feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements
## Security Enhancements (P0)
- Add input validation with max_length and numeric range constraints
- Implement WebSocket token authentication via first message
- Add path traversal prevention in file storage service

## Permission Enhancements (P0)
- Add project member management for cross-department access
- Implement is_department_manager flag for workload visibility

## Cycle Detection (P0)
- Add DFS-based cycle detection for task dependencies
- Add formula field circular reference detection
- Display user-friendly cycle path visualization

## Concurrency & Reliability (P1)
- Implement optimistic locking with version field (409 Conflict on mismatch)
- Add trigger retry mechanism with exponential backoff (1s, 2s, 4s)
- Implement cascade restore for soft-deleted tasks

## Rate Limiting (P1)
- Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min)
- Apply rate limits to tasks, reports, attachments, and comments

## Frontend Improvements (P1)
- Add responsive sidebar with hamburger menu for mobile
- Improve touch-friendly UI with proper tap target sizes
- Complete i18n translations for all components

## Backend Reliability (P2)
- Configure database connection pool (size=10, overflow=20)
- Add Redis fallback mechanism with message queue
- Add blocker check before task deletion

## API Enhancements (P3)
- Add standardized response wrapper utility
- Add /health/ready and /health/live endpoints
- Implement project templates with status/field copying

## Tests Added
- test_input_validation.py - Schema and path traversal tests
- test_concurrency_reliability.py - Optimistic locking and retry tests
- test_backend_reliability.py - Connection pool and Redis tests
- test_api_enhancements.py - Health check and template tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -4,10 +4,17 @@ from fastapi import APIRouter, Depends, HTTPException, status, Request
|
||||
from sqlalchemy.orm import Session
|
||||
|
||||
from app.core.database import get_db
|
||||
from app.models import User, Space, Project, TaskStatus, AuditAction
|
||||
from app.models import User, Space, Project, TaskStatus, AuditAction, ProjectMember
|
||||
from app.models.task_status import DEFAULT_STATUSES
|
||||
from app.schemas.project import ProjectCreate, ProjectUpdate, ProjectResponse, ProjectWithDetails
|
||||
from app.schemas.task_status import TaskStatusResponse
|
||||
from app.schemas.project_member import (
|
||||
ProjectMemberCreate,
|
||||
ProjectMemberUpdate,
|
||||
ProjectMemberResponse,
|
||||
ProjectMemberWithDetails,
|
||||
ProjectMemberListResponse,
|
||||
)
|
||||
from app.middleware.auth import (
|
||||
get_current_user, check_space_access, check_space_edit_access,
|
||||
check_project_access, check_project_edit_access
|
||||
@@ -336,3 +343,271 @@ async def list_project_statuses(
|
||||
).order_by(TaskStatus.position).all()
|
||||
|
||||
return statuses
|
||||
|
||||
|
||||
# ============================================================================
|
||||
# Project Members API - Cross-Department Collaboration
|
||||
# ============================================================================
|
||||
|
||||
|
||||
@router.get("/api/projects/{project_id}/members", response_model=ProjectMemberListResponse)
|
||||
async def list_project_members(
|
||||
project_id: str,
|
||||
db: Session = Depends(get_db),
|
||||
current_user: User = Depends(get_current_user),
|
||||
):
|
||||
"""
|
||||
List all members of a project.
|
||||
|
||||
Only users with project access can view the member list.
|
||||
"""
|
||||
project = db.query(Project).filter(Project.id == project_id, Project.is_active == True).first()
|
||||
|
||||
if not project:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail="Project not found",
|
||||
)
|
||||
|
||||
if not check_project_access(current_user, project):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail="Access denied",
|
||||
)
|
||||
|
||||
members = db.query(ProjectMember).filter(
|
||||
ProjectMember.project_id == project_id
|
||||
).all()
|
||||
|
||||
member_list = []
|
||||
for member in members:
|
||||
user = db.query(User).filter(User.id == member.user_id).first()
|
||||
added_by_user = db.query(User).filter(User.id == member.added_by).first()
|
||||
|
||||
member_list.append(ProjectMemberWithDetails(
|
||||
id=member.id,
|
||||
project_id=member.project_id,
|
||||
user_id=member.user_id,
|
||||
role=member.role,
|
||||
added_by=member.added_by,
|
||||
created_at=member.created_at,
|
||||
user_name=user.name if user else None,
|
||||
user_email=user.email if user else None,
|
||||
user_department_id=user.department_id if user else None,
|
||||
user_department_name=user.department.name if user and user.department else None,
|
||||
added_by_name=added_by_user.name if added_by_user else None,
|
||||
))
|
||||
|
||||
return ProjectMemberListResponse(
|
||||
members=member_list,
|
||||
total=len(member_list),
|
||||
)
|
||||
|
||||
|
||||
@router.post("/api/projects/{project_id}/members", response_model=ProjectMemberResponse, status_code=status.HTTP_201_CREATED)
|
||||
async def add_project_member(
|
||||
project_id: str,
|
||||
member_data: ProjectMemberCreate,
|
||||
request: Request,
|
||||
db: Session = Depends(get_db),
|
||||
current_user: User = Depends(get_current_user),
|
||||
):
|
||||
"""
|
||||
Add a user as a project member for cross-department collaboration.
|
||||
|
||||
Only project owners and members with 'admin' role can add new members.
|
||||
"""
|
||||
project = db.query(Project).filter(Project.id == project_id, Project.is_active == True).first()
|
||||
|
||||
if not project:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail="Project not found",
|
||||
)
|
||||
|
||||
# Check if user has permission to add members (owner or admin member)
|
||||
if not check_project_edit_access(current_user, project):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail="Only project owner or admin members can add new members",
|
||||
)
|
||||
|
||||
# Check if user exists
|
||||
user_to_add = db.query(User).filter(User.id == member_data.user_id, User.is_active == True).first()
|
||||
if not user_to_add:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail="User not found",
|
||||
)
|
||||
|
||||
# Check if user is already a member
|
||||
existing_member = db.query(ProjectMember).filter(
|
||||
ProjectMember.project_id == project_id,
|
||||
ProjectMember.user_id == member_data.user_id,
|
||||
).first()
|
||||
|
||||
if existing_member:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_409_CONFLICT,
|
||||
detail="User is already a member of this project",
|
||||
)
|
||||
|
||||
# Don't add the owner as a member (they already have access)
|
||||
if member_data.user_id == project.owner_id:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_400_BAD_REQUEST,
|
||||
detail="Project owner cannot be added as a member",
|
||||
)
|
||||
|
||||
# Create the membership
|
||||
member = ProjectMember(
|
||||
id=str(uuid.uuid4()),
|
||||
project_id=project_id,
|
||||
user_id=member_data.user_id,
|
||||
role=member_data.role.value,
|
||||
added_by=current_user.id,
|
||||
)
|
||||
|
||||
db.add(member)
|
||||
|
||||
# Audit log
|
||||
AuditService.log_event(
|
||||
db=db,
|
||||
event_type="project_member.add",
|
||||
resource_type="project_member",
|
||||
action=AuditAction.CREATE,
|
||||
user_id=current_user.id,
|
||||
resource_id=member.id,
|
||||
changes=[
|
||||
{"field": "user_id", "old_value": None, "new_value": member_data.user_id},
|
||||
{"field": "role", "old_value": None, "new_value": member_data.role.value},
|
||||
],
|
||||
request_metadata=get_audit_metadata(request),
|
||||
)
|
||||
|
||||
db.commit()
|
||||
db.refresh(member)
|
||||
|
||||
return member
|
||||
|
||||
|
||||
@router.patch("/api/projects/{project_id}/members/{member_id}", response_model=ProjectMemberResponse)
|
||||
async def update_project_member(
|
||||
project_id: str,
|
||||
member_id: str,
|
||||
member_data: ProjectMemberUpdate,
|
||||
request: Request,
|
||||
db: Session = Depends(get_db),
|
||||
current_user: User = Depends(get_current_user),
|
||||
):
|
||||
"""
|
||||
Update a project member's role.
|
||||
|
||||
Only project owners and members with 'admin' role can update member roles.
|
||||
"""
|
||||
project = db.query(Project).filter(Project.id == project_id, Project.is_active == True).first()
|
||||
|
||||
if not project:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail="Project not found",
|
||||
)
|
||||
|
||||
if not check_project_edit_access(current_user, project):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail="Only project owner or admin members can update member roles",
|
||||
)
|
||||
|
||||
member = db.query(ProjectMember).filter(
|
||||
ProjectMember.id == member_id,
|
||||
ProjectMember.project_id == project_id,
|
||||
).first()
|
||||
|
||||
if not member:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail="Member not found",
|
||||
)
|
||||
|
||||
old_role = member.role
|
||||
member.role = member_data.role.value
|
||||
|
||||
# Audit log
|
||||
AuditService.log_event(
|
||||
db=db,
|
||||
event_type="project_member.update",
|
||||
resource_type="project_member",
|
||||
action=AuditAction.UPDATE,
|
||||
user_id=current_user.id,
|
||||
resource_id=member.id,
|
||||
changes=[{"field": "role", "old_value": old_role, "new_value": member_data.role.value}],
|
||||
request_metadata=get_audit_metadata(request),
|
||||
)
|
||||
|
||||
db.commit()
|
||||
db.refresh(member)
|
||||
|
||||
return member
|
||||
|
||||
|
||||
@router.delete("/api/projects/{project_id}/members/{member_id}", status_code=status.HTTP_204_NO_CONTENT)
|
||||
async def remove_project_member(
|
||||
project_id: str,
|
||||
member_id: str,
|
||||
request: Request,
|
||||
db: Session = Depends(get_db),
|
||||
current_user: User = Depends(get_current_user),
|
||||
):
|
||||
"""
|
||||
Remove a member from a project.
|
||||
|
||||
Only project owners and members with 'admin' role can remove members.
|
||||
Members can also remove themselves from a project.
|
||||
"""
|
||||
project = db.query(Project).filter(Project.id == project_id, Project.is_active == True).first()
|
||||
|
||||
if not project:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail="Project not found",
|
||||
)
|
||||
|
||||
member = db.query(ProjectMember).filter(
|
||||
ProjectMember.id == member_id,
|
||||
ProjectMember.project_id == project_id,
|
||||
).first()
|
||||
|
||||
if not member:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail="Member not found",
|
||||
)
|
||||
|
||||
# Allow self-removal or admin access
|
||||
is_self_removal = member.user_id == current_user.id
|
||||
if not is_self_removal and not check_project_edit_access(current_user, project):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail="Only project owner, admin members, or the member themselves can remove membership",
|
||||
)
|
||||
|
||||
# Audit log
|
||||
AuditService.log_event(
|
||||
db=db,
|
||||
event_type="project_member.remove",
|
||||
resource_type="project_member",
|
||||
action=AuditAction.DELETE,
|
||||
user_id=current_user.id,
|
||||
resource_id=member.id,
|
||||
changes=[
|
||||
{"field": "user_id", "old_value": member.user_id, "new_value": None},
|
||||
{"field": "role", "old_value": member.role, "new_value": None},
|
||||
],
|
||||
request_metadata=get_audit_metadata(request),
|
||||
)
|
||||
|
||||
db.delete(member)
|
||||
db.commit()
|
||||
|
||||
return None
|
||||
|
||||
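Review bot: The docstrings and 403 messages in add_project_member, update_project_member and remove_project_member promise that members holding the 'admin' role can manage membership, but the decision is delegated to the pre-existing `check_project_edit_access` (and `check_project_access` in list_project_members), and nothing in this diff shows those helpers consulting ProjectMember rows, so if they still look only at ownership or space access, admin members receive a misleading 403 and cross-department members added through this API may not even be able to list the project. Please confirm the helpers were updated in this commit, or add a comment above each check such as `# check_project_edit_access must also grant access to ProjectMember rows with role 'admin'`. Separately, in remove_project_member the membership lookup and its 404 run before any authorization check, so a caller with no project access can learn whether a given member_id exists in a project (404 versus 403); resolving edit access first and answering 403 for a missing member when the caller cannot edit closes that gap, as sketched below. list_project_members also issues two queries per member; loading the referenced users once with `User.id.in_(...)` would avoid the N+1 pattern.
```python
    # Resolve authorization before revealing whether the member row exists
    can_edit = check_project_edit_access(current_user, project)

    member = db.query(ProjectMember).filter(
        ProjectMember.id == member_id,
        ProjectMember.project_id == project_id,
    ).first()

    if not member:
        if not can_edit:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Only project owner, admin members, or the member themselves can remove membership",
            )
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail="Member not found",
        )

    # Allow self-removal or admin access
    is_self_removal = member.user_id == current_user.id
    if not is_self_removal and not can_edit:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Only project owner, admin members, or the member themselves can remove membership",
        )

    # … unchanged: audit log, db.delete(member), db.commit(), return None …
```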