feat(tier2): multi-host / collaborators — Block C

Events can now have multiple users with distinct roles: owner — manage collaborators, delete event, full access editor — manage guests, tokens, CSV import, patch event viewer — read-only access to everything Schema (migration 0008) - collaborator_role ENUM + event_collaborators + collaborator_invites - Backfill: every existing events.host_id becomes an owner row - EventRepo.Create seeds the owner row in the same transaction so no future event can exist without one Authz - New requireRole(eventID, userID, minRole) helper. Non-members 404; insufficient role 403. Replaces requireEventOwner across every shared-role handler (events.get/update, guests CRUD, tokens issue/ rotate/bulk, csv preview/commit/template, activity, ws-ticket) - events.delete + collaborator management stay owner-only - GET /events lists every event the user has any role on - /events/{id} response now embeds your_role for UI branching Collaborator endpoints - GET /events/{id}/collaborators (viewer+) - POST /events/{id}/collaborators (owner) — sends invite email - PATCH /events/{id}/collaborators/{user_id} (owner) — role change - DELETE /events/{id}/collaborators/{user_id} (owner) — refuses last owner - DELETE /events/{id}/collaborators/pending (owner) — cancel invite - GET /invites/{token} (public) — preview summary - POST /invites/{token}/accept (authed) — atomic accept Invitations - SHA-256 hashed in DB; raw value only lives in the email link - 7-day TTL, single-use, email-bound (caller's email must match) - New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES senders + log stub; collaborator_invite.html/txt branded template Frontend - TeamCard.vue on the event detail page: lists collaborators with inline role-change + remove, pending-invites with cancel, invite modal (email + role). Owner-only actions hidden for editors/viewers - /invites/[token] accept page: shows invite summary, prompts signup or sign-in with pre-filled email, refuses mismatched accounts Tests (all 6 pass on the existing testcontainers harness) - backfill: legacy host gets owner role - role enforcement: viewer can read, editor can write guests but not delete/manage team, non-member 404s everywhere - last-owner removal refused (400) - shared events show up in collaborator's /events list - invite flow: create → preview → accept → role granted → replay 410 - email mismatch on accept returns 403 - expired invite returns 410 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 22:14:50 +01:00
parent 6803d700b4
commit 3973e4058d
28 changed files with 2108 additions and 32 deletions
@@ -0,0 +1,7 @@
+DROP INDEX IF EXISTS idx_collab_invites_event;
+DROP TABLE IF EXISTS collaborator_invites;
+
+DROP INDEX IF EXISTS idx_collaborators_user;
+DROP TABLE IF EXISTS event_collaborators;
+
+DROP TYPE IF EXISTS collaborator_role;
@@ -0,0 +1,65 @@
+-- Tier 2 Block C — multi-host / collaborators.
+--
+-- An event can now have multiple users with one of three roles:
+--   owner   — full access incl. delete + manage collaborators
+--   editor  — guests/tokens/branding/messages/analytics
+--   viewer  — read-only
+--
+-- The existing events.host_id stays as a denormalised "primary owner"
+-- pointer (cheap join key, useful for the existing GET /events query). The
+-- source of truth for authz is event_collaborators — every handler resolves
+-- the caller's role through it.
+--
+-- Schema #0005 in TIER2_PLAN.md; landing at 0008 because earlier slots are
+-- taken by Tier 1 work.
+
+DO $$ BEGIN
+    CREATE TYPE collaborator_role AS ENUM ('owner', 'editor', 'viewer');
+EXCEPTION WHEN duplicate_object THEN NULL; END $$;
+
+CREATE TABLE IF NOT EXISTS event_collaborators (
+    event_id     UUID NOT NULL REFERENCES events(id) ON DELETE CASCADE,
+    user_id      UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    role         collaborator_role NOT NULL,
+    invited_by   UUID REFERENCES users(id) ON DELETE SET NULL,
+    invited_at   TIMESTAMPTZ NOT NULL DEFAULT now(),
+    accepted_at  TIMESTAMPTZ,
+    PRIMARY KEY (event_id, user_id)
+);
+
+-- Fast lookup of "what events does this user have any role on" — used by
+-- the dashboard list and the role-resolution middleware.
+CREATE INDEX IF NOT EXISTS idx_collaborators_user
+    ON event_collaborators(user_id);
+
+-- Pending invitations. The invitee may not have a GuestGuard account yet;
+-- the accept flow creates one (or links to an existing one by email) and
+-- promotes the row into event_collaborators.
+--
+-- token_hash is sha256(raw); the raw token only ever lives in the email
+-- link, never in the DB. consumed_at is set on successful accept so re-
+-- using the link returns 410 Gone instead of silently re-adding the user.
+CREATE TABLE IF NOT EXISTS collaborator_invites (
+    token_hash   TEXT PRIMARY KEY,
+    event_id     UUID NOT NULL REFERENCES events(id) ON DELETE CASCADE,
+    email        TEXT NOT NULL,
+    role         collaborator_role NOT NULL,
+    invited_by   UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    expires_at   TIMESTAMPTZ NOT NULL,
+    consumed_at  TIMESTAMPTZ,
+    created_at   TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+-- Find pending invites for an event quickly (the "Team" tab lists them).
+-- Partial index keeps the working set small even on a busy event.
+CREATE INDEX IF NOT EXISTS idx_collab_invites_event
+    ON collaborator_invites(event_id)
+    WHERE consumed_at IS NULL;
+
+-- Backfill: every existing event's host becomes its owner. Idempotent so
+-- re-running this migration after a partial failure (or against a freshly
+-- restored backup that already has rows) does the right thing.
+INSERT INTO event_collaborators (event_id, user_id, role, accepted_at, invited_at)
+SELECT id, host_id, 'owner', created_at, created_at
+FROM events
+ON CONFLICT (event_id, user_id) DO NOTHING;