9ede795c5b
Enforce workspace isolation at every layer: - Router: move RequireWorkspaceMember middleware to group level so ALL workspace-scoped routes (issues, agents, skills, runtimes, inbox, comments) require workspace context - SQL: add GetXxxInWorkspace queries that filter by workspace_id, eliminating cross-workspace data access at the query level - Handlers: loadXForUser functions use workspace-scoped queries, no fallback to unscoped queries - Migration 025: add workspace_id column to comment table with backfill - ListComments: add workspace_id filter for defense-in-depth Fix daemon workspace mapping: - Server returns workspace_id in task claim response (from issue) - Daemon uses task.WorkspaceID directly instead of unreliable workspaceIDForRuntime() local map lookup - Remove workspaceIDForRuntime function Fix agent/human parity: - Comment update/delete: use resolveActor for isAuthor check so agents can edit/delete their own comments - Event attribution: replace hardcoded "member" with resolveActor in agent, skill, and subscriber publish calls Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
148 lines
4.2 KiB
Go
148 lines
4.2 KiB
Go
package handler
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
db "github.com/multica-ai/multica/server/pkg/db/generated"
|
|
"github.com/multica-ai/multica/server/pkg/protocol"
|
|
)
|
|
|
|
// SubscriberResponse is the JSON shape returned for each issue subscriber.
|
|
type SubscriberResponse struct {
|
|
IssueID string `json:"issue_id"`
|
|
UserType string `json:"user_type"`
|
|
UserID string `json:"user_id"`
|
|
Reason string `json:"reason"`
|
|
CreatedAt string `json:"created_at"`
|
|
}
|
|
|
|
func subscriberToResponse(s db.IssueSubscriber) SubscriberResponse {
|
|
return SubscriberResponse{
|
|
IssueID: uuidToString(s.IssueID),
|
|
UserType: s.UserType,
|
|
UserID: uuidToString(s.UserID),
|
|
Reason: s.Reason,
|
|
CreatedAt: timestampToString(s.CreatedAt),
|
|
}
|
|
}
|
|
|
|
// ListIssueSubscribers returns all subscribers for an issue.
|
|
func (h *Handler) ListIssueSubscribers(w http.ResponseWriter, r *http.Request) {
|
|
issueID := chi.URLParam(r, "id")
|
|
issue, ok := h.loadIssueForUser(w, r, issueID)
|
|
if !ok {
|
|
return
|
|
}
|
|
|
|
subscribers, err := h.Queries.ListIssueSubscribers(r.Context(), issue.ID)
|
|
if err != nil {
|
|
writeError(w, http.StatusInternalServerError, "failed to list subscribers")
|
|
return
|
|
}
|
|
|
|
resp := make([]SubscriberResponse, len(subscribers))
|
|
for i, s := range subscribers {
|
|
resp[i] = subscriberToResponse(s)
|
|
}
|
|
|
|
writeJSON(w, http.StatusOK, resp)
|
|
}
|
|
|
|
// SubscribeToIssue subscribes a user to an issue with reason "manual".
|
|
// If request body contains user_id, subscribes that user; otherwise subscribes the caller.
|
|
func (h *Handler) SubscribeToIssue(w http.ResponseWriter, r *http.Request) {
|
|
issueID := chi.URLParam(r, "id")
|
|
issue, ok := h.loadIssueForUser(w, r, issueID)
|
|
if !ok {
|
|
return
|
|
}
|
|
|
|
// Default to current user as member; allow specifying another user/agent
|
|
targetUserID := requestUserID(r)
|
|
targetUserType := "member"
|
|
var req struct {
|
|
UserID *string `json:"user_id"`
|
|
UserType *string `json:"user_type"`
|
|
}
|
|
if r.Body != nil {
|
|
json.NewDecoder(r.Body).Decode(&req)
|
|
}
|
|
if req.UserID != nil && *req.UserID != "" {
|
|
targetUserID = *req.UserID
|
|
}
|
|
if req.UserType != nil && *req.UserType != "" {
|
|
targetUserType = *req.UserType
|
|
}
|
|
|
|
err := h.Queries.AddIssueSubscriber(r.Context(), db.AddIssueSubscriberParams{
|
|
IssueID: issue.ID,
|
|
UserType: targetUserType,
|
|
UserID: parseUUID(targetUserID),
|
|
Reason: "manual",
|
|
})
|
|
if err != nil {
|
|
writeError(w, http.StatusInternalServerError, "failed to subscribe")
|
|
return
|
|
}
|
|
|
|
workspaceID := uuidToString(issue.WorkspaceID)
|
|
callerID := requestUserID(r)
|
|
subActorType, subActorID := h.resolveActor(r, callerID, workspaceID)
|
|
h.publish(protocol.EventSubscriberAdded, workspaceID, subActorType, subActorID, map[string]any{
|
|
"issue_id": issueID,
|
|
"user_type": targetUserType,
|
|
"user_id": targetUserID,
|
|
"reason": "manual",
|
|
})
|
|
|
|
writeJSON(w, http.StatusOK, map[string]bool{"subscribed": true})
|
|
}
|
|
|
|
// UnsubscribeFromIssue removes a user's subscription from an issue.
|
|
// If request body contains user_id, unsubscribes that user; otherwise unsubscribes the caller.
|
|
func (h *Handler) UnsubscribeFromIssue(w http.ResponseWriter, r *http.Request) {
|
|
issueID := chi.URLParam(r, "id")
|
|
issue, ok := h.loadIssueForUser(w, r, issueID)
|
|
if !ok {
|
|
return
|
|
}
|
|
|
|
targetUserID := requestUserID(r)
|
|
targetUserType := "member"
|
|
var req struct {
|
|
UserID *string `json:"user_id"`
|
|
UserType *string `json:"user_type"`
|
|
}
|
|
if r.Body != nil {
|
|
json.NewDecoder(r.Body).Decode(&req)
|
|
}
|
|
if req.UserID != nil && *req.UserID != "" {
|
|
targetUserID = *req.UserID
|
|
}
|
|
if req.UserType != nil && *req.UserType != "" {
|
|
targetUserType = *req.UserType
|
|
}
|
|
|
|
err := h.Queries.RemoveIssueSubscriber(r.Context(), db.RemoveIssueSubscriberParams{
|
|
IssueID: issue.ID,
|
|
UserType: targetUserType,
|
|
UserID: parseUUID(targetUserID),
|
|
})
|
|
if err != nil {
|
|
writeError(w, http.StatusInternalServerError, "failed to unsubscribe")
|
|
return
|
|
}
|
|
|
|
workspaceID := uuidToString(issue.WorkspaceID)
|
|
callerID := requestUserID(r)
|
|
unsubActorType, unsubActorID := h.resolveActor(r, callerID, workspaceID)
|
|
h.publish(protocol.EventSubscriberRemoved, workspaceID, unsubActorType, unsubActorID, map[string]any{
|
|
"issue_id": issueID,
|
|
"user_type": targetUserType,
|
|
"user_id": targetUserID,
|
|
})
|
|
|
|
writeJSON(w, http.StatusOK, map[string]bool{"subscribed": false})
|
|
}
|