fix(workspace): permission enforcement, invite auto-create, switch clears stores

- DeleteAgent: require owner/admin role (was member-only check) - ListAgentTasks: add workspace membership verification (was unauthenticated) - CreateMember: auto-create user if email not found (enables invite flow) - Workspace switch: clear issue/inbox/agent stores before hydrating new data Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 10:46:53 +08:00 · 2026-03-25 10:46:53 +08:00 · 0ea9c38071
commit 0ea9c38071
parent 2c02aa357d
5 changed files with 45 additions and 21 deletions
--- a/server/internal/handler/agent.go
+++ b/server/internal/handler/agent.go
@ -393,6 +393,11 @@ func (h *Handler) DeleteAgent(w http.ResponseWriter, r *http.Request) {
 	}
 	wsID := uuidToString(agent.WorkspaceID)

+	// Require owner or admin role
+	if _, ok := h.requireWorkspaceRole(w, r, wsID, "agent not found", "owner", "admin"); !ok {
+		return
+	}
+
 	err := h.Queries.DeleteAgent(r.Context(), parseUUID(id))
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to delete agent")
@ -406,6 +411,10 @@ func (h *Handler) DeleteAgent(w http.ResponseWriter, r *http.Request) {

 func (h *Handler) ListAgentTasks(w http.ResponseWriter, r *http.Request) {
 	id := chi.URLParam(r, "id")
+	if _, ok := h.loadAgentForUser(w, r, id); !ok {
+		return
+	}
+
 	tasks, err := h.Queries.ListAgentTasks(r.Context(), parseUUID(id))
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to list agent tasks")
--- a/server/internal/handler/workspace.go
+++ b/server/internal/handler/workspace.go
@ -338,11 +338,19 @@ func (h *Handler) CreateMember(w http.ResponseWriter, r *http.Request) {
 	user, err := h.Queries.GetUserByEmail(r.Context(), email)
 	if err != nil {
 		if isNotFound(err) {
-			writeError(w, http.StatusNotFound, "user not found")
+			// Auto-create user with email so they can be invited before signing up
+			user, err = h.Queries.CreateUser(r.Context(), db.CreateUserParams{
+				Name:  email,
+				Email: email,
+			})
+			if err != nil {
+				writeError(w, http.StatusInternalServerError, "failed to create user")
+				return
+			}
+		} else {
+			writeError(w, http.StatusInternalServerError, "failed to load user")
 			return
 		}
-		writeError(w, http.StatusInternalServerError, "failed to load user")
-		return
 	}

 	member, err := h.Queries.CreateMember(r.Context(), db.CreateMemberParams{