feat: role-based permissions (owner/partner/associate/paralegal/secretary)
Backend: - auth/permissions.go: full permission matrix with RequirePermission/RequireRole middleware, CanEditCase, CanDeleteDocument helpers - auth/context.go: add user role to request context - auth/middleware.go: resolve role alongside tenant in auth flow - auth/tenant_resolver.go: verify membership + resolve role for X-Tenant-ID - handlers/case_assignments.go: CRUD for case-level user assignments - handlers/tenant_handler.go: UpdateMemberRole, GetMe (/api/me) endpoints - handlers/documents.go: permission-based delete (own vs all) - router/router.go: permission-wrapped routes for all endpoints - services/case_assignment_service.go: assign/unassign with tenant validation - services/tenant_service.go: UpdateMemberRole with owner protection - models/case_assignment.go: CaseAssignment model Database: - user_tenants.role: CHECK constraint (owner/partner/associate/paralegal/secretary) - case_assignments table: case_id, user_id, role (lead/team/viewer) - Migrated existing admin->partner, member->associate Frontend: - usePermissions hook: fetches /api/me, provides can() helper - TeamSettings: 5-role dropdown, role change, permission-gated invite - CaseAssignments: new component for case-level team management - Sidebar: conditionally hides AI/Settings based on permissions - Cases page: hides "Neue Akte" button for non-authorized roles - Case detail: new "Mitarbeiter" tab for assignment management
This commit is contained in:
m
@@ -117,14 +117,14 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
// Only owners and admins can invite
|
||||
// Only owners and partners can invite
|
||||
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
|
||||
if err != nil {
|
||||
jsonError(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if role != "owner" && role != "admin" {
|
||||
jsonError(w, "only owners and admins can invite users", http.StatusForbidden)
|
||||
if role != "owner" && role != "partner" {
|
||||
jsonError(w, "only owners and partners can invite users", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -141,10 +141,15 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if req.Role == "" {
|
||||
req.Role = "member"
|
||||
req.Role = "associate"
|
||||
}
|
||||
if req.Role != "member" && req.Role != "admin" {
|
||||
jsonError(w, "role must be member or admin", http.StatusBadRequest)
|
||||
if !auth.IsValidRole(req.Role) {
|
||||
jsonError(w, "invalid role", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
// Non-owners cannot invite as owner
|
||||
if role != "owner" && req.Role == "owner" {
|
||||
jsonError(w, "only owners can invite as owner", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -177,13 +182,13 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
// Only owners and admins can remove members (or user removing themselves)
|
||||
// Only owners and partners can remove members (or user removing themselves)
|
||||
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
|
||||
if err != nil {
|
||||
jsonError(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if role != "owner" && role != "admin" && userID != memberID {
|
||||
if role != "owner" && role != "partner" && userID != memberID {
|
||||
jsonError(w, "insufficient permissions", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
@@ -210,14 +215,14 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
// Only owners and admins can update settings
|
||||
// Only owners and partners can update settings
|
||||
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
|
||||
if err != nil {
|
||||
jsonError(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if role != "owner" && role != "admin" {
|
||||
jsonError(w, "only owners and admins can update settings", http.StatusForbidden)
|
||||
if role != "owner" && role != "partner" {
|
||||
jsonError(w, "only owners and partners can update settings", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -270,6 +275,85 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
|
||||
jsonResponse(w, members, http.StatusOK)
|
||||
}
|
||||
|
||||
// UpdateMemberRole handles PUT /api/tenants/{id}/members/{uid}/role
|
||||
func (h *TenantHandler) UpdateMemberRole(w http.ResponseWriter, r *http.Request) {
|
||||
userID, ok := auth.UserFromContext(r.Context())
|
||||
if !ok {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
tenantID, err := uuid.Parse(r.PathValue("id"))
|
||||
if err != nil {
|
||||
jsonError(w, "invalid tenant ID", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
memberID, err := uuid.Parse(r.PathValue("uid"))
|
||||
if err != nil {
|
||||
jsonError(w, "invalid member ID", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Only owners and partners can change roles
|
||||
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
|
||||
if err != nil {
|
||||
jsonError(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if role != "owner" && role != "partner" {
|
||||
jsonError(w, "only owners and partners can change roles", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
var req struct {
|
||||
Role string `json:"role"`
|
||||
}
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
jsonError(w, "invalid request body", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if !auth.IsValidRole(req.Role) {
|
||||
jsonError(w, "invalid role", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Non-owners cannot promote to owner
|
||||
if role != "owner" && req.Role == "owner" {
|
||||
jsonError(w, "only owners can promote to owner", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
if err := h.svc.UpdateMemberRole(r.Context(), tenantID, memberID, req.Role); err != nil {
|
||||
jsonError(w, err.Error(), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
jsonResponse(w, map[string]string{"status": "updated"}, http.StatusOK)
|
||||
}
|
||||
|
||||
// GetMe handles GET /api/me — returns the current user's ID and role in the active tenant.
|
||||
func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
|
||||
userID, ok := auth.UserFromContext(r.Context())
|
||||
if !ok {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
role := auth.UserRoleFromContext(r.Context())
|
||||
tenantID, _ := auth.TenantFromContext(r.Context())
|
||||
|
||||
// Get user's permissions for frontend UI
|
||||
perms := auth.GetRolePermissions(role)
|
||||
|
||||
jsonResponse(w, map[string]any{
|
||||
"user_id": userID,
|
||||
"tenant_id": tenantID,
|
||||
"role": role,
|
||||
"permissions": perms,
|
||||
}, http.StatusOK)
|
||||
}
|
||||
|
||||
func jsonResponse(w http.ResponseWriter, data interface{}, status int) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(status)
|
||||
|
||||
Reference in New Issue
Block a user