alchemistkay/guestguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5b187c57549782eb6f9407f030fa12bf6b79c98
guestguard/internal/storage/migrations/0008_collaborators.up.sql
T
Kwaku Danso 3973e4058d feat(tier2): multi-host / collaborators — Block C 
Events can now have multiple users with distinct roles:
  owner   — manage collaborators, delete event, full access
  editor  — manage guests, tokens, CSV import, patch event
  viewer  — read-only access to everything

Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
  no future event can exist without one

Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
  insufficient role 403. Replaces requireEventOwner across every
  shared-role handler (events.get/update, guests CRUD, tokens issue/
  rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching

Collaborator endpoints
- GET    /events/{id}/collaborators           (viewer+)
- POST   /events/{id}/collaborators           (owner)  — sends invite email
- PATCH  /events/{id}/collaborators/{user_id} (owner)  — role change
- DELETE /events/{id}/collaborators/{user_id} (owner)  — refuses last owner
- DELETE /events/{id}/collaborators/pending   (owner)  — cancel invite
- GET    /invites/{token}                     (public) — preview summary
- POST   /invites/{token}/accept              (authed) — atomic accept

Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
  senders + log stub; collaborator_invite.html/txt branded template

Frontend
- TeamCard.vue on the event detail page: lists collaborators with
  inline role-change + remove, pending-invites with cancel, invite
  modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
  or sign-in with pre-filled email, refuses mismatched accounts

Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
  delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 22:14:50 +01:00

66 lines
2.9 KiB
SQL
Raw Blame History

-- Tier 2 Block C — multi-host / collaborators.
--
-- An event can now have multiple users with one of three roles:
-- owner — full access incl. delete + manage collaborators
-- editor — guests/tokens/branding/messages/analytics
-- viewer — read-only
--
-- The existing events.host_id stays as a denormalised "primary owner"
-- pointer (cheap join key, useful for the existing GET /events query). The
-- source of truth for authz is event_collaborators — every handler resolves
-- the caller's role through it.
--
-- Schema #0005 in TIER2_PLAN.md; landing at 0008 because earlier slots are
-- taken by Tier 1 work.
DO $$ BEGIN
CREATE TYPE collaborator_role AS ENUM ('owner', 'editor', 'viewer');
EXCEPTION WHEN duplicate_object THEN NULL; END $$;
CREATE TABLE IF NOT EXISTS event_collaborators (
event_id UUID NOT NULL REFERENCES events(id) ON DELETE CASCADE,
user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
role collaborator_role NOT NULL,
invited_by UUID REFERENCES users(id) ON DELETE SET NULL,
invited_at TIMESTAMPTZ NOT NULL DEFAULT now(),
accepted_at TIMESTAMPTZ,
PRIMARY KEY (event_id, user_id)
);
-- Fast lookup of "what events does this user have any role on" — used by
-- the dashboard list and the role-resolution middleware.
CREATE INDEX IF NOT EXISTS idx_collaborators_user
ON event_collaborators(user_id);
-- Pending invitations. The invitee may not have a GuestGuard account yet;
-- the accept flow creates one (or links to an existing one by email) and
-- promotes the row into event_collaborators.
--
-- token_hash is sha256(raw); the raw token only ever lives in the email
-- link, never in the DB. consumed_at is set on successful accept so re-
-- using the link returns 410 Gone instead of silently re-adding the user.
CREATE TABLE IF NOT EXISTS collaborator_invites (
token_hash TEXT PRIMARY KEY,
event_id UUID NOT NULL REFERENCES events(id) ON DELETE CASCADE,
email TEXT NOT NULL,
role collaborator_role NOT NULL,
invited_by UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
expires_at TIMESTAMPTZ NOT NULL,
consumed_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
-- Find pending invites for an event quickly (the "Team" tab lists them).
-- Partial index keeps the working set small even on a busy event.
CREATE INDEX IF NOT EXISTS idx_collab_invites_event
ON collaborator_invites(event_id)
WHERE consumed_at IS NULL;
-- Backfill: every existing event's host becomes its owner. Idempotent so
-- re-running this migration after a partial failure (or against a freshly
-- restored backup that already has rows) does the right thing.
INSERT INTO event_collaborators (event_id, user_id, role, accepted_at, invited_at)
SELECT id, host_id, 'owner', created_at, created_at
FROM events
ON CONFLICT (event_id, user_id) DO NOTHING;
Reference in New Issue View Git Blame Copy Permalink