/collaborators (owner) — sends invite email
- PATCH /events/{id}/collaborators/{user_id} (owner) — role change
- DELETE /events/{id}/collaborators/{user_id} (owner) — refuses last owner
- DELETE /events/{id}/collaborators/pending (owner) — cancel invite
- GET /invites/{token} (public) — preview summary
- POST /invites/{token}/accept (authed) — atomic accept
Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
senders + log stub; collaborator_invite.html/txt branded template
Frontend
- TeamCard.vue on the event detail page: lists collaborators with
inline role-change + remove, pending-invites with cancel, invite
modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
or sign-in with pre-filled email, refuses mismatched accounts
Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kwaku Danso
@@ -25,6 +25,11 @@ func hostFromContext(w http.ResponseWriter, r *http.Request) (uuid.UUID, bool) {
|
||||
// On mismatch (or missing event) it returns 404 — never 403 — so a cross-
|
||||
// tenant probe cannot tell the difference between "event doesn't exist" and
|
||||
// "exists but belongs to someone else".
|
||||
//
|
||||
// Pre-Block-C this checked the events.host_id column directly. Block C
|
||||
// preserves the same semantics for the owner-only handlers (events.Update,
|
||||
// events.Delete, collaborator management) — but for shared-role endpoints,
|
||||
// callers should use requireRole instead.
|
||||
func requireEventOwner(
|
||||
w http.ResponseWriter,
|
||||
r *http.Request,
|
||||
@@ -42,3 +47,47 @@ func requireEventOwner(
|
||||
}
|
||||
return ev, true
|
||||
}
|
||||
|
||||
// requireRole is the Block C authz gate. It resolves the user's role on the
|
||||
// event and confirms it's at least `min`. Missing role → 404 (avoids leaking
|
||||
// existence to outsiders). Role-too-low → 403 (the user IS on the event,
|
||||
// just not privileged enough — that's safe to surface; the UI will hide the
|
||||
// action anyway).
|
||||
//
|
||||
// On success it returns the event and the user's role so the handler can
|
||||
// branch on owner-only behaviours without a second lookup.
|
||||
func requireRole(
|
||||
w http.ResponseWriter,
|
||||
r *http.Request,
|
||||
events *storage.EventRepo,
|
||||
collabs *storage.CollaboratorRepo,
|
||||
eventID, userID uuid.UUID,
|
||||
min domain.Role,
|
||||
) (*domain.Event, domain.Role, bool) {
|
||||
role, ok, err := collabs.RoleFor(r.Context(), eventID, userID)
|
||||
if err != nil {
|
||||
writeError(w, http.StatusInternalServerError, "failed to resolve role")
|
||||
return nil, "", false
|
||||
}
|
||||
if !ok {
|
||||
// Not a collaborator. Treat the same way the legacy host_id check
|
||||
// did: 404, no leak.
|
||||
writeError(w, http.StatusNotFound, "event not found")
|
||||
return nil, "", false
|
||||
}
|
||||
if !role.AtLeast(min) {
|
||||
writeError(w, http.StatusForbidden, "insufficient role for this action")
|
||||
return nil, "", false
|
||||
}
|
||||
ev, err := events.Get(r.Context(), eventID)
|
||||
if err != nil {
|
||||
if errors.Is(err, domain.ErrEventNotFound) {
|
||||
// Race: the event was deleted between the role lookup and now.
|
||||
writeError(w, http.StatusNotFound, "event not found")
|
||||
return nil, "", false
|
||||
}
|
||||
writeError(w, http.StatusInternalServerError, "failed to load event")
|
||||
return nil, "", false
|
||||
}
|
||||
return ev, role, true
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user