feat(projects): editable notes with edit stamp + NoteCard bubble component

- author-only note editing (PUT /projects/:id/notes/:noteId, strict schema,
  audit with old/new content); edits stamped via new edited_at column
  (migration 20260612160000) and shown as '· upraveno <datum>'
- note deletion tightened to admin-only server-side (was any projects.edit
  holder via direct API)
- new NoteCard component: chat-bubble note row (initials avatar, wrapping
  header, inline editor, actions in the bubble corner so they don't squeeze
  content on mobile), table-matching edit/delete icons
- Odin project detail carries the edited_at stamp; route-level tests cover
  author-edit, foreign-edit 403, validation, admin-only delete

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-12 16:26:38 +02:00
parent 6f3f1c40e7
commit 64bb7f9c37
10 changed files with 611 additions and 86 deletions

View File

@@ -9,6 +9,7 @@ import {
UpdateProjectSchema,
CreateProjectSchema,
CreateProjectNoteSchema,
UpdateProjectNoteSchema,
} from "../../schemas/projects.schema";
import {
listProjects,
@@ -19,6 +20,7 @@ import {
deleteProject,
createProjectNote,
deleteProjectNote,
updateProjectNote,
} from "../../services/projects.service";
// Body for DELETE /:id — optional delete_files flag. The body may be absent on
@@ -174,7 +176,47 @@ export default async function projectsRoutes(
},
);
// DELETE /api/admin/projects/:id/notes/:noteId
// PUT /api/admin/projects/:id/notes/:noteId — author-only edit; the edit
// is visibly stamped (edited_at) so a changed note can't pose as original.
fastify.put<{ Params: { id: string; noteId: string } }>(
"/:id/notes/:noteId",
{ preHandler: requirePermission("projects.edit") },
async (request, reply) => {
const noteId = parseId(request.params.noteId, reply);
if (noteId === null) return;
const projectId = parseId(request.params.id, reply);
if (projectId === null) return;
const parsed = parseBody(UpdateProjectNoteSchema, request.body);
if ("error" in parsed) return error(reply, parsed.error, 400);
const authData = request.authData!;
const result = await updateProjectNote(
projectId,
noteId,
authData.userId,
parsed.data.content,
);
if (!result) return error(reply, "Poznámka nenalezena", 404);
if (result.error !== undefined) {
return error(reply, result.error, result.status ?? 403);
}
await logAudit({
request,
authData,
action: "update",
entityType: "project",
entityId: projectId,
description: `Upravena poznámka projektu`,
oldValues: { content: result.previousContent },
newValues: { content: result.note.content },
});
return success(reply, { note: result.note }, 200, "Poznámka upravena");
},
);
// DELETE /api/admin/projects/:id/notes/:noteId — admin only (user
// decision: authors edit their notes, only an admin removes anyone's).
fastify.delete<{ Params: { id: string; noteId: string } }>(
"/:id/notes/:noteId",
{ preHandler: requirePermission("projects.edit") },
@@ -183,6 +225,9 @@ export default async function projectsRoutes(
if (noteId === null) return;
const projectId = parseId(request.params.id, reply);
if (projectId === null) return;
if (request.authData!.roleName !== "admin") {
return error(reply, "Poznámky může mazat pouze administrátor", 403);
}
const note = await deleteProjectNote(projectId, noteId);
if (!note) return error(reply, "Poznámka nenalezena", 404);