dragonflight

WildDragonLLC/dragonflight

Fork 0

Commit graph

Author	SHA1	Message	Date
Zac	ec026195eb	feat(mam-api,web-ui): per-project RBAC (v2 auth layer) Adds per-project access control on top of the flat v1 auth. admin keeps global access; editor/viewer are scoped to projects granted to them (direct or via group) at view (read-only) or edit (read-write) level. - migration 026: project_access table + access_level enum - src/auth/authz.js: central isAdmin/accessibleProjectIds/projectLevel/ assertProjectAccess - requireAdmin middleware; admin-gate /users, /auth/users, /groups - enforce scoping on projects, assets, bins (list filter + per-resource view/edit + create checks); gate bulk asset maintenance + batch-trim - grant API: GET/POST/DELETE /projects/:id/access - web-ui: hide admin nav for non-admins, admin-route bounce, project "Manage access" modal, rewrite Policies tab - tests: authz, project-access, assets-access (node:test, skip w/o DB) - deferred routers carry TODO(authz) markers; .env.example documents the service-token-needs-admin/grants requirement Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-30 02:37:36 +00:00
ZGaetano	4172b0d70a	rip out entire auth/login flow - remove requireAuth from all route files - delete auth.js, tokens.js, users.js routes - delete auth middleware - remove session middleware and all auth deps from index.js - delete login.html and auth-guard.js from web-ui	2026-05-27 03:39:58 +00:00
claude	90a9e4361a	feat(comments): persistent frame-anchored comments on asset detail - migration 010: asset_comments table (id, asset_id, user_id, body, frame_ms, resolved, timestamps) with index on asset_id+created_at - new routes mounted at /api/v1/assets/:assetId/comments — GET/POST/ PATCH/DELETE with author join (display_name + initials), nullable user_id so comments still attach when AUTH_ENABLED is off - Asset detail loads comments from the API on mount instead of the empty ZAMPP_DATA.COMMENTS seed; addComment POSTs and merges the returned row; resolved-toggle and delete are wired - CommentsList: new trash-icon delete action per comment, helpful empty-state copy ('Add one below to mark a frame'), tooltips on the timestamp and resolved buttons Now editor comments survive page reload, are visible to other users via the same API, and pin reliably to frame_ms (integer) instead of a parsed HH:MM:SS:FF string.	2026-05-23 04:21:11 +00:00

Author

SHA1

Message

Date

Zac

ec026195eb

feat(mam-api,web-ui): per-project RBAC (v2 auth layer)

Adds per-project access control on top of the flat v1 auth. admin keeps
global access; editor/viewer are scoped to projects granted to them (direct
or via group) at view (read-only) or edit (read-write) level.

- migration 026: project_access table + access_level enum
- src/auth/authz.js: central isAdmin/accessibleProjectIds/projectLevel/
  assertProjectAccess
- requireAdmin middleware; admin-gate /users, /auth/users, /groups
- enforce scoping on projects, assets, bins (list filter + per-resource
  view/edit + create checks); gate bulk asset maintenance + batch-trim
- grant API: GET/POST/DELETE /projects/:id/access
- web-ui: hide admin nav for non-admins, admin-route bounce, project
  "Manage access" modal, rewrite Policies tab
- tests: authz, project-access, assets-access (node:test, skip w/o DB)
- deferred routers carry TODO(authz) markers; .env.example documents the
  service-token-needs-admin/grants requirement

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-30 02:37:36 +00:00

ZGaetano

4172b0d70a

rip out entire auth/login flow

- remove requireAuth from all route files
- delete auth.js, tokens.js, users.js routes
- delete auth middleware
- remove session middleware and all auth deps from index.js
- delete login.html and auth-guard.js from web-ui

2026-05-27 03:39:58 +00:00

claude

90a9e4361a

feat(comments): persistent frame-anchored comments on asset detail

- migration 010: asset_comments table (id, asset_id, user_id, body,
  frame_ms, resolved, timestamps) with index on asset_id+created_at
- new routes mounted at /api/v1/assets/:assetId/comments — GET/POST/
  PATCH/DELETE with author join (display_name + initials), nullable
  user_id so comments still attach when AUTH_ENABLED is off
- Asset detail loads comments from the API on mount instead of the
  empty ZAMPP_DATA.COMMENTS seed; addComment POSTs and merges the
  returned row; resolved-toggle and delete are wired
- CommentsList: new trash-icon delete action per comment, helpful
  empty-state copy ('Add one below to mark a frame'), tooltips on
  the timestamp and resolved buttons

Now editor comments survive page reload, are visible to other users
via the same API, and pin reliably to frame_ms (integer) instead of
a parsed HH:MM:SS:FF string.

2026-05-23 04:21:11 +00:00

3 commits