guestguard

alchemistkay/guestguard

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kwaku Danso	3973e4058d	feat(tier2): multi-host / collaborators — Block C Events can now have multiple users with distinct roles: owner — manage collaborators, delete event, full access editor — manage guests, tokens, CSV import, patch event viewer — read-only access to everything Schema (migration 0008) - collaborator_role ENUM + event_collaborators + collaborator_invites - Backfill: every existing events.host_id becomes an owner row - EventRepo.Create seeds the owner row in the same transaction so no future event can exist without one Authz - New requireRole(eventID, userID, minRole) helper. Non-members 404; insufficient role 403. Replaces requireEventOwner across every shared-role handler (events.get/update, guests CRUD, tokens issue/ rotate/bulk, csv preview/commit/template, activity, ws-ticket) - events.delete + collaborator management stay owner-only - GET /events lists every event the user has any role on - /events/{id} response now embeds your_role for UI branching Collaborator endpoints - GET /events/{id}/collaborators (viewer+) - POST /events/{id}/collaborators (owner) — sends invite email - PATCH /events/{id}/collaborators/{user_id} (owner) — role change - DELETE /events/{id}/collaborators/{user_id} (owner) — refuses last owner - DELETE /events/{id}/collaborators/pending (owner) — cancel invite - GET /invites/{token} (public) — preview summary - POST /invites/{token}/accept (authed) — atomic accept Invitations - SHA-256 hashed in DB; raw value only lives in the email link - 7-day TTL, single-use, email-bound (caller's email must match) - New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES senders + log stub; collaborator_invite.html/txt branded template Frontend - TeamCard.vue on the event detail page: lists collaborators with inline role-change + remove, pending-invites with cancel, invite modal (email + role). Owner-only actions hidden for editors/viewers - /invites/[token] accept page: shows invite summary, prompts signup or sign-in with pre-filled email, refuses mismatched accounts Tests (all 6 pass on the existing testcontainers harness) - backfill: legacy host gets owner role - role enforcement: viewer can read, editor can write guests but not delete/manage team, non-member 404s everywhere - last-owner removal refused (400) - shared events show up in collaborator's /events list - invite flow: create → preview → accept → role granted → replay 410 - email mismatch on accept returns 403 - expired invite returns 410 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 22:14:50 +01:00

Author

SHA1

Message

Date

Kwaku Danso

3973e4058d

feat(tier2): multi-host / collaborators — Block C

Events can now have multiple users with distinct roles:
  owner   — manage collaborators, delete event, full access
  editor  — manage guests, tokens, CSV import, patch event
  viewer  — read-only access to everything

Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
  no future event can exist without one

Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
  insufficient role 403. Replaces requireEventOwner across every
  shared-role handler (events.get/update, guests CRUD, tokens issue/
  rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching

Collaborator endpoints
- GET    /events/{id}/collaborators           (viewer+)
- POST   /events/{id}/collaborators           (owner)  — sends invite email
- PATCH  /events/{id}/collaborators/{user_id} (owner)  — role change
- DELETE /events/{id}/collaborators/{user_id} (owner)  — refuses last owner
- DELETE /events/{id}/collaborators/pending   (owner)  — cancel invite
- GET    /invites/{token}                     (public) — preview summary
- POST   /invites/{token}/accept              (authed) — atomic accept

Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
  senders + log stub; collaborator_invite.html/txt branded template

Frontend
- TeamCard.vue on the event detail page: lists collaborators with
  inline role-change + remove, pending-invites with cancel, invite
  modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
  or sign-in with pre-filled email, refuses mismatched accounts

Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
  delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-17 22:14:50 +01:00

1 Commits