feat(tier2): multi-host / collaborators — Block C
Events can now have multiple users with distinct roles:
owner — manage collaborators, delete event, full access
editor — manage guests, tokens, CSV import, patch event
viewer — read-only access to everything
Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
no future event can exist without one
Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
insufficient role 403. Replaces requireEventOwner across every
shared-role handler (events.get/update, guests CRUD, tokens issue/
rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching
Collaborator endpoints
- GET /events/{id}/collaborators (viewer+)
- POST /events/{id}/collaborators (owner) — sends invite email
- PATCH /events/{id}/collaborators/{user_id} (owner) — role change
- DELETE /events/{id}/collaborators/{user_id} (owner) — refuses last owner
- DELETE /events/{id}/collaborators/pending (owner) — cancel invite
- GET /invites/{token} (public) — preview summary
- POST /invites/{token}/accept (authed) — atomic accept
Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
senders + log stub; collaborator_invite.html/txt branded template
Frontend
- TeamCard.vue on the event detail page: lists collaborators with
inline role-change + remove, pending-invites with cancel, invite
modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
or sign-in with pre-filled email, refuses mismatched accounts
Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kwaku Danso
+12
-3
@@ -5,12 +5,14 @@ import (
|
||||
"log/slog"
|
||||
)
|
||||
|
||||
// EmailSender delivers transactional auth emails (verification, reset).
|
||||
// Block A ships LogSender so dev environments work without Twilio/SES.
|
||||
// Block D replaces this with a real SES-backed sender.
|
||||
// EmailSender delivers transactional auth emails (verification, reset,
|
||||
// collaborator-invite). Block A ships LogSender so dev environments work
|
||||
// without Twilio/SES. Tier 1 Block D replaced this with a real SES-backed
|
||||
// sender; Tier 2 Block C added the collaborator-invite method.
|
||||
type EmailSender interface {
|
||||
SendVerification(ctx context.Context, to, name, link string) error
|
||||
SendPasswordReset(ctx context.Context, to, name, link string) error
|
||||
SendCollaboratorInvite(ctx context.Context, to, inviterName, eventName, role, link string) error
|
||||
}
|
||||
|
||||
type LogEmailSender struct {
|
||||
@@ -30,3 +32,10 @@ func (l LogEmailSender) SendPasswordReset(_ context.Context, to, name, link stri
|
||||
)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (l LogEmailSender) SendCollaboratorInvite(_ context.Context, to, inviterName, eventName, role, link string) error {
|
||||
l.Logger.Info("auth email (stub): collaborator invite",
|
||||
"to", to, "inviter", inviterName, "event", eventName, "role", role, "link", link,
|
||||
)
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user