Kwaku Danso
3973e4058d
Events can now have multiple users with distinct roles:
owner — manage collaborators, delete event, full access
editor — manage guests, tokens, CSV import, patch event
viewer — read-only access to everything
Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
no future event can exist without one
Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
insufficient role 403. Replaces requireEventOwner across every
shared-role handler (events.get/update, guests CRUD, tokens issue/
rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching
Collaborator endpoints
- GET /events/{id}/collaborators (viewer+)
- POST /events/{id}/collaborators (owner) — sends invite email
- PATCH /events/{id}/collaborators/{user_id} (owner) — role change
- DELETE /events/{id}/collaborators/{user_id} (owner) — refuses last owner
- DELETE /events/{id}/collaborators/pending (owner) — cancel invite
- GET /invites/{token} (public) — preview summary
- POST /invites/{token}/accept (authed) — atomic accept
Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
senders + log stub; collaborator_invite.html/txt branded template
Frontend
- TeamCard.vue on the event detail page: lists collaborators with
inline role-change + remove, pending-invites with cancel, invite
modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
or sign-in with pre-filled email, refuses mismatched accounts
Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
94 lines
3.1 KiB
Go
94 lines
3.1 KiB
Go
package api
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
|
|
"github.com/google/uuid"
|
|
|
|
"github.com/alchemistkay/guestguard/internal/domain"
|
|
"github.com/alchemistkay/guestguard/internal/storage"
|
|
)
|
|
|
|
// hostFromContext returns the authed user's id, or writes 401 and returns
|
|
// false. Used by host-facing handlers as the first line in the function.
|
|
func hostFromContext(w http.ResponseWriter, r *http.Request) (uuid.UUID, bool) {
|
|
uid, ok := UserIDFromContext(r.Context())
|
|
if !ok {
|
|
writeError(w, http.StatusUnauthorized, "unauthenticated")
|
|
return uuid.Nil, false
|
|
}
|
|
return uid, true
|
|
}
|
|
|
|
// requireEventOwner fetches the event and confirms the authed user owns it.
|
|
// On mismatch (or missing event) it returns 404 — never 403 — so a cross-
|
|
// tenant probe cannot tell the difference between "event doesn't exist" and
|
|
// "exists but belongs to someone else".
|
|
//
|
|
// Pre-Block-C this checked the events.host_id column directly. Block C
|
|
// preserves the same semantics for the owner-only handlers (events.Update,
|
|
// events.Delete, collaborator management) — but for shared-role endpoints,
|
|
// callers should use requireRole instead.
|
|
func requireEventOwner(
|
|
w http.ResponseWriter,
|
|
r *http.Request,
|
|
events *storage.EventRepo,
|
|
eventID, hostID uuid.UUID,
|
|
) (*domain.Event, bool) {
|
|
ev, err := events.GetForHost(r.Context(), eventID, hostID)
|
|
if err != nil {
|
|
if errors.Is(err, domain.ErrEventNotFound) {
|
|
writeError(w, http.StatusNotFound, "event not found")
|
|
return nil, false
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "failed to load event")
|
|
return nil, false
|
|
}
|
|
return ev, true
|
|
}
|
|
|
|
// requireRole is the Block C authz gate. It resolves the user's role on the
|
|
// event and confirms it's at least `min`. Missing role → 404 (avoids leaking
|
|
// existence to outsiders). Role-too-low → 403 (the user IS on the event,
|
|
// just not privileged enough — that's safe to surface; the UI will hide the
|
|
// action anyway).
|
|
//
|
|
// On success it returns the event and the user's role so the handler can
|
|
// branch on owner-only behaviours without a second lookup.
|
|
func requireRole(
|
|
w http.ResponseWriter,
|
|
r *http.Request,
|
|
events *storage.EventRepo,
|
|
collabs *storage.CollaboratorRepo,
|
|
eventID, userID uuid.UUID,
|
|
min domain.Role,
|
|
) (*domain.Event, domain.Role, bool) {
|
|
role, ok, err := collabs.RoleFor(r.Context(), eventID, userID)
|
|
if err != nil {
|
|
writeError(w, http.StatusInternalServerError, "failed to resolve role")
|
|
return nil, "", false
|
|
}
|
|
if !ok {
|
|
// Not a collaborator. Treat the same way the legacy host_id check
|
|
// did: 404, no leak.
|
|
writeError(w, http.StatusNotFound, "event not found")
|
|
return nil, "", false
|
|
}
|
|
if !role.AtLeast(min) {
|
|
writeError(w, http.StatusForbidden, "insufficient role for this action")
|
|
return nil, "", false
|
|
}
|
|
ev, err := events.Get(r.Context(), eventID)
|
|
if err != nil {
|
|
if errors.Is(err, domain.ErrEventNotFound) {
|
|
// Race: the event was deleted between the role lookup and now.
|
|
writeError(w, http.StatusNotFound, "event not found")
|
|
return nil, "", false
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "failed to load event")
|
|
return nil, "", false
|
|
}
|
|
return ev, role, true
|
|
}
|