fix(issues): board polish — blocked column, drag fix, comment perms, task cleanup

- Add "blocked" to STATUS_ORDER/ALL_STATUSES and board visible columns - Add min-h-[200px] to droppable columns for reliable empty-column drops - Fix card click-vs-drag conflict with pointer-events-none on Link - List view uses STATUS_ORDER from config instead of hardcoded order - Create Issue dialog: add AssigneePicker for assigning on creation - Issue detail page syncs from global useIssueStore for real-time updates - Comment UpdateComment/DeleteComment: add author-or-admin permission check - DeleteIssue: cancel running agent tasks before deletion Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 10:32:25 +08:00 · 2026-03-25 10:32:25 +08:00 · 2c02aa357d
commit 2c02aa357d
parent 9127e543d5
7 changed files with 125 additions and 62 deletions
--- a/server/internal/handler/comment.go
+++ b/server/internal/handler/comment.go
@ -105,6 +105,37 @@ func (h *Handler) CreateComment(w http.ResponseWriter, r *http.Request) {
 func (h *Handler) UpdateComment(w http.ResponseWriter, r *http.Request) {
 	commentId := chi.URLParam(r, "commentId")

+	userID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+
+	// Load comment to check ownership
+	existing, err := h.Queries.GetComment(r.Context(), parseUUID(commentId))
+	if err != nil {
+		writeError(w, http.StatusNotFound, "comment not found")
+		return
+	}
+
+	// Load issue to get workspace
+	issue, err := h.Queries.GetIssue(r.Context(), existing.IssueID)
+	if err != nil {
+		writeError(w, http.StatusNotFound, "comment not found")
+		return
+	}
+
+	member, ok := h.requireWorkspaceMember(w, r, uuidToString(issue.WorkspaceID), "comment not found")
+	if !ok {
+		return
+	}
+
+	isAuthor := existing.AuthorType == "member" && uuidToString(existing.AuthorID) == userID
+	isAdmin := roleAllowed(member.Role, "owner", "admin")
+	if !isAuthor && !isAdmin {
+		writeError(w, http.StatusForbidden, "only comment author or admin can edit")
+		return
+	}
+
 	var req struct {
 		Content string `json:"content"`
 	}
@ -127,18 +158,18 @@ func (h *Handler) UpdateComment(w http.ResponseWriter, r *http.Request) {
 	}

 	resp := commentToResponse(comment)
-	userID := requestUserID(r)
-	workspaceID := ""
-	if issue, err := h.Queries.GetIssue(r.Context(), comment.IssueID); err == nil {
-		workspaceID = uuidToString(issue.WorkspaceID)
-	}
-	h.publish(protocol.EventCommentUpdated, workspaceID, "member", userID, map[string]any{"comment": resp})
+	h.publish(protocol.EventCommentUpdated, uuidToString(issue.WorkspaceID), "member", userID, map[string]any{"comment": resp})
 	writeJSON(w, http.StatusOK, resp)
 }

 func (h *Handler) DeleteComment(w http.ResponseWriter, r *http.Request) {
 	commentId := chi.URLParam(r, "commentId")

+	userID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+
 	// Get the comment first to know the issue_id for the broadcast
 	comment, err := h.Queries.GetComment(r.Context(), parseUUID(commentId))
 	if err != nil {
@ -146,17 +177,31 @@ func (h *Handler) DeleteComment(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Load issue to get workspace
+	issue, err := h.Queries.GetIssue(r.Context(), comment.IssueID)
+	if err != nil {
+		writeError(w, http.StatusNotFound, "comment not found")
+		return
+	}
+
+	member, ok := h.requireWorkspaceMember(w, r, uuidToString(issue.WorkspaceID), "comment not found")
+	if !ok {
+		return
+	}
+
+	isAuthor := comment.AuthorType == "member" && uuidToString(comment.AuthorID) == userID
+	isAdmin := roleAllowed(member.Role, "owner", "admin")
+	if !isAuthor && !isAdmin {
+		writeError(w, http.StatusForbidden, "only comment author or admin can delete")
+		return
+	}
+
 	if err := h.Queries.DeleteComment(r.Context(), parseUUID(commentId)); err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to delete comment")
 		return
 	}

-	userID := requestUserID(r)
-	workspaceID := ""
-	if issue, err := h.Queries.GetIssue(r.Context(), comment.IssueID); err == nil {
-		workspaceID = uuidToString(issue.WorkspaceID)
-	}
-	h.publish(protocol.EventCommentDeleted, workspaceID, "member", userID, map[string]any{
+	h.publish(protocol.EventCommentDeleted, uuidToString(issue.WorkspaceID), "member", userID, map[string]any{
 		"comment_id": commentId,
 		"issue_id":   uuidToString(comment.IssueID),
 	})