feat: ProductMember — team management for product backlogs

- Add ProductMember model (many-to-many User ↔ Product) - Add productAccessFilter helper (owner OR member OR clause) - Replace all ownership checks across actions and API routes - Add addProductMemberAction / removeProductMemberAction / leaveProductAction - Add TeamManager component in product settings (owner adds/removes Developers) - Add LeaveProductButton in user settings (member leaves a product team) - Regenerate Prisma Client after schema migration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 13:09:44 +02:00 · 2026-04-25 13:09:44 +02:00 · 357b1e32e8
commit 357b1e32e8
parent fc12e3cc64
18 changed files with 370 additions and 82 deletions
--- a/app/(app)/products/[id]/settings/page.tsx
+++ b/app/(app)/products/[id]/settings/page.tsx
@ -5,6 +5,7 @@ import { SessionData, sessionOptions } from '@/lib/session'
 import { prisma } from '@/lib/prisma'
 import { ProductForm } from '@/components/products/product-form'
 import { ArchiveProductButton } from '@/components/products/archive-product-button'
+import { TeamManager } from '@/components/products/team-manager'
 import { updateProductAction } from '@/actions/products'
 import Link from 'next/link'

@ -20,9 +21,17 @@ export default async function ProductSettingsPage({ params }: Props) {

  const product = await prisma.product.findFirst({
    where: { id, user_id: session.userId },
+    include: {
+      members: {
+        include: { user: { select: { id: true, username: true } } },
+        orderBy: { created_at: 'asc' },
+      },
+    },
  })
  if (!product) notFound()

+  const members = product.members.map(m => ({ id: m.user.id, username: m.user.username }))
+
  return (
    <div className="p-6 max-w-2xl mx-auto w-full">
      <div className="flex items-center gap-3 mb-6">
@ -45,7 +54,17 @@ export default async function ProductSettingsPage({ params }: Props) {
        }}
      />

-      <div className="mt-10 pt-6 border-t border-border">
+      <div className="mt-8 pt-6 border-t border-border space-y-3">
+        <div>
+          <h2 className="text-sm font-medium text-foreground">Team</h2>
+          <p className="text-xs text-muted-foreground mt-0.5">
+            Voeg Developers toe die aan dit product mogen werken. Alleen gebruikers met de rol Developer kunnen worden toegevoegd.
+          </p>
+        </div>
+        <TeamManager productId={id} members={members} />
+      </div>
+
+      <div className="mt-8 pt-6 border-t border-border">
        <h2 className="text-sm font-medium text-foreground mb-3">Gevaarlijke zone</h2>
        <div className="bg-error-container/30 border border-error/20 rounded-xl p-4 flex items-center justify-between gap-4">
          <div>
--- a/app/(app)/settings/page.tsx
+++ b/app/(app)/settings/page.tsx
@ -3,14 +3,20 @@ import { getIronSession } from 'iron-session'
 import { SessionData, sessionOptions } from '@/lib/session'
 import { prisma } from '@/lib/prisma'
 import { RoleManager } from '@/components/settings/role-manager'
+import { LeaveProductButton } from '@/components/settings/leave-product-button'
 import Link from 'next/link'

 export default async function SettingsPage() {
  const session = await getIronSession<SessionData>(await cookies(), sessionOptions)

-  const [user, userRoles] = await Promise.all([
+  const [user, userRoles, memberships] = await Promise.all([
    prisma.user.findUnique({ where: { id: session.userId }, select: { username: true } }),
    prisma.userRole.findMany({ where: { user_id: session.userId } }),
+    prisma.productMember.findMany({
+      where: { user_id: session.userId },
+      include: { product: { select: { id: true, name: true, user: { select: { username: true } } } } },
+      orderBy: { created_at: 'asc' },
+    }),
  ])
  const currentRoles = userRoles.map(r => r.role as string)

@ -28,6 +34,28 @@ export default async function SettingsPage() {

      <RoleManager currentRoles={currentRoles} isDemo={session.isDemo ?? false} />

+      {memberships.length > 0 && (
+        <div className="bg-surface-container-low border border-border rounded-xl p-5 space-y-3">
+          <div>
+            <h2 className="text-sm font-medium text-foreground">Mijn teams</h2>
+            <p className="text-xs text-muted-foreground mt-0.5">
+              Products waarbij je als Developer bent toegevoegd.
+            </p>
+          </div>
+          <ul className="space-y-2">
+            {memberships.map(m => (
+              <li key={m.product.id} className="flex items-center justify-between gap-3 rounded-lg bg-surface-container px-3 py-2">
+                <div>
+                  <p className="text-sm font-medium text-foreground">{m.product.name}</p>
+                  <p className="text-xs text-muted-foreground">Eigenaar: {m.product.user.username}</p>
+                </div>
+                {!session.isDemo && <LeaveProductButton productId={m.product.id} />}
+              </li>
+            ))}
+          </ul>
+        </div>
+      )}
+
      <div className="bg-surface-container-low border border-border rounded-xl p-5 space-y-3">
        <div className="flex items-center justify-between">
          <h2 className="text-sm font-medium text-foreground">API Tokens</h2>
--- a/app/api/products/[id]/next-story/route.ts
+++ b/app/api/products/[id]/next-story/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'

 export async function GET(
  request: Request,
@ -13,7 +14,7 @@ export async function GET(
  const { id } = await params

  const sprint = await prisma.sprint.findFirst({
-    where: { product_id: id, status: 'ACTIVE', product: { user_id: auth.userId } },
+    where: { product_id: id, status: 'ACTIVE', product: productAccessFilter(auth.userId) },
  })
  if (!sprint) {
    return Response.json({ error: 'Geen actieve Sprint gevonden' }, { status: 404 })
--- a/app/api/sprints/[id]/tasks/route.ts
+++ b/app/api/sprints/[id]/tasks/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'

 export async function GET(
  request: Request,
@ -16,7 +17,7 @@ export async function GET(
  const limit = Math.min(Math.max(1, limitParam), 50)

  const sprint = await prisma.sprint.findFirst({
-    where: { id, product: { user_id: auth.userId } },
+    where: { id, product: productAccessFilter(auth.userId) },
  })
  if (!sprint) {
    return Response.json({ error: 'Sprint niet gevonden' }, { status: 404 })
--- a/app/api/stories/[id]/log/route.ts
+++ b/app/api/stories/[id]/log/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

 const logSchema = z.discriminatedUnion('type', [
@ -35,7 +36,7 @@ export async function POST(
  const { id: storyId } = await params

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: auth.userId } },
+    where: { id: storyId, product: productAccessFilter(auth.userId) },
  })
  if (!story) {
    return Response.json({ error: 'Story niet gevonden' }, { status: 404 })
--- a/app/api/stories/[id]/tasks/reorder/route.ts
+++ b/app/api/stories/[id]/tasks/reorder/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

 const bodySchema = z.object({
@ -27,7 +28,7 @@ export async function PATCH(
  }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: auth.userId } },
+    where: { id: storyId, product: productAccessFilter(auth.userId) },
    include: { tasks: { select: { id: true } } },
  })
  if (!story) {
--- a/app/api/tasks/[id]/route.ts
+++ b/app/api/tasks/[id]/route.ts
@ -1,10 +1,16 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

-const patchSchema = z.object({
-  status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']),
-})
+const patchSchema = z
+  .object({
+    status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']).optional(),
+    implementation_plan: z.string().optional(),
+  })
+  .refine((data) => data.status !== undefined || data.implementation_plan !== undefined, {
+    message: 'Geef minimaal status of implementation_plan mee',
+  })

 export async function PATCH(
  request: Request,
@ -21,15 +27,11 @@ export async function PATCH(
  const { id } = await params

  const task = await prisma.task.findFirst({
-    where: { id },
-    include: { story: { include: { product: true } } },
+    where: { id, story: { product: productAccessFilter(auth.userId) } },
  })
  if (!task) {
    return Response.json({ error: 'Taak niet gevonden' }, { status: 404 })
  }
-  if (task.story.product.user_id !== auth.userId) {
-    return Response.json({ error: 'Geen toegang' }, { status: 403 })
-  }

  const body = await request.json().catch(() => null)
  const parsed = patchSchema.safeParse(body)
@ -39,8 +41,17 @@ export async function PATCH(

  const updated = await prisma.task.update({
    where: { id },
-    data: { status: parsed.data.status },
+    data: {
+      ...(parsed.data.status !== undefined && { status: parsed.data.status }),
+      ...(parsed.data.implementation_plan !== undefined && {
+        implementation_plan: parsed.data.implementation_plan,
+      }),
+    },
  })

-  return Response.json({ id: updated.id, status: updated.status })
+  return Response.json({
+    id: updated.id,
+    status: updated.status,
+    implementation_plan: updated.implementation_plan,
+  })
 }