feat: complete issue fixes and implement remaining features

## Critical Issues (CRIT-001~003) - All Fixed - JWT secret key validation with pydantic field_validator - Login audit logging for success/failure attempts - Frontend API path prefix removal ## High Priority Issues (HIGH-001~008) - All Fixed - Project soft delete using is_active flag - Redis session token bytes handling - Rate limiting with slowapi (5 req/min for login) - Attachment API permission checks - Kanban view with drag-and-drop - Workload heatmap UI (WorkloadPage, WorkloadHeatmap) - TaskDetailModal integrating Comments/Attachments - UserSelect component for task assignment ## Medium Priority Issues (MED-001~012) - All Fixed - MED-001~005: DB commits, N+1 queries, datetime, error format, blocker flag - MED-006: Project health dashboard (HealthService, ProjectHealthPage) - MED-007: Capacity update API (PUT /api/users/{id}/capacity) - MED-008: Schedule triggers (cron parsing, deadline reminders) - MED-009: Watermark feature (image/PDF watermarking) - MED-010~012: useEffect deps, DOM operations, PDF export ## New Files - backend/app/api/health/ - Project health API - backend/app/services/health_service.py - backend/app/services/trigger_scheduler.py - backend/app/services/watermark_service.py - backend/app/core/rate_limiter.py - frontend/src/pages/ProjectHealthPage.tsx - frontend/src/components/ProjectHealthCard.tsx - frontend/src/components/KanbanBoard.tsx - frontend/src/components/WorkloadHeatmap.tsx ## Tests - 113 new tests passing (health: 32, users: 14, triggers: 35, watermark: 32) ## OpenSpec Archives - add-project-health-dashboard - add-capacity-update-api - add-schedule-triggers - add-watermark-feature - add-rate-limiting - enhance-frontend-ux - add-resource-management-ui 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-04 21:49:52 +08:00
parent 64874d5425
commit 9b220523ff
90 changed files with 9426 additions and 194 deletions
--- a/backend/tests/test_users.py
+++ b/backend/tests/test_users.py
@@ -93,6 +93,263 @@ class TestUserEndpoints:
        assert response.status_code == 403


+class TestCapacityUpdate:
+    """Test user capacity update API endpoint."""
+
+    def test_update_own_capacity(self, client, db, mock_redis):
+        """Test that a user can update their own capacity."""
+        from app.core.security import create_access_token, create_token_payload
+
+        # Create a test user
+        test_user = User(
+            id="capacity-user-001",
+            email="capacityuser@example.com",
+            name="Capacity User",
+            is_active=True,
+            capacity=40.00,
+        )
+        db.add(test_user)
+        db.commit()
+
+        # Create token for the user
+        token_data = create_token_payload(
+            user_id="capacity-user-001",
+            email="capacityuser@example.com",
+            role="engineer",
+            department_id=None,
+            is_system_admin=False,
+        )
+        token = create_access_token(token_data)
+        mock_redis.setex("session:capacity-user-001", 900, token)
+
+        # Update own capacity
+        response = client.put(
+            "/api/users/capacity-user-001/capacity",
+            headers={"Authorization": f"Bearer {token}"},
+            json={"capacity_hours": 35.5},
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert float(data["capacity"]) == 35.5
+
+    def test_admin_can_update_other_user_capacity(self, client, admin_token, db):
+        """Test that admin can update another user's capacity."""
+        # Create a test user
+        test_user = User(
+            id="capacity-user-002",
+            email="capacityuser2@example.com",
+            name="Capacity User 2",
+            is_active=True,
+            capacity=40.00,
+        )
+        db.add(test_user)
+        db.commit()
+
+        # Admin updates another user's capacity
+        response = client.put(
+            "/api/users/capacity-user-002/capacity",
+            headers={"Authorization": f"Bearer {admin_token}"},
+            json={"capacity_hours": 20.0},
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert float(data["capacity"]) == 20.0
+
+    def test_non_admin_cannot_update_other_user_capacity(self, client, db, mock_redis):
+        """Test that a non-admin user cannot update another user's capacity."""
+        from app.core.security import create_access_token, create_token_payload
+
+        # Create two test users
+        user1 = User(
+            id="capacity-user-003",
+            email="capacityuser3@example.com",
+            name="Capacity User 3",
+            is_active=True,
+            capacity=40.00,
+        )
+        user2 = User(
+            id="capacity-user-004",
+            email="capacityuser4@example.com",
+            name="Capacity User 4",
+            is_active=True,
+            capacity=40.00,
+        )
+        db.add_all([user1, user2])
+        db.commit()
+
+        # Create token for user1
+        token_data = create_token_payload(
+            user_id="capacity-user-003",
+            email="capacityuser3@example.com",
+            role="engineer",
+            department_id=None,
+            is_system_admin=False,
+        )
+        token = create_access_token(token_data)
+        mock_redis.setex("session:capacity-user-003", 900, token)
+
+        # User1 tries to update user2's capacity - should fail
+        response = client.put(
+            "/api/users/capacity-user-004/capacity",
+            headers={"Authorization": f"Bearer {token}"},
+            json={"capacity_hours": 30.0},
+        )
+        assert response.status_code == 403
+        assert "Only admin, manager, or the user themselves" in response.json()["detail"]
+
+    def test_update_capacity_invalid_value_negative(self, client, admin_token, db):
+        """Test that negative capacity hours are rejected."""
+        # Create a test user
+        test_user = User(
+            id="capacity-user-005",
+            email="capacityuser5@example.com",
+            name="Capacity User 5",
+            is_active=True,
+            capacity=40.00,
+        )
+        db.add(test_user)
+        db.commit()
+
+        response = client.put(
+            "/api/users/capacity-user-005/capacity",
+            headers={"Authorization": f"Bearer {admin_token}"},
+            json={"capacity_hours": -5.0},
+        )
+        # Pydantic validation returns 422 Unprocessable Entity
+        assert response.status_code == 422
+        error_detail = response.json()["detail"]
+        # Check validation error message in Pydantic format
+        assert any("non-negative" in str(err).lower() for err in error_detail)
+
+    def test_update_capacity_invalid_value_too_high(self, client, admin_token, db):
+        """Test that capacity hours exceeding 168 are rejected."""
+        # Create a test user
+        test_user = User(
+            id="capacity-user-006",
+            email="capacityuser6@example.com",
+            name="Capacity User 6",
+            is_active=True,
+            capacity=40.00,
+        )
+        db.add(test_user)
+        db.commit()
+
+        response = client.put(
+            "/api/users/capacity-user-006/capacity",
+            headers={"Authorization": f"Bearer {admin_token}"},
+            json={"capacity_hours": 200.0},
+        )
+        # Pydantic validation returns 422 Unprocessable Entity
+        assert response.status_code == 422
+        error_detail = response.json()["detail"]
+        # Check validation error message in Pydantic format
+        assert any("168" in str(err) for err in error_detail)
+
+    def test_update_capacity_nonexistent_user(self, client, admin_token):
+        """Test updating capacity for a nonexistent user."""
+        response = client.put(
+            "/api/users/nonexistent-user-id/capacity",
+            headers={"Authorization": f"Bearer {admin_token}"},
+            json={"capacity_hours": 40.0},
+        )
+        assert response.status_code == 404
+        assert "User not found" in response.json()["detail"]
+
+    def test_manager_can_update_other_user_capacity(self, client, db, mock_redis):
+        """Test that manager can update another user's capacity."""
+        from app.core.security import create_access_token, create_token_payload
+        from app.models.role import Role
+
+        # Create manager role if not exists
+        manager_role = db.query(Role).filter(Role.name == "manager").first()
+        if not manager_role:
+            manager_role = Role(
+                id="manager-role-cap",
+                name="manager",
+                permissions={"users.read": True, "users.write": True},
+            )
+            db.add(manager_role)
+            db.commit()
+
+        # Create a manager user
+        manager_user = User(
+            id="manager-cap-001",
+            email="managercap@example.com",
+            name="Manager Cap",
+            role_id=manager_role.id,
+            is_active=True,
+            is_system_admin=False,
+        )
+        # Create a regular user
+        regular_user = User(
+            id="regular-cap-001",
+            email="regularcap@example.com",
+            name="Regular Cap",
+            is_active=True,
+            capacity=40.00,
+        )
+        db.add_all([manager_user, regular_user])
+        db.commit()
+
+        # Create token for manager
+        token_data = create_token_payload(
+            user_id="manager-cap-001",
+            email="managercap@example.com",
+            role="manager",
+            department_id=None,
+            is_system_admin=False,
+        )
+        token = create_access_token(token_data)
+        mock_redis.setex("session:manager-cap-001", 900, token)
+
+        # Manager updates regular user's capacity
+        response = client.put(
+            "/api/users/regular-cap-001/capacity",
+            headers={"Authorization": f"Bearer {token}"},
+            json={"capacity_hours": 30.0},
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert float(data["capacity"]) == 30.0
+
+    def test_capacity_change_creates_audit_log(self, client, admin_token, db):
+        """Test that capacity changes are recorded in audit trail."""
+        from app.models import AuditLog
+
+        # Create a test user
+        test_user = User(
+            id="capacity-audit-001",
+            email="capacityaudit@example.com",
+            name="Capacity Audit User",
+            is_active=True,
+            capacity=40.00,
+        )
+        db.add(test_user)
+        db.commit()
+
+        # Update capacity
+        response = client.put(
+            "/api/users/capacity-audit-001/capacity",
+            headers={"Authorization": f"Bearer {admin_token}"},
+            json={"capacity_hours": 35.0},
+        )
+        assert response.status_code == 200
+
+        # Check audit log was created
+        audit_log = db.query(AuditLog).filter(
+            AuditLog.resource_id == "capacity-audit-001",
+            AuditLog.event_type == "user.capacity_change"
+        ).first()
+
+        assert audit_log is not None
+        assert audit_log.resource_type == "user"
+        assert audit_log.action == "update"
+        assert len(audit_log.changes) == 1
+        assert audit_log.changes[0]["field"] == "capacity"
+        assert audit_log.changes[0]["old_value"] == 40.0
+        assert audit_log.changes[0]["new_value"] == 35.0
+
+
 class TestDepartmentIsolation:
    """Test department-based access control."""