feat: implement task management module

Backend (FastAPI): - Database migration for spaces, projects, task_statuses, tasks tables - SQLAlchemy models with relationships - Pydantic schemas for CRUD operations - Spaces API: CRUD with soft delete - Projects API: CRUD with auto-created default statuses - Tasks API: CRUD, status change, assign, subtask support - Permission middleware with Security Level filtering - Subtask depth limit (max 2 levels) Frontend (React + Vite): - Layout component with navigation - Spaces list page - Projects list page - Tasks list page with status management Fixes: - auth_client.py: use 'username' field for external API - config.py: extend JWT expiry to 7 days - auth/router.py: sync Redis session with JWT expiry Tests: 36 passed (unit + integration) E2E: All APIs verified with real authentication OpenSpec: add-task-management archived 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-29 00:31:34 +08:00
parent 1fda7da2c2
commit daca7798e3
41 changed files with 3616 additions and 13 deletions
--- a/backend/app/api/projects/router.py
+++ b/backend/app/api/projects/router.py
@@ -0,0 +1,273 @@
+import uuid
+from typing import List
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from app.core.database import get_db
+from app.models import User, Space, Project, TaskStatus
+from app.models.task_status import DEFAULT_STATUSES
+from app.schemas.project import ProjectCreate, ProjectUpdate, ProjectResponse, ProjectWithDetails
+from app.schemas.task_status import TaskStatusResponse
+from app.middleware.auth import (
+    get_current_user, check_space_access, check_space_edit_access,
+    check_project_access, check_project_edit_access
+)
+
+router = APIRouter(tags=["projects"])
+
+
+def create_default_statuses(db: Session, project_id: str):
+    """Create default task statuses for a new project."""
+    for status_data in DEFAULT_STATUSES:
+        status = TaskStatus(
+            id=str(uuid.uuid4()),
+            project_id=project_id,
+            **status_data
+        )
+        db.add(status)
+
+
+@router.get("/api/spaces/{space_id}/projects", response_model=List[ProjectWithDetails])
+async def list_projects_in_space(
+    space_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    List all projects in a space that the user can access.
+    """
+    space = db.query(Space).filter(Space.id == space_id, Space.is_active == True).first()
+
+    if not space:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Space not found",
+        )
+
+    if not check_space_access(current_user, space):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    projects = db.query(Project).filter(Project.space_id == space_id).all()
+
+    # Filter by project access
+    accessible_projects = [p for p in projects if check_project_access(current_user, p)]
+
+    result = []
+    for project in accessible_projects:
+        task_count = len(project.tasks) if project.tasks else 0
+        result.append(ProjectWithDetails(
+            id=project.id,
+            space_id=project.space_id,
+            title=project.title,
+            description=project.description,
+            owner_id=project.owner_id,
+            budget=project.budget,
+            start_date=project.start_date,
+            end_date=project.end_date,
+            security_level=project.security_level,
+            status=project.status,
+            department_id=project.department_id,
+            created_at=project.created_at,
+            updated_at=project.updated_at,
+            owner_name=project.owner.name if project.owner else None,
+            space_name=project.space.name if project.space else None,
+            department_name=project.department.name if project.department else None,
+            task_count=task_count,
+        ))
+
+    return result
+
+
+@router.post("/api/spaces/{space_id}/projects", response_model=ProjectResponse, status_code=status.HTTP_201_CREATED)
+async def create_project(
+    space_id: str,
+    project_data: ProjectCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Create a new project in a space.
+    """
+    space = db.query(Space).filter(Space.id == space_id, Space.is_active == True).first()
+
+    if not space:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Space not found",
+        )
+
+    if not check_space_access(current_user, space):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    project = Project(
+        id=str(uuid.uuid4()),
+        space_id=space_id,
+        title=project_data.title,
+        description=project_data.description,
+        owner_id=current_user.id,
+        budget=project_data.budget,
+        start_date=project_data.start_date,
+        end_date=project_data.end_date,
+        security_level=project_data.security_level.value if project_data.security_level else "department",
+        department_id=project_data.department_id or current_user.department_id,
+    )
+
+    db.add(project)
+    db.flush()  # Get the project ID
+
+    # Create default task statuses
+    create_default_statuses(db, project.id)
+
+    db.commit()
+    db.refresh(project)
+
+    return project
+
+
+@router.get("/api/projects/{project_id}", response_model=ProjectWithDetails)
+async def get_project(
+    project_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Get a project by ID.
+    """
+    project = db.query(Project).filter(Project.id == project_id).first()
+
+    if not project:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Project not found",
+        )
+
+    if not check_project_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    task_count = len(project.tasks) if project.tasks else 0
+
+    return ProjectWithDetails(
+        id=project.id,
+        space_id=project.space_id,
+        title=project.title,
+        description=project.description,
+        owner_id=project.owner_id,
+        budget=project.budget,
+        start_date=project.start_date,
+        end_date=project.end_date,
+        security_level=project.security_level,
+        status=project.status,
+        department_id=project.department_id,
+        created_at=project.created_at,
+        updated_at=project.updated_at,
+        owner_name=project.owner.name if project.owner else None,
+        space_name=project.space.name if project.space else None,
+        department_name=project.department.name if project.department else None,
+        task_count=task_count,
+    )
+
+
+@router.patch("/api/projects/{project_id}", response_model=ProjectResponse)
+async def update_project(
+    project_id: str,
+    project_data: ProjectUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Update a project.
+    """
+    project = db.query(Project).filter(Project.id == project_id).first()
+
+    if not project:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Project not found",
+        )
+
+    if not check_project_edit_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only project owner can update",
+        )
+
+    # Update fields
+    update_data = project_data.model_dump(exclude_unset=True)
+    for field, value in update_data.items():
+        if field == "security_level" and value:
+            setattr(project, field, value.value)
+        else:
+            setattr(project, field, value)
+
+    db.commit()
+    db.refresh(project)
+
+    return project
+
+
+@router.delete("/api/projects/{project_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_project(
+    project_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Delete a project (hard delete, cascades to tasks).
+    """
+    project = db.query(Project).filter(Project.id == project_id).first()
+
+    if not project:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Project not found",
+        )
+
+    if not check_project_edit_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only project owner can delete",
+        )
+
+    db.delete(project)
+    db.commit()
+
+    return None
+
+
+@router.get("/api/projects/{project_id}/statuses", response_model=List[TaskStatusResponse])
+async def list_project_statuses(
+    project_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    List all task statuses for a project.
+    """
+    project = db.query(Project).filter(Project.id == project_id).first()
+
+    if not project:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Project not found",
+        )
+
+    if not check_project_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    statuses = db.query(TaskStatus).filter(
+        TaskStatus.project_id == project_id
+    ).order_by(TaskStatus.position).all()
+
+    return statuses