PiCloud

fabi/PiCloud

Fork 0

Commit Graph

Author	SHA1	Message	Date
MechaCat02	2948875a96	fix(api): make app_members POST and PATCH atomic The previous handlers did `find()` then `upsert()` in two round-trips: - POST: two concurrent grants both pass the duplicate check; the second `upsert` silently rewrites the role instead of returning 409, weakening the "409 on duplicate" contract under load. - PATCH: a concurrent DELETE between `find` and `upsert` makes PATCH silently re-create a row instead of returning 404, weakening the "404 if no existing membership" contract. Adds two repo primitives that fold the check into the write: - `try_insert` — `INSERT ... ON CONFLICT DO NOTHING RETURNING`; None return ⇒ already exists ⇒ 409. - `update_role` — `UPDATE ... WHERE app_id AND user_id RETURNING`; None return ⇒ no row ⇒ 404. Handlers use these directly; existing `upsert` stays for test helpers that genuinely want upsert semantics. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 22:00:04 +02:00
MechaCat02	b7175cc581	chore: rustfmt fixups for app_members files Trailing-comma format! cleanup from `cargo fmt --all`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 21:39:25 +02:00
MechaCat02	85bbabcbdf	feat(api): app members CRUD endpoints Adds /api/v1/admin/apps/{id_or_slug}/members[/{user_id}]: - GET list members (joined with admin_users via list_for_app_enriched) - POST grant membership — 201 with enriched DTO 409 on duplicate (promotions go through PATCH on purpose so the UI can surface "already a member" cleanly) 422 if the target user is deactivated 422 if the target's instance_role isn't `member` — owners and admins already have implicit authority, so an explicit row would be dead weight - PATCH change role — 200 with enriched DTO 404 if no existing membership (use POST to create) - DELETE remove — 204, idempotent (matches the repo's `remove` contract; 204 also when the row never existed) All four gated on `Capability::AppAdmin(app_id)`. Editors and viewers get 403 from list and never see the dashboard's Members tab. No last-app-admin guard: owners implicitly satisfy AppAdmin via `role_grants`, so removing the last explicit app_admin row cannot permanently orphan an app — an owner can always re-issue grants. Wires through picloud/src/lib.rs by splitting the Postgres app_members repo Arc into two trait views (AppMembersRepository for CRUD, AuthzRepo for the existing capability lookups) without re-instantiating against the pool. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 21:31:08 +02:00

Author

SHA1

Message

Date

MechaCat02

2948875a96

fix(api): make app_members POST and PATCH atomic

The previous handlers did `find()` then `upsert()` in two round-trips:

- POST: two concurrent grants both pass the duplicate check; the
  second `upsert` silently rewrites the role instead of returning
  409, weakening the "409 on duplicate" contract under load.
- PATCH: a concurrent DELETE between `find` and `upsert` makes PATCH
  silently re-create a row instead of returning 404, weakening the
  "404 if no existing membership" contract.

Adds two repo primitives that fold the check into the write:

- `try_insert` — `INSERT ... ON CONFLICT DO NOTHING RETURNING`; None
  return ⇒ already exists ⇒ 409.
- `update_role` — `UPDATE ... WHERE app_id AND user_id RETURNING`;
  None return ⇒ no row ⇒ 404.

Handlers use these directly; existing `upsert` stays for test helpers
that genuinely want upsert semantics.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 22:00:04 +02:00

MechaCat02

b7175cc581

chore: rustfmt fixups for app_members files

Trailing-comma format! cleanup from `cargo fmt --all`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 21:39:25 +02:00

MechaCat02

85bbabcbdf

feat(api): app members CRUD endpoints

Adds /api/v1/admin/apps/{id_or_slug}/members[/{user_id}]:

- GET    list members (joined with admin_users via list_for_app_enriched)
- POST   grant membership — 201 with enriched DTO
         409 on duplicate (promotions go through PATCH on purpose so
         the UI can surface "already a member" cleanly)
         422 if the target user is deactivated
         422 if the target's instance_role isn't `member` — owners and
         admins already have implicit authority, so an explicit row
         would be dead weight
- PATCH  change role — 200 with enriched DTO
         404 if no existing membership (use POST to create)
- DELETE remove — 204, idempotent (matches the repo's `remove`
         contract; 204 also when the row never existed)

All four gated on `Capability::AppAdmin(app_id)`. Editors and viewers
get 403 from list and never see the dashboard's Members tab.

No last-app-admin guard: owners implicitly satisfy AppAdmin via
`role_grants`, so removing the last explicit app_admin row cannot
permanently orphan an app — an owner can always re-issue grants.

Wires through picloud/src/lib.rs by splitting the Postgres app_members
repo Arc into two trait views (AppMembersRepository for CRUD, AuthzRepo
for the existing capability lookups) without re-instantiating against
the pool.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 21:31:08 +02:00

3 Commits