tududi/backend/services/execAction.js

const { sequelize, Action } = require('../models');
const { isAdmin } = require('./rolesService');
const { applyPerms } = require('./applyPerms');
const { calculateProjectPerms, calculateTaskPerms, calculateNotePerms, calculateAreaPerms, calculateTagPerms } = require('./permissionsCalculators');

async function assertActorCanShare(actorUserId, resourceType, resourceOwnerId) {
  if (await isAdmin(actorUserId)) return;
  if (resourceOwnerId !== actorUserId) {
    const err = new Error('Forbidden');
    err.status = 403;
    throw err;
  }
}

async function execAction(action) {
  // action: { verb, actorUserId, targetUserId, resourceType, resourceUid, accessLevel? }
  return await sequelize.transaction(async (tx) => {
    // Resolve owner id for authorization (basic impl for projects; extend later)
    let ownerUserId = null;
    if (action.resourceType === 'project') {
      const { Project } = require('../models');
      const proj = await Project.findOne({ where: { uid: action.resourceUid }, attributes: ['user_id'], transaction: tx, lock: tx.LOCK.UPDATE });
      if (!proj) {
        const err = new Error('Resource not found');
        err.status = 404;
        throw err;
      }
      ownerUserId = proj.user_id;
    }

    await assertActorCanShare(action.actorUserId, action.resourceType, ownerUserId);

    const actionRow = await Action.create({
      actor_user_id: action.actorUserId,
      verb: action.verb,
      resource_type: action.resourceType,
      resource_uid: action.resourceUid,
      target_user_id: action.targetUserId,
      access_level: action.accessLevel || null,
      metadata: null,
    }, { transaction: tx });

    let changes = { upserts: [], deletes: [] };
    const ctx = { tx };

    if (action.resourceType === 'project') {
      changes = await calculateProjectPerms(ctx, action);
    } else if (action.resourceType === 'task') {
      changes = await calculateTaskPerms(ctx, action);
    } else if (action.resourceType === 'note') {
      changes = await calculateNotePerms(ctx, action);
    } else if (action.resourceType === 'area') {
      changes = await calculateAreaPerms(ctx, action);
    } else if (action.resourceType === 'tag') {
      changes = await calculateTagPerms(ctx, action);
    }

    // Attach source_action_id
    changes.upserts = changes.upserts.map((u) => ({ ...u, source_action_id: actionRow.id }));

    await applyPerms(tx, changes);

    return actionRow.id;
  });
}

module.exports = { execAction };