feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements

## Security Enhancements (P0) - Add input validation with max_length and numeric range constraints - Implement WebSocket token authentication via first message - Add path traversal prevention in file storage service ## Permission Enhancements (P0) - Add project member management for cross-department access - Implement is_department_manager flag for workload visibility ## Cycle Detection (P0) - Add DFS-based cycle detection for task dependencies - Add formula field circular reference detection - Display user-friendly cycle path visualization ## Concurrency & Reliability (P1) - Implement optimistic locking with version field (409 Conflict on mismatch) - Add trigger retry mechanism with exponential backoff (1s, 2s, 4s) - Implement cascade restore for soft-deleted tasks ## Rate Limiting (P1) - Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min) - Apply rate limits to tasks, reports, attachments, and comments ## Frontend Improvements (P1) - Add responsive sidebar with hamburger menu for mobile - Improve touch-friendly UI with proper tap target sizes - Complete i18n translations for all components ## Backend Reliability (P2) - Configure database connection pool (size=10, overflow=20) - Add Redis fallback mechanism with message queue - Add blocker check before task deletion ## API Enhancements (P3) - Add standardized response wrapper utility - Add /health/ready and /health/live endpoints - Implement project templates with status/field copying ## Tests Added - test_input_validation.py - Schema and path traversal tests - test_concurrency_reliability.py - Optimistic locking and retry tests - test_backend_reliability.py - Connection pool and Redis tests - test_api_enhancements.py - Health check and template tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 22:13:43 +08:00
parent 96210c7ad4
commit 3bdc6ff1c9
106 changed files with 9704 additions and 429 deletions
--- a/backend/app/middleware/auth.py
+++ b/backend/app/middleware/auth.py
@@ -207,12 +207,16 @@ def check_space_edit_access(user: User, space) -> bool:

 def check_project_access(user: User, project) -> bool:
    """
-    Check if user has access to a project based on security level.
+    Check if user has access to a project based on security level and membership.

-    Security Levels:
-    - public: All logged-in users
-    - department: Same department users + project owner
-    - confidential: Only project owner (+ system admin)
+    Access is granted if any of the following conditions are met:
+    1. User is a system admin
+    2. User is the project owner
+    3. User is an explicit project member (cross-department collaboration)
+    4. Security level allows access:
+       - public: All logged-in users
+       - department: Same department users
+       - confidential: Only owner/members/admin
    """
    # System admin bypasses all restrictions
    if user.is_system_admin:
@@ -222,6 +226,13 @@ def check_project_access(user: User, project) -> bool:
    if project.owner_id == user.id:
        return True

+    # Check if user is an explicit project member (for cross-department collaboration)
+    # This allows users from other departments to access the project
+    if hasattr(project, 'members') and project.members:
+        for member in project.members:
+            if member.user_id == user.id:
+                return True
+
    # Check by security level
    security_level = project.security_level

@@ -235,20 +246,34 @@ def check_project_access(user: User, project) -> bool:
        return False

    else:  # confidential
-        # Only owner has access (already checked above)
+        # Only owner/members have access (already checked above)
        return False


 def check_project_edit_access(user: User, project) -> bool:
    """
    Check if user can edit/delete a project.
+
+    Edit access is granted if:
+    1. User is a system admin
+    2. User is the project owner
+    3. User is a project member with 'admin' role
    """
    # System admin has full access
    if user.is_system_admin:
        return True

-    # Only owner can edit
-    return project.owner_id == user.id
+    # Owner can edit
+    if project.owner_id == user.id:
+        return True
+
+    # Project member with admin role can edit
+    if hasattr(project, 'members') and project.members:
+        for member in project.members:
+            if member.user_id == user.id and member.role == "admin":
+                return True
+
+    return False


 def check_task_access(user: User, task, project) -> bool: