feat(projects): editable notes with edit stamp + NoteCard bubble component
- author-only note editing (PUT /projects/:id/notes/:noteId, strict schema, audit with old/new content); edits stamped via new edited_at column (migration 20260612160000) and shown as '· upraveno <datum>' - note deletion tightened to admin-only server-side (was any projects.edit holder via direct API) - new NoteCard component: chat-bubble note row (initials avatar, wrapping header, inline editor, actions in the bubble corner so they don't squeeze content on mobile), table-matching edit/delete icons - Odin project detail carries the edited_at stamp; route-level tests cover author-edit, foreign-edit 403, validation, admin-only delete Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -9,6 +9,7 @@ import {
|
||||
UpdateProjectSchema,
|
||||
CreateProjectSchema,
|
||||
CreateProjectNoteSchema,
|
||||
UpdateProjectNoteSchema,
|
||||
} from "../../schemas/projects.schema";
|
||||
import {
|
||||
listProjects,
|
||||
@@ -19,6 +20,7 @@ import {
|
||||
deleteProject,
|
||||
createProjectNote,
|
||||
deleteProjectNote,
|
||||
updateProjectNote,
|
||||
} from "../../services/projects.service";
|
||||
|
||||
// Body for DELETE /:id — optional delete_files flag. The body may be absent on
|
||||
@@ -174,7 +176,47 @@ export default async function projectsRoutes(
|
||||
},
|
||||
);
|
||||
|
||||
// DELETE /api/admin/projects/:id/notes/:noteId
|
||||
// PUT /api/admin/projects/:id/notes/:noteId — author-only edit; the edit
|
||||
// is visibly stamped (edited_at) so a changed note can't pose as original.
|
||||
fastify.put<{ Params: { id: string; noteId: string } }>(
|
||||
"/:id/notes/:noteId",
|
||||
{ preHandler: requirePermission("projects.edit") },
|
||||
async (request, reply) => {
|
||||
const noteId = parseId(request.params.noteId, reply);
|
||||
if (noteId === null) return;
|
||||
const projectId = parseId(request.params.id, reply);
|
||||
if (projectId === null) return;
|
||||
const parsed = parseBody(UpdateProjectNoteSchema, request.body);
|
||||
if ("error" in parsed) return error(reply, parsed.error, 400);
|
||||
const authData = request.authData!;
|
||||
|
||||
const result = await updateProjectNote(
|
||||
projectId,
|
||||
noteId,
|
||||
authData.userId,
|
||||
parsed.data.content,
|
||||
);
|
||||
if (!result) return error(reply, "Poznámka nenalezena", 404);
|
||||
if (result.error !== undefined) {
|
||||
return error(reply, result.error, result.status ?? 403);
|
||||
}
|
||||
|
||||
await logAudit({
|
||||
request,
|
||||
authData,
|
||||
action: "update",
|
||||
entityType: "project",
|
||||
entityId: projectId,
|
||||
description: `Upravena poznámka projektu`,
|
||||
oldValues: { content: result.previousContent },
|
||||
newValues: { content: result.note.content },
|
||||
});
|
||||
return success(reply, { note: result.note }, 200, "Poznámka upravena");
|
||||
},
|
||||
);
|
||||
|
||||
// DELETE /api/admin/projects/:id/notes/:noteId — admin only (user
|
||||
// decision: authors edit their notes, only an admin removes anyone's).
|
||||
fastify.delete<{ Params: { id: string; noteId: string } }>(
|
||||
"/:id/notes/:noteId",
|
||||
{ preHandler: requirePermission("projects.edit") },
|
||||
@@ -183,6 +225,9 @@ export default async function projectsRoutes(
|
||||
if (noteId === null) return;
|
||||
const projectId = parseId(request.params.id, reply);
|
||||
if (projectId === null) return;
|
||||
if (request.authData!.roleName !== "admin") {
|
||||
return error(reply, "Poznámky může mazat pouze administrátor", 403);
|
||||
}
|
||||
|
||||
const note = await deleteProjectNote(projectId, noteId);
|
||||
if (!note) return error(reply, "Poznámka nenalezena", 404);
|
||||
|
||||
Reference in New Issue
Block a user