Fix #145: tree membership management (list / add / role / remove)
TreeMembership was enforced on every read/write but had no API or UI to manage
members — trees were effectively single-user, breaking full-CRUD (NN#8).
Backend (/trees/{id}/members): list (members only — the list exposes emails, so
non-members never see it, even on public trees); add an existing user by email
(owner only, 404 if no such account, 409 if already a member); PATCH role;
DELETE. A tree must always keep ≥1 owner (demote/remove of the sole owner → 409).
All changes audited.
Frontend: a Members page (owner gets add-by-email + per-member role select +
remove; others see a read-only list) and a sidebar entry.
Test covers the full lifecycle + every guard. Suite 77 passed.
Closes #145
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
@@ -9,6 +9,7 @@ from app.api.v1 import (
|
||||
events,
|
||||
gedcom,
|
||||
media,
|
||||
members,
|
||||
names,
|
||||
persons,
|
||||
public,
|
||||
@@ -32,3 +33,4 @@ api_router.include_router(media.router)
|
||||
api_router.include_router(gedcom.router)
|
||||
api_router.include_router(cleanup.router)
|
||||
api_router.include_router(public.router)
|
||||
api_router.include_router(members.router)
|
||||
|
||||
@@ -0,0 +1,61 @@
|
||||
"""Tree membership management endpoints (owner-managed; members can list)."""
|
||||
|
||||
import uuid
|
||||
|
||||
from fastapi import APIRouter, status
|
||||
|
||||
from app.api.deps import CurrentUser, SessionDep
|
||||
from app.schemas.membership import MemberAdd, MemberRoleUpdate, MembershipRead
|
||||
from app.services import membership_service, tree_service
|
||||
|
||||
router = APIRouter(prefix="/trees", tags=["members"])
|
||||
|
||||
|
||||
@router.get("/{tree_id}/members", response_model=list[MembershipRead])
|
||||
async def list_members(
|
||||
tree_id: uuid.UUID, session: SessionDep, current: CurrentUser
|
||||
) -> list[MembershipRead]:
|
||||
tree = await tree_service.get_tree(session, viewer_id=current.id, tree_id=tree_id)
|
||||
rows = await membership_service.list_members(session, viewer_id=current.id, tree=tree)
|
||||
return [MembershipRead(**r) for r in rows]
|
||||
|
||||
|
||||
@router.post(
|
||||
"/{tree_id}/members", response_model=MembershipRead, status_code=status.HTTP_201_CREATED
|
||||
)
|
||||
async def add_member(
|
||||
tree_id: uuid.UUID, data: MemberAdd, session: SessionDep, current: CurrentUser
|
||||
) -> MembershipRead:
|
||||
tree = await tree_service.get_tree(session, viewer_id=current.id, tree_id=tree_id)
|
||||
row = await membership_service.add_member(
|
||||
session, actor=current, tree=tree, email=data.email, role=data.role
|
||||
)
|
||||
return MembershipRead(**row)
|
||||
|
||||
|
||||
@router.patch("/{tree_id}/members/{membership_id}", response_model=MembershipRead)
|
||||
async def update_member(
|
||||
tree_id: uuid.UUID,
|
||||
membership_id: uuid.UUID,
|
||||
data: MemberRoleUpdate,
|
||||
session: SessionDep,
|
||||
current: CurrentUser,
|
||||
) -> MembershipRead:
|
||||
tree = await tree_service.get_tree(session, viewer_id=current.id, tree_id=tree_id)
|
||||
row = await membership_service.update_member_role(
|
||||
session, actor=current, tree=tree, membership_id=membership_id, role=data.role
|
||||
)
|
||||
return MembershipRead(**row)
|
||||
|
||||
|
||||
@router.delete("/{tree_id}/members/{membership_id}", status_code=status.HTTP_204_NO_CONTENT)
|
||||
async def remove_member(
|
||||
tree_id: uuid.UUID,
|
||||
membership_id: uuid.UUID,
|
||||
session: SessionDep,
|
||||
current: CurrentUser,
|
||||
) -> None:
|
||||
tree = await tree_service.get_tree(session, viewer_id=current.id, tree_id=tree_id)
|
||||
await membership_service.remove_member(
|
||||
session, actor=current, tree=tree, membership_id=membership_id
|
||||
)
|
||||
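Review bot: The add-by-email path in `add_member` answers differently for an unknown address (404) and a known one (201 or 409, per the commit description), so any account that owns a tree can use it to confirm which emails are registered. If tree creation is open to every user, consider a uniform response for both cases (for example an invitation the target has to accept), or at least per-actor rate limiting on this route and an audit entry for failed lookups as well as successful changes. Separately, `update_member` and `remove_member` take `membership_id` from the path next to `tree_id` and pass both on with `actor=current`; the check that the membership belongs to that tree, and the owner check itself, are left to `membership_service`, which is not visible in this file, so a test that sends tree B's membership id under tree A's URL would pin the scoping. A one-line docstring on each handler naming the required role, such as `"""Change a member's role; owner only (enforced in membership_service)."""`, would make the authorization contract readable at the route.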