fix(projects): audit pass — 8 correctness and consistency fixes
- Project.to_dict() now includes user_id and auto_summary - Status validation unified to (active/completed/archived) on both create and update project routes; update route previously had none - Milestone routes: replace get_project (ownership-only) with get_project_for_user so shared viewers/editors can access milestones - Add get_milestone_in_project() to milestones service for project- scoped lookup without user_id filter; all milestone routes use it - Milestone PATCH now validates status as 'active'|'done'; fix tool enum which was wrongly ['active','completed','cancelled'] - Write mutation routes (POST/PATCH/DELETE milestones) now check can_write_project() and return 403 for read-only shared users - update_project tool now exposes title and color fields so projects can be renamed or recolored via chat - create_project tool now exposes color field - GET /api/projects?include_summary=true embeds summaries in one backend pass; ProjectListView switches to this, eliminating N+1 per-project fetches Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -5,16 +5,17 @@ from quart import Blueprint, jsonify, request
|
||||
|
||||
from fabledassistant.auth import login_required, get_current_user_id
|
||||
from fabledassistant.routes.utils import not_found, parse_pagination
|
||||
from fabledassistant.services.access import can_write_project
|
||||
from fabledassistant.services.milestones import (
|
||||
create_milestone,
|
||||
delete_milestone,
|
||||
get_milestone,
|
||||
get_milestone_in_project,
|
||||
get_milestone_progress,
|
||||
list_milestones,
|
||||
update_milestone,
|
||||
)
|
||||
from fabledassistant.services.notes import list_notes
|
||||
from fabledassistant.services.projects import get_project
|
||||
from fabledassistant.services.projects import get_project_for_user
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -31,22 +32,25 @@ async def _milestone_dict(m) -> dict:
|
||||
@login_required
|
||||
async def list_milestones_route(project_id: int):
|
||||
uid = get_current_user_id()
|
||||
project = await get_project(uid, project_id)
|
||||
if project is None:
|
||||
result = await get_project_for_user(uid, project_id)
|
||||
if result is None:
|
||||
return not_found("Project")
|
||||
project, _ = result
|
||||
# List milestones using the project owner's uid so ownership filter matches
|
||||
owner_uid = project.user_id or uid
|
||||
status = request.args.get("status")
|
||||
milestones = await list_milestones(uid, project_id, status=status)
|
||||
result = [await _milestone_dict(m) for m in milestones]
|
||||
return jsonify({"milestones": result})
|
||||
milestones = await list_milestones(owner_uid, project_id, status=status)
|
||||
return jsonify({"milestones": [await _milestone_dict(m) for m in milestones]})
|
||||
|
||||
|
||||
@milestones_bp.route("/<int:project_id>/milestones", methods=["POST"])
|
||||
@login_required
|
||||
async def create_milestone_route(project_id: int):
|
||||
uid = get_current_user_id()
|
||||
project = await get_project(uid, project_id)
|
||||
if project is None:
|
||||
if await get_project_for_user(uid, project_id) is None:
|
||||
return not_found("Project")
|
||||
if not await can_write_project(uid, project_id):
|
||||
return jsonify({"error": "Permission denied"}), 403
|
||||
data = await request.get_json()
|
||||
if not data.get("title"):
|
||||
return jsonify({"error": "title is required"}), 400
|
||||
@@ -68,8 +72,10 @@ async def create_milestone_route(project_id: int):
|
||||
@login_required
|
||||
async def get_milestone_route(project_id: int, milestone_id: int):
|
||||
uid = get_current_user_id()
|
||||
milestone = await get_milestone(uid, milestone_id)
|
||||
if milestone is None or milestone.project_id != project_id:
|
||||
if await get_project_for_user(uid, project_id) is None:
|
||||
return not_found("Project")
|
||||
milestone = await get_milestone_in_project(project_id, milestone_id)
|
||||
if milestone is None:
|
||||
return not_found("Milestone")
|
||||
return jsonify(await _milestone_dict(milestone))
|
||||
|
||||
@@ -78,13 +84,19 @@ async def get_milestone_route(project_id: int, milestone_id: int):
|
||||
@login_required
|
||||
async def update_milestone_route(project_id: int, milestone_id: int):
|
||||
uid = get_current_user_id()
|
||||
milestone = await get_milestone(uid, milestone_id)
|
||||
if milestone is None or milestone.project_id != project_id:
|
||||
if await get_project_for_user(uid, project_id) is None:
|
||||
return not_found("Project")
|
||||
if not await can_write_project(uid, project_id):
|
||||
return jsonify({"error": "Permission denied"}), 403
|
||||
milestone = await get_milestone_in_project(project_id, milestone_id)
|
||||
if milestone is None:
|
||||
return not_found("Milestone")
|
||||
data = await request.get_json()
|
||||
allowed = {"title", "description", "status", "order_index"}
|
||||
fields = {k: v for k, v in data.items() if k in allowed}
|
||||
updated = await update_milestone(uid, milestone_id, **fields)
|
||||
if "status" in fields and fields["status"] not in ("active", "done"):
|
||||
return jsonify({"error": "status must be 'active' or 'done'"}), 400
|
||||
updated = await update_milestone(milestone.user_id, milestone_id, **fields)
|
||||
if updated is None:
|
||||
return not_found("Milestone")
|
||||
return jsonify(await _milestone_dict(updated))
|
||||
@@ -94,10 +106,14 @@ async def update_milestone_route(project_id: int, milestone_id: int):
|
||||
@login_required
|
||||
async def delete_milestone_route(project_id: int, milestone_id: int):
|
||||
uid = get_current_user_id()
|
||||
milestone = await get_milestone(uid, milestone_id)
|
||||
if milestone is None or milestone.project_id != project_id:
|
||||
if await get_project_for_user(uid, project_id) is None:
|
||||
return not_found("Project")
|
||||
if not await can_write_project(uid, project_id):
|
||||
return jsonify({"error": "Permission denied"}), 403
|
||||
milestone = await get_milestone_in_project(project_id, milestone_id)
|
||||
if milestone is None:
|
||||
return not_found("Milestone")
|
||||
deleted = await delete_milestone(uid, milestone_id)
|
||||
deleted = await delete_milestone(milestone.user_id, milestone_id)
|
||||
if not deleted:
|
||||
return not_found("Milestone")
|
||||
return "", 204
|
||||
@@ -107,13 +123,15 @@ async def delete_milestone_route(project_id: int, milestone_id: int):
|
||||
@login_required
|
||||
async def get_milestone_tasks_route(project_id: int, milestone_id: int):
|
||||
uid = get_current_user_id()
|
||||
milestone = await get_milestone(uid, milestone_id)
|
||||
if milestone is None or milestone.project_id != project_id:
|
||||
if await get_project_for_user(uid, project_id) is None:
|
||||
return not_found("Project")
|
||||
milestone = await get_milestone_in_project(project_id, milestone_id)
|
||||
if milestone is None:
|
||||
return not_found("Milestone")
|
||||
status_filter = request.args.get("status")
|
||||
limit, offset = parse_pagination(default_limit=100)
|
||||
notes, total = await list_notes(
|
||||
uid,
|
||||
milestone.user_id,
|
||||
is_task=True,
|
||||
status=status_filter,
|
||||
milestone_id=milestone_id,
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
"""Project management routes."""
|
||||
import asyncio
|
||||
import logging
|
||||
|
||||
from quart import Blueprint, jsonify, request
|
||||
@@ -27,7 +28,19 @@ projects_bp = Blueprint("projects", __name__, url_prefix="/api/projects")
|
||||
async def list_projects_route():
|
||||
uid = get_current_user_id()
|
||||
status = request.args.get("status")
|
||||
include_summary = request.args.get("include_summary", "").lower() in ("1", "true")
|
||||
projects = await list_projects_for_user(uid, status=status)
|
||||
if include_summary:
|
||||
# Fetch all summaries in parallel — one backend pass instead of N+1 frontend calls
|
||||
async def _attach(project_dict: dict) -> dict:
|
||||
try:
|
||||
owner_uid = project_dict.get("user_id") or uid # user_id now in to_dict()
|
||||
summary = await get_project_summary(owner_uid, project_dict["id"])
|
||||
project_dict["summary"] = summary
|
||||
except Exception:
|
||||
pass
|
||||
return project_dict
|
||||
projects = list(await asyncio.gather(*[_attach(p) for p in projects]))
|
||||
return jsonify({"projects": projects})
|
||||
|
||||
|
||||
@@ -39,8 +52,8 @@ async def create_project_route():
|
||||
if not data.get("title"):
|
||||
return jsonify({"error": "title is required"}), 400
|
||||
status = data.get("status", "active")
|
||||
if status not in ("active", "archived"):
|
||||
return jsonify({"error": "status must be 'active' or 'archived'"}), 400
|
||||
if status not in ("active", "completed", "archived"):
|
||||
return jsonify({"error": "status must be 'active', 'completed', or 'archived'"}), 400
|
||||
project = await create_project(
|
||||
uid,
|
||||
title=data["title"],
|
||||
@@ -76,6 +89,8 @@ async def update_project_route(project_id: int):
|
||||
data = await request.get_json()
|
||||
allowed = {"title", "description", "goal", "status", "color"}
|
||||
fields = {k: v for k, v in data.items() if k in allowed}
|
||||
if "status" in fields and fields["status"] not in ("active", "completed", "archived"):
|
||||
return jsonify({"error": "status must be 'active', 'completed', or 'archived'"}), 400
|
||||
project = await update_project(uid, project_id, **fields)
|
||||
if project is None:
|
||||
return not_found("Project")
|
||||
|
||||
Reference in New Issue
Block a user