feat: complete issue fixes and implement remaining features

## Critical Issues (CRIT-001~003) - All Fixed - JWT secret key validation with pydantic field_validator - Login audit logging for success/failure attempts - Frontend API path prefix removal ## High Priority Issues (HIGH-001~008) - All Fixed - Project soft delete using is_active flag - Redis session token bytes handling - Rate limiting with slowapi (5 req/min for login) - Attachment API permission checks - Kanban view with drag-and-drop - Workload heatmap UI (WorkloadPage, WorkloadHeatmap) - TaskDetailModal integrating Comments/Attachments - UserSelect component for task assignment ## Medium Priority Issues (MED-001~012) - All Fixed - MED-001~005: DB commits, N+1 queries, datetime, error format, blocker flag - MED-006: Project health dashboard (HealthService, ProjectHealthPage) - MED-007: Capacity update API (PUT /api/users/{id}/capacity) - MED-008: Schedule triggers (cron parsing, deadline reminders) - MED-009: Watermark feature (image/PDF watermarking) - MED-010~012: useEffect deps, DOM operations, PDF export ## New Files - backend/app/api/health/ - Project health API - backend/app/services/health_service.py - backend/app/services/trigger_scheduler.py - backend/app/services/watermark_service.py - backend/app/core/rate_limiter.py - frontend/src/pages/ProjectHealthPage.tsx - frontend/src/components/ProjectHealthCard.tsx - frontend/src/components/KanbanBoard.tsx - frontend/src/components/WorkloadHeatmap.tsx ## Tests - 113 new tests passing (health: 32, users: 14, triggers: 35, watermark: 32) ## OpenSpec Archives - add-project-health-dashboard - add-capacity-update-api - add-schedule-triggers - add-watermark-feature - add-rate-limiting - enhance-frontend-ux - add-resource-management-ui 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-04 21:49:52 +08:00
parent 64874d5425
commit 9b220523ff
90 changed files with 9426 additions and 194 deletions
--- a/backend/app/api/users/router.py
+++ b/backend/app/api/users/router.py
@@ -4,10 +4,11 @@ from sqlalchemy import or_
 from typing import List

 from app.core.database import get_db
+from app.core.redis import get_redis
 from app.models.user import User
 from app.models.role import Role
 from app.models import AuditAction
-from app.schemas.user import UserResponse, UserUpdate
+from app.schemas.user import UserResponse, UserUpdate, CapacityUpdate
 from app.middleware.auth import (
    get_current_user,
    require_permission,
@@ -239,3 +240,86 @@ async def set_admin_status(
    db.commit()
    db.refresh(user)
    return user
+
+
+@router.put("/{user_id}/capacity", response_model=UserResponse)
+async def update_user_capacity(
+    user_id: str,
+    capacity: CapacityUpdate,
+    request: Request,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+    redis_client=Depends(get_redis),
+):
+    """
+    Update user's weekly capacity hours.
+
+    Permission: admin, manager, or the user themselves can update capacity.
+    - Admin/Manager can update any user's capacity
+    - Regular users can only update their own capacity
+
+    Capacity changes are recorded in the audit trail and workload cache is invalidated.
+    """
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found",
+        )
+
+    # Permission check: admin, manager, or the user themselves can update capacity
+    is_self = current_user.id == user_id
+    is_admin = current_user.is_system_admin
+    is_manager = False
+
+    # Check if current user has manager role
+    if current_user.role and current_user.role.name == "manager":
+        is_manager = True
+
+    if not is_self and not is_admin and not is_manager:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admin, manager, or the user themselves can update capacity",
+        )
+
+    # Store old capacity for audit log
+    old_capacity = float(user.capacity) if user.capacity else None
+
+    # Update capacity (validation is handled by Pydantic schema)
+    user.capacity = capacity.capacity_hours
+    new_capacity = float(capacity.capacity_hours)
+
+    # Record capacity change in audit trail
+    if old_capacity != new_capacity:
+        AuditService.log_event(
+            db=db,
+            event_type="user.capacity_change",
+            resource_type="user",
+            action=AuditAction.UPDATE,
+            user_id=current_user.id,
+            resource_id=user.id,
+            changes=[{
+                "field": "capacity",
+                "old_value": old_capacity,
+                "new_value": new_capacity
+            }],
+            request_metadata=get_audit_metadata(request),
+        )
+
+    db.commit()
+    db.refresh(user)
+
+    # Invalidate workload cache for this user
+    # Cache keys follow pattern: workload:{user_id}:* or workload:heatmap:*
+    try:
+        # Delete user-specific workload cache
+        for key in redis_client.scan_iter(f"workload:{user_id}:*"):
+            redis_client.delete(key)
+        # Delete heatmap cache (contains all users' workload data)
+        for key in redis_client.scan_iter("workload:heatmap:*"):
+            redis_client.delete(key)
+    except Exception:
+        # Cache invalidation failure should not fail the request
+        pass
+
+    return user