Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b82b90d2f5542114c4e7f5e5ab78d42c3ceb6e20
Void-Homelab/lib/api/routes/projects.js
root 56805053f0 feat(api): capability enforcement on writes 
Add lib/api/cap.js: requireWrite(entity_type) maps HTTP method to
action, runs canAct, and tags req.capTier as allow|suggest|deny→403.
Mutating routes (pages, projects, tasks, refs, resources, source_docs)
now check req.capTier and either run the repo (allow) or divert to
pending_changes returning 202 (suggest). Owner and worker actors stay
on the allow path. requireOwner helper added for Task 11.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-31 21:03:52 +10:00

98 lines
3.3 KiB
JavaScript
Raw Blame History

import { Router } from 'express';
import { z } from 'zod';
import * as repo from '../../db/repos/projects.js';
import { validate } from '../validate.js';
import { NotFoundError, ValidationError, asyncWrap } from '../errors.js';
import { requireWrite, divertToPending } from '../cap.js';
const STATUSES = ['idea', 'active', 'paused', 'done', 'abandoned'];
const createSchema = z.object({
slug: z.string().min(1).max(64).regex(/^[a-z0-9-]+$/),
name: z.string().min(1).max(200),
description: z.string().optional(),
status: z.enum(STATUSES).optional(),
started_at: z.string().datetime().nullable().optional()
});
const patchSchema = z.object({
slug: z.string().min(1).max(64).regex(/^[a-z0-9-]+$/).optional(),
name: z.string().min(1).max(200).optional(),
description: z.string().nullable().optional(),
status: z.enum(STATUSES).optional(),
started_at: z.string().datetime().nullable().optional(),
completed_at: z.string().datetime().nullable().optional()
});
const idParams = z.object({ id: z.string().uuid() });
const spaceParams = z.object({ space_id: z.string().uuid() });
export const spacesScopedRouter = Router({ mergeParams: true });
export const router = Router();
spacesScopedRouter.get('/',
validate({ params: spaceParams, query: z.object({ status: z.enum(STATUSES).optional() }) }),
asyncWrap(async (req, res) => {
res.json(await repo.listBySpace(req.params.space_id, { status: req.validatedQuery.status }));
})
);
spacesScopedRouter.post('/',
requireWrite('project'),
validate({ params: spaceParams, body: createSchema }),
asyncWrap(async (req, res) => {
const payload = { ...req.body, space_id: req.params.space_id };
if (req.capTier === 'suggest') {
return divertToPending(req, res, { entity_type: 'project', action: 'create', payload });
}
try {
const row = await repo.create(payload, req.actor);
res.status(201).json(row);
} catch (e) {
if (e.code === '23503') throw new ValidationError('invalid space', { space_id: req.params.space_id });
throw e;
}
})
);
router.get('/:id',
validate({ params: idParams }),
asyncWrap(async (req, res) => {
const row = await repo.getById(req.params.id);
if (!row) throw new NotFoundError('project not found');
res.json(row);
})
);
router.patch('/:id',
requireWrite('project'),
validate({ params: idParams, body: patchSchema }),
asyncWrap(async (req, res) => {
const existing = await repo.getById(req.params.id);
if (!existing) throw new NotFoundError('project not found');
if (req.capTier === 'suggest') {
return divertToPending(req, res, {
entity_type: 'project', entity_id: req.params.id, action: 'update', payload: req.body
});
}
const row = await repo.update(req.params.id, req.body, req.actor);
res.json(row);
})
);
router.delete('/:id',
requireWrite('project'),
validate({ params: idParams }),
asyncWrap(async (req, res) => {
const existing = await repo.getById(req.params.id);
if (!existing) throw new NotFoundError('project not found');
if (req.capTier === 'suggest') {
return divertToPending(req, res, {
entity_type: 'project', entity_id: req.params.id, action: 'delete', payload: {}
});
}
await repo.del(req.params.id, req.actor);
res.status(204).end();
})
);
Reference in New Issue View Git Blame Copy Permalink