feat: ProductMember — team management for product backlogs

- Add ProductMember model (many-to-many User ↔ Product) - Add productAccessFilter helper (owner OR member OR clause) - Replace all ownership checks across actions and API routes - Add addProductMemberAction / removeProductMemberAction / leaveProductAction - Add TeamManager component in product settings (owner adds/removes Developers) - Add LeaveProductButton in user settings (member leaves a product team) - Regenerate Prisma Client after schema migration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 13:09:44 +02:00 · 2026-04-25 13:09:44 +02:00 · 357b1e32e8
commit 357b1e32e8
parent fc12e3cc64
18 changed files with 370 additions and 82 deletions
--- a/actions/pbis.ts
+++ b/actions/pbis.ts
@ -6,15 +6,12 @@ import { getIronSession } from 'iron-session'
 import { z } from 'zod'
 import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
+import { getAccessibleProduct } from '@/lib/product-access'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
 }

-async function verifyProductOwnership(productId: string, userId: string) {
-  return prisma.product.findFirst({ where: { id: productId, user_id: userId } })
-}
-
 const createPbiSchema = z.object({
  productId: z.string(),
  title: z.string().min(1, 'Titel is verplicht').max(200),
@ -40,7 +37,7 @@ export async function createPbiAction(_prevState: unknown, formData: FormData) {
  })
  if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }

-  const product = await verifyProductOwnership(parsed.data.productId, session.userId)
+  const product = await getAccessibleProduct(parsed.data.productId, session.userId)
  if (!product) return { error: 'Product niet gevonden' }

  const last = await prisma.pbi.findFirst({
@ -79,7 +76,9 @@ export async function updatePbiAction(_prevState: unknown, formData: FormData) {
    where: { id: parsed.data.id },
    include: { product: true },
  })
-  if (!pbi || pbi.product.user_id !== session.userId) return { error: 'PBI niet gevonden' }
+  if (!pbi) return { error: 'PBI niet gevonden' }
+  const accessible = await getAccessibleProduct(pbi.product_id, session.userId)
+  if (!accessible) return { error: 'PBI niet gevonden' }

  await prisma.pbi.update({
    where: { id: parsed.data.id },
@ -103,7 +102,9 @@ export async function deletePbiAction(id: string) {
    where: { id },
    include: { product: true },
  })
-  if (!pbi || pbi.product.user_id !== session.userId) return { error: 'PBI niet gevonden' }
+  if (!pbi) return { error: 'PBI niet gevonden' }
+  const accessible = await getAccessibleProduct(pbi.product_id, session.userId)
+  if (!accessible) return { error: 'PBI niet gevonden' }

  await prisma.pbi.delete({ where: { id } })

--- a/actions/products.ts
+++ b/actions/products.ts
@ -7,6 +7,7 @@ import { getIronSession } from 'iron-session'
 import { z } from 'zod'
 import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
+import { Role } from '@prisma/client'

 const productSchema = z.object({
  name: z.string().min(1, 'Naam is verplicht').max(100, 'Naam mag maximaal 100 tekens bevatten'),
@ -137,3 +138,64 @@ export async function restoreProductAction(id: string) {
  revalidatePath('/dashboard')
  return { success: true }
 }
+
+export async function addProductMemberAction(_prevState: unknown, formData: FormData) {
+  const session = await getSession()
+  if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+
+  const productId = formData.get('productId') as string
+  const username = (formData.get('username') as string)?.trim().toLowerCase()
+
+  if (!username) return { error: 'Gebruikersnaam is verplicht' }
+
+  const product = await prisma.product.findFirst({ where: { id: productId, user_id: session.userId } })
+  if (!product) return { error: 'Product niet gevonden of geen eigenaar' }
+
+  const targetUser = await prisma.user.findUnique({
+    where: { username },
+    include: { roles: true },
+  })
+  if (!targetUser) return { error: 'Gebruiker niet gevonden' }
+  if (targetUser.is_demo) return { error: 'Demo-gebruiker kan niet worden toegevoegd' }
+  if (targetUser.id === session.userId) return { error: 'Je bent al eigenaar van dit product' }
+
+  const hasDeveloperRole = targetUser.roles.some(r => r.role === Role.DEVELOPER)
+  if (!hasDeveloperRole) return { error: `Gebruiker "${username}" heeft geen Developer-rol` }
+
+  const existing = await prisma.productMember.findUnique({
+    where: { product_id_user_id: { product_id: productId, user_id: targetUser.id } },
+  })
+  if (existing) return { error: 'Gebruiker is al lid van dit product' }
+
+  await prisma.productMember.create({
+    data: { product_id: productId, user_id: targetUser.id },
+  })
+
+  revalidatePath(`/products/${productId}/settings`)
+  return { success: true }
+}
+
+export async function removeProductMemberAction(productId: string, memberId: string) {
+  const session = await getSession()
+  if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+
+  const product = await prisma.product.findFirst({ where: { id: productId, user_id: session.userId } })
+  if (!product) return { error: 'Product niet gevonden of geen eigenaar' }
+
+  await prisma.productMember.deleteMany({ where: { product_id: productId, user_id: memberId } })
+
+  revalidatePath(`/products/${productId}/settings`)
+  return { success: true }
+}
+
+export async function leaveProductAction(productId: string) {
+  const session = await getSession()
+  if (!session.userId) return { error: 'Niet ingelogd' }
+
+  await prisma.productMember.deleteMany({ where: { product_id: productId, user_id: session.userId } })
+
+  revalidatePath('/settings')
+  return { success: true }
+}
--- a/actions/sprints.ts
+++ b/actions/sprints.ts
@ -6,17 +6,12 @@ import { getIronSession } from 'iron-session'
 import { z } from 'zod'
 import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
+import { getAccessibleProduct, productAccessFilter } from '@/lib/product-access'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
 }

-async function verifyProductOwnership(productId: string, userId: string) {
-  return prisma.product.findFirst({ where: { id: productId, user_id: userId } })
-}
-
-// --- Sprint ---
-
 export async function createSprintAction(_prevState: unknown, formData: FormData) {
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
@ -31,7 +26,7 @@ export async function createSprintAction(_prevState: unknown, formData: FormData
  })
  if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }

-  const product = await verifyProductOwnership(parsed.data.productId, session.userId)
+  const product = await getAccessibleProduct(parsed.data.productId, session.userId)
  if (!product) return { error: 'Product niet gevonden' }

  const existing = await prisma.sprint.findFirst({
@ -61,7 +56,7 @@ export async function updateSprintGoalAction(_prevState: unknown, formData: Form
  if (!sprint_goal?.trim()) return { error: 'Sprint Goal is verplicht' }

  const sprint = await prisma.sprint.findFirst({
-    where: { id, product: { user_id: session.userId } },
+    where: { id, product: productAccessFilter(session.userId) },
  })
  if (!sprint) return { error: 'Sprint niet gevonden' }

@ -76,16 +71,15 @@ export async function addStoryToSprintAction(sprintId: string, storyId: string)
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const sprint = await prisma.sprint.findFirst({
-    where: { id: sprintId, product: { user_id: session.userId } },
+    where: { id: sprintId, product: productAccessFilter(session.userId) },
  })
  if (!sprint) return { error: 'Sprint niet gevonden' }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: session.userId } },
+    where: { id: storyId, product: productAccessFilter(session.userId) },
  })
  if (!story) return { error: 'Story niet gevonden' }

-  // Sort order = last in sprint + 1
  const last = await prisma.story.findFirst({
    where: { sprint_id: sprintId },
    orderBy: { sort_order: 'desc' },
@ -107,20 +101,18 @@ export async function removeStoryFromSprintAction(storyId: string) {
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: session.userId } },
+    where: { id: storyId, product: productAccessFilter(session.userId) },
    include: { sprint: true },
  })
  if (!story) return { error: 'Story niet gevonden' }

-  const productId = story.product_id
-
  await prisma.story.update({
    where: { id: storyId },
    data: { sprint_id: null, status: 'OPEN' },
  })

-  revalidatePath(`/products/${productId}/sprint`)
-  revalidatePath(`/products/${productId}`)
+  revalidatePath(`/products/${story.product_id}/sprint`)
+  revalidatePath(`/products/${story.product_id}`)
  return { success: true }
 }

@ -130,7 +122,7 @@ export async function reorderSprintStoriesAction(sprintId: string, orderedIds: s
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const sprint = await prisma.sprint.findFirst({
-    where: { id: sprintId, product: { user_id: session.userId } },
+    where: { id: sprintId, product: productAccessFilter(session.userId) },
  })
  if (!sprint) return { error: 'Sprint niet gevonden' }

@ -153,12 +145,11 @@ export async function completeSprintAction(
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const sprint = await prisma.sprint.findFirst({
-    where: { id: sprintId, product: { user_id: session.userId } },
+    where: { id: sprintId, product: productAccessFilter(session.userId) },
  })
  if (!sprint) return { error: 'Sprint niet gevonden' }

  await prisma.$transaction([
-    // Update all story statuses based on decisions
    ...Object.entries(decisions).map(([storyId, status]) =>
      prisma.story.update({
        where: { id: storyId },
@ -168,7 +159,6 @@ export async function completeSprintAction(
        },
      })
    ),
-    // Close the sprint
    prisma.sprint.update({
      where: { id: sprintId },
      data: { status: 'COMPLETED', completed_at: new Date() },
--- a/actions/stories.ts
+++ b/actions/stories.ts
@ -6,14 +6,15 @@ import { getIronSession } from 'iron-session'
 import { z } from 'zod'
 import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
+import { getAccessibleProduct, productAccessFilter } from '@/lib/product-access'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
 }

-async function verifyStoryOwnership(storyId: string, userId: string) {
+async function verifyStoryAccess(storyId: string, userId: string) {
  return prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: userId } },
+    where: { id: storyId, product: productAccessFilter(userId) },
    include: { product: true },
  })
 }
@ -46,9 +47,8 @@ export async function createStoryAction(_prevState: unknown, formData: FormData)
  })
  if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }

-  // Verify ownership via product
  const pbi = await prisma.pbi.findFirst({
-    where: { id: parsed.data.pbiId, product: { user_id: session.userId } },
+    where: { id: parsed.data.pbiId, product: productAccessFilter(session.userId) },
  })
  if (!pbi) return { error: 'PBI niet gevonden' }

@ -87,7 +87,7 @@ export async function updateStoryAction(_prevState: unknown, formData: FormData)
  })
  if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }

-  const story = await verifyStoryOwnership(parsed.data.id, session.userId)
+  const story = await verifyStoryAccess(parsed.data.id, session.userId)
  if (!story) return { error: 'Story niet gevonden' }

  await prisma.story.update({
@ -109,7 +109,7 @@ export async function deleteStoryAction(id: string) {
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

-  const story = await verifyStoryOwnership(id, session.userId)
+  const story = await verifyStoryAccess(id, session.userId)
  if (!story) return { error: 'Story niet gevonden' }

  await prisma.story.delete({ where: { id } })
@ -123,9 +123,7 @@ export async function reorderPbisAction(productId: string, orderedIds: string[])
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

-  const product = await prisma.product.findFirst({
-    where: { id: productId, user_id: session.userId },
-  })
+  const product = await getAccessibleProduct(productId, session.userId)
  if (!product) return { error: 'Product niet gevonden' }

  await prisma.$transaction(
@ -144,11 +142,10 @@ export async function updatePbiPriorityAction(pbiId: string, priority: number, p
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const pbi = await prisma.pbi.findFirst({
-    where: { id: pbiId, product: { user_id: session.userId } },
+    where: { id: pbiId, product: productAccessFilter(session.userId) },
  })
  if (!pbi) return { error: 'PBI niet gevonden' }

-  // Place at the end of the target priority group
  const last = await prisma.pbi.findFirst({
    where: { product_id: productId, priority },
    orderBy: { sort_order: 'desc' },
@ -168,7 +165,7 @@ export async function getStoryLogsAction(storyId: string) {
  if (!session.userId) return { error: 'Niet ingelogd' }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: session.userId } },
+    where: { id: storyId, product: productAccessFilter(session.userId) },
    include: { product: { select: { repo_url: true } } },
  })
  if (!story) return { error: 'Story niet gevonden' }
@ -204,7 +201,7 @@ export async function reorderStoriesAction(
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const pbi = await prisma.pbi.findFirst({
-    where: { id: pbiId, product: { user_id: session.userId } },
+    where: { id: pbiId, product: productAccessFilter(session.userId) },
  })
  if (!pbi) return { error: 'PBI niet gevonden' }

--- a/actions/tasks.ts
+++ b/actions/tasks.ts
@ -6,6 +6,7 @@ import { getIronSession } from 'iron-session'
 import { z } from 'zod'
 import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
+import { productAccessFilter } from '@/lib/product-access'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -33,7 +34,7 @@ export async function createTaskAction(_prevState: unknown, formData: FormData)
  if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: session.userId } },
+    where: { id: storyId, product: productAccessFilter(session.userId) },
  })
  if (!story) return { error: 'Story niet gevonden' }

@ -72,10 +73,10 @@ export async function updateTaskAction(_prevState: unknown, formData: FormData)
  if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }

  const task = await prisma.task.findFirst({
-    where: { id },
-    include: { story: { include: { product: true } } },
+    where: { id, story: { product: productAccessFilter(session.userId) } },
+    include: { story: true },
  })
-  if (!task || task.story.product.user_id !== session.userId) return { error: 'Taak niet gevonden' }
+  if (!task) return { error: 'Taak niet gevonden' }

  await prisma.task.update({
    where: { id },
@ -92,10 +93,10 @@ export async function updateTaskStatusAction(id: string, status: 'TO_DO' | 'IN_P
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const task = await prisma.task.findFirst({
-    where: { id },
-    include: { story: { include: { product: true } } },
+    where: { id, story: { product: productAccessFilter(session.userId) } },
+    include: { story: true },
  })
-  if (!task || task.story.product.user_id !== session.userId) return { error: 'Taak niet gevonden' }
+  if (!task) return { error: 'Taak niet gevonden' }

  await prisma.task.update({ where: { id }, data: { status } })

@ -109,10 +110,10 @@ export async function deleteTaskAction(id: string) {
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const task = await prisma.task.findFirst({
-    where: { id },
-    include: { story: { include: { product: true } } },
+    where: { id, story: { product: productAccessFilter(session.userId) } },
+    include: { story: true },
  })
-  if (!task || task.story.product.user_id !== session.userId) return { error: 'Taak niet gevonden' }
+  if (!task) return { error: 'Taak niet gevonden' }

  await prisma.task.delete({ where: { id } })

@ -126,7 +127,7 @@ export async function reorderTasksAction(storyId: string, orderedIds: string[])
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: session.userId } },
+    where: { id: storyId, product: productAccessFilter(session.userId) },
  })
  if (!story) return { error: 'Story niet gevonden' }

--- a/app/(app)/products/[id]/settings/page.tsx
+++ b/app/(app)/products/[id]/settings/page.tsx
@ -5,6 +5,7 @@ import { SessionData, sessionOptions } from '@/lib/session'
 import { prisma } from '@/lib/prisma'
 import { ProductForm } from '@/components/products/product-form'
 import { ArchiveProductButton } from '@/components/products/archive-product-button'
+import { TeamManager } from '@/components/products/team-manager'
 import { updateProductAction } from '@/actions/products'
 import Link from 'next/link'

@ -20,9 +21,17 @@ export default async function ProductSettingsPage({ params }: Props) {

  const product = await prisma.product.findFirst({
    where: { id, user_id: session.userId },
+    include: {
+      members: {
+        include: { user: { select: { id: true, username: true } } },
+        orderBy: { created_at: 'asc' },
+      },
+    },
  })
  if (!product) notFound()

+  const members = product.members.map(m => ({ id: m.user.id, username: m.user.username }))
+
  return (
    <div className="p-6 max-w-2xl mx-auto w-full">
      <div className="flex items-center gap-3 mb-6">
@ -45,7 +54,17 @@ export default async function ProductSettingsPage({ params }: Props) {
        }}
      />

-      <div className="mt-10 pt-6 border-t border-border">
+      <div className="mt-8 pt-6 border-t border-border space-y-3">
+        <div>
+          <h2 className="text-sm font-medium text-foreground">Team</h2>
+          <p className="text-xs text-muted-foreground mt-0.5">
+            Voeg Developers toe die aan dit product mogen werken. Alleen gebruikers met de rol Developer kunnen worden toegevoegd.
+          </p>
+        </div>
+        <TeamManager productId={id} members={members} />
+      </div>
+
+      <div className="mt-8 pt-6 border-t border-border">
        <h2 className="text-sm font-medium text-foreground mb-3">Gevaarlijke zone</h2>
        <div className="bg-error-container/30 border border-error/20 rounded-xl p-4 flex items-center justify-between gap-4">
          <div>
--- a/app/(app)/settings/page.tsx
+++ b/app/(app)/settings/page.tsx
@ -3,14 +3,20 @@ import { getIronSession } from 'iron-session'
 import { SessionData, sessionOptions } from '@/lib/session'
 import { prisma } from '@/lib/prisma'
 import { RoleManager } from '@/components/settings/role-manager'
+import { LeaveProductButton } from '@/components/settings/leave-product-button'
 import Link from 'next/link'

 export default async function SettingsPage() {
  const session = await getIronSession<SessionData>(await cookies(), sessionOptions)

-  const [user, userRoles] = await Promise.all([
+  const [user, userRoles, memberships] = await Promise.all([
    prisma.user.findUnique({ where: { id: session.userId }, select: { username: true } }),
    prisma.userRole.findMany({ where: { user_id: session.userId } }),
+    prisma.productMember.findMany({
+      where: { user_id: session.userId },
+      include: { product: { select: { id: true, name: true, user: { select: { username: true } } } } },
+      orderBy: { created_at: 'asc' },
+    }),
  ])
  const currentRoles = userRoles.map(r => r.role as string)

@ -28,6 +34,28 @@ export default async function SettingsPage() {

      <RoleManager currentRoles={currentRoles} isDemo={session.isDemo ?? false} />

+      {memberships.length > 0 && (
+        <div className="bg-surface-container-low border border-border rounded-xl p-5 space-y-3">
+          <div>
+            <h2 className="text-sm font-medium text-foreground">Mijn teams</h2>
+            <p className="text-xs text-muted-foreground mt-0.5">
+              Products waarbij je als Developer bent toegevoegd.
+            </p>
+          </div>
+          <ul className="space-y-2">
+            {memberships.map(m => (
+              <li key={m.product.id} className="flex items-center justify-between gap-3 rounded-lg bg-surface-container px-3 py-2">
+                <div>
+                  <p className="text-sm font-medium text-foreground">{m.product.name}</p>
+                  <p className="text-xs text-muted-foreground">Eigenaar: {m.product.user.username}</p>
+                </div>
+                {!session.isDemo && <LeaveProductButton productId={m.product.id} />}
+              </li>
+            ))}
+          </ul>
+        </div>
+      )}
+
      <div className="bg-surface-container-low border border-border rounded-xl p-5 space-y-3">
        <div className="flex items-center justify-between">
          <h2 className="text-sm font-medium text-foreground">API Tokens</h2>
--- a/app/api/products/[id]/next-story/route.ts
+++ b/app/api/products/[id]/next-story/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'

 export async function GET(
  request: Request,
@ -13,7 +14,7 @@ export async function GET(
  const { id } = await params

  const sprint = await prisma.sprint.findFirst({
-    where: { product_id: id, status: 'ACTIVE', product: { user_id: auth.userId } },
+    where: { product_id: id, status: 'ACTIVE', product: productAccessFilter(auth.userId) },
  })
  if (!sprint) {
    return Response.json({ error: 'Geen actieve Sprint gevonden' }, { status: 404 })
--- a/app/api/sprints/[id]/tasks/route.ts
+++ b/app/api/sprints/[id]/tasks/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'

 export async function GET(
  request: Request,
@ -16,7 +17,7 @@ export async function GET(
  const limit = Math.min(Math.max(1, limitParam), 50)

  const sprint = await prisma.sprint.findFirst({
-    where: { id, product: { user_id: auth.userId } },
+    where: { id, product: productAccessFilter(auth.userId) },
  })
  if (!sprint) {
    return Response.json({ error: 'Sprint niet gevonden' }, { status: 404 })
--- a/app/api/stories/[id]/log/route.ts
+++ b/app/api/stories/[id]/log/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

 const logSchema = z.discriminatedUnion('type', [
@ -35,7 +36,7 @@ export async function POST(
  const { id: storyId } = await params

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: auth.userId } },
+    where: { id: storyId, product: productAccessFilter(auth.userId) },
  })
  if (!story) {
    return Response.json({ error: 'Story niet gevonden' }, { status: 404 })
--- a/app/api/stories/[id]/tasks/reorder/route.ts
+++ b/app/api/stories/[id]/tasks/reorder/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

 const bodySchema = z.object({
@ -27,7 +28,7 @@ export async function PATCH(
  }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: auth.userId } },
+    where: { id: storyId, product: productAccessFilter(auth.userId) },
    include: { tasks: { select: { id: true } } },
  })
  if (!story) {
--- a/app/api/tasks/[id]/route.ts
+++ b/app/api/tasks/[id]/route.ts
@ -1,10 +1,16 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

-const patchSchema = z.object({
-  status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']),
-})
+const patchSchema = z
+  .object({
+    status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']).optional(),
+    implementation_plan: z.string().optional(),
+  })
+  .refine((data) => data.status !== undefined || data.implementation_plan !== undefined, {
+    message: 'Geef minimaal status of implementation_plan mee',
+  })

 export async function PATCH(
  request: Request,
@ -21,15 +27,11 @@ export async function PATCH(
  const { id } = await params

  const task = await prisma.task.findFirst({
-    where: { id },
-    include: { story: { include: { product: true } } },
+    where: { id, story: { product: productAccessFilter(auth.userId) } },
  })
  if (!task) {
    return Response.json({ error: 'Taak niet gevonden' }, { status: 404 })
  }
-  if (task.story.product.user_id !== auth.userId) {
-    return Response.json({ error: 'Geen toegang' }, { status: 403 })
-  }

  const body = await request.json().catch(() => null)
  const parsed = patchSchema.safeParse(body)
@ -39,8 +41,17 @@ export async function PATCH(

  const updated = await prisma.task.update({
    where: { id },
-    data: { status: parsed.data.status },
+    data: {
+      ...(parsed.data.status !== undefined && { status: parsed.data.status }),
+      ...(parsed.data.implementation_plan !== undefined && {
+        implementation_plan: parsed.data.implementation_plan,
+      }),
+    },
  })

-  return Response.json({ id: updated.id, status: updated.status })
+  return Response.json({
+    id: updated.id,
+    status: updated.status,
+    implementation_plan: updated.implementation_plan,
+  })
 }
--- a/components/products/team-manager.tsx
+++ b/components/products/team-manager.tsx
@ -0,0 +1,75 @@
+'use client'
+
+import { useActionState, useState, useTransition } from 'react'
+import { Button } from '@/components/ui/button'
+import { Input } from '@/components/ui/input'
+import { addProductMemberAction, removeProductMemberAction } from '@/actions/products'
+
+interface Member {
+  id: string
+  username: string
+}
+
+interface TeamManagerProps {
+  productId: string
+  members: Member[]
+}
+
+export function TeamManager({ productId, members }: TeamManagerProps) {
+  const [state, formAction, isPending] = useActionState(addProductMemberAction, null)
+  const [removingId, setRemovingId] = useState<string | null>(null)
+  const [, startTransition] = useTransition()
+
+  function handleRemove(memberId: string) {
+    setRemovingId(memberId)
+    startTransition(async () => {
+      await removeProductMemberAction(productId, memberId)
+      setRemovingId(null)
+    })
+  }
+
+  return (
+    <div className="space-y-4">
+      {members.length === 0 ? (
+        <p className="text-sm text-muted-foreground">Nog geen teamleden toegevoegd.</p>
+      ) : (
+        <ul className="space-y-2">
+          {members.map(m => (
+            <li key={m.id} className="flex items-center justify-between gap-3 rounded-lg bg-surface-container px-3 py-2">
+              <span className="text-sm font-medium text-foreground">{m.username}</span>
+              <Button
+                variant="ghost"
+                size="sm"
+                className="text-error hover:bg-error/10 h-7 px-2 text-xs"
+                disabled={removingId === m.id}
+                onClick={() => handleRemove(m.id)}
+              >
+                {removingId === m.id ? 'Verwijderen…' : 'Verwijder'}
+              </Button>
+            </li>
+          ))}
+        </ul>
+      )}
+
+      <form action={formAction} className="flex gap-2">
+        <input type="hidden" name="productId" value={productId} />
+        <Input
+          name="username"
+          placeholder="Gebruikersnaam van Developer"
+          className="flex-1"
+          disabled={isPending}
+        />
+        <Button type="submit" size="sm" disabled={isPending}>
+          {isPending ? 'Toevoegen…' : 'Toevoegen'}
+        </Button>
+      </form>
+
+      {state && 'error' in state && typeof state.error === 'string' && (
+        <p className="text-xs text-error">{state.error}</p>
+      )}
+      {state && 'success' in state && (
+        <p className="text-xs text-success">Teamlid toegevoegd.</p>
+      )}
+    </div>
+  )
+}
--- a/components/settings/leave-product-button.tsx
+++ b/components/settings/leave-product-button.tsx
@ -0,0 +1,44 @@
+'use client'
+
+import { useState, useTransition } from 'react'
+import { Button } from '@/components/ui/button'
+import { leaveProductAction } from '@/actions/products'
+
+interface LeaveProductButtonProps {
+  productId: string
+}
+
+export function LeaveProductButton({ productId }: LeaveProductButtonProps) {
+  const [confirming, setConfirming] = useState(false)
+  const [isPending, startTransition] = useTransition()
+
+  function handleLeave() {
+    startTransition(async () => {
+      await leaveProductAction(productId)
+    })
+  }
+
+  if (confirming) {
+    return (
+      <div className="flex gap-2 shrink-0">
+        <Button variant="destructive" size="sm" disabled={isPending} onClick={handleLeave}>
+          {isPending ? 'Bezig…' : 'Ja, verlaten'}
+        </Button>
+        <Button variant="ghost" size="sm" onClick={() => setConfirming(false)} disabled={isPending}>
+          Annuleren
+        </Button>
+      </div>
+    )
+  }
+
+  return (
+    <Button
+      variant="outline"
+      size="sm"
+      className="shrink-0 border-error/40 text-error hover:bg-error/10"
+      onClick={() => setConfirming(true)}
+    >
+      Verlaten
+    </Button>
+  )
+}
--- a/lib/product-access.ts
+++ b/lib/product-access.ts
@ -0,0 +1,18 @@
+import { prisma } from '@/lib/prisma'
+
+const accessFilter = (userId: string) => ({
+  OR: [
+    { user_id: userId },
+    { members: { some: { user_id: userId } } },
+  ],
+})
+
+export async function getAccessibleProduct(productId: string, userId: string) {
+  return prisma.product.findFirst({
+    where: { id: productId, ...accessFilter(userId) },
+  })
+}
+
+export function productAccessFilter(userId: string) {
+  return accessFilter(userId)
+}
--- a/prisma/migrations/20260425102419_add_task_implementation_plan/migration.sql
+++ b/prisma/migrations/20260425102419_add_task_implementation_plan/migration.sql
@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "tasks" ADD COLUMN     "implementation_plan" TEXT;
--- a/prisma/migrations/20260425110346_add_product_members/migration.sql
+++ b/prisma/migrations/20260425110346_add_product_members/migration.sql
@ -0,0 +1,21 @@
+-- CreateTable
+CREATE TABLE "product_members" (
+    "id" TEXT NOT NULL,
+    "product_id" TEXT NOT NULL,
+    "user_id" TEXT NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "product_members_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "product_members_user_id_idx" ON "product_members"("user_id");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "product_members_product_id_user_id_key" ON "product_members"("product_id", "user_id");
+
+-- AddForeignKey
+ALTER TABLE "product_members" ADD CONSTRAINT "product_members_product_id_fkey" FOREIGN KEY ("product_id") REFERENCES "products"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "product_members" ADD CONSTRAINT "product_members_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@ -41,16 +41,17 @@ enum SprintStatus {
 }

 model User {
-  id            String     @id @default(cuid())
-  username      String     @unique
-  password_hash String
-  is_demo       Boolean    @default(false)
-  created_at    DateTime   @default(now())
-  updated_at    DateTime   @updatedAt
-  roles         UserRole[]
-  api_tokens    ApiToken[]
-  products      Product[]
-  todos         Todo[]
+  id              String          @id @default(cuid())
+  username        String          @unique
+  password_hash   String
+  is_demo         Boolean         @default(false)
+  created_at      DateTime        @default(now())
+  updated_at      DateTime        @updatedAt
+  roles           UserRole[]
+  api_tokens      ApiToken[]
+  products        Product[]
+  todos           Todo[]
+  product_members ProductMember[]

  @@map("users")
 }
@ -79,20 +80,21 @@ model ApiToken {
 }

 model Product {
-  id                 String   @id @default(cuid())
-  user               User     @relation(fields: [user_id], references: [id], onDelete: Cascade)
+  id                 String          @id @default(cuid())
+  user               User            @relation(fields: [user_id], references: [id], onDelete: Cascade)
  user_id            String
  name               String
  description        String?
  repo_url           String?
  definition_of_done String
-  archived           Boolean  @default(false)
-  created_at         DateTime @default(now())
-  updated_at         DateTime @updatedAt
+  archived           Boolean         @default(false)
+  created_at         DateTime        @default(now())
+  updated_at         DateTime        @updatedAt
  pbis               Pbi[]
  sprints            Sprint[]
  stories            Story[]
  todos              Todo[]
+  members            ProductMember[]

  @@unique([user_id, name])
  @@index([user_id, archived])
@ -190,6 +192,19 @@ model Task {
  @@map("tasks")
 }

+model ProductMember {
+  id         String   @id @default(cuid())
+  product    Product  @relation(fields: [product_id], references: [id], onDelete: Cascade)
+  product_id String
+  user       User     @relation(fields: [user_id], references: [id], onDelete: Cascade)
+  user_id    String
+  created_at DateTime @default(now())
+
+  @@unique([product_id, user_id])
+  @@index([user_id])
+  @@map("product_members")
+}
+
 model Todo {
  id         String   @id @default(cuid())
  user       User     @relation(fields: [user_id], references: [id], onDelete: Cascade)