feat: ProductMember — team management for product backlogs

- Add ProductMember model (many-to-many User ↔ Product) - Add productAccessFilter helper (owner OR member OR clause) - Replace all ownership checks across actions and API routes - Add addProductMemberAction / removeProductMemberAction / leaveProductAction - Add TeamManager component in product settings (owner adds/removes Developers) - Add LeaveProductButton in user settings (member leaves a product team) - Regenerate Prisma Client after schema migration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 13:09:44 +02:00 · 2026-04-25 13:09:44 +02:00 · 357b1e32e8
commit 357b1e32e8
parent fc12e3cc64
18 changed files with 370 additions and 82 deletions
--- a/app/api/products/[id]/next-story/route.ts
+++ b/app/api/products/[id]/next-story/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'

 export async function GET(
  request: Request,
@ -13,7 +14,7 @@ export async function GET(
  const { id } = await params

  const sprint = await prisma.sprint.findFirst({
-    where: { product_id: id, status: 'ACTIVE', product: { user_id: auth.userId } },
+    where: { product_id: id, status: 'ACTIVE', product: productAccessFilter(auth.userId) },
  })
  if (!sprint) {
    return Response.json({ error: 'Geen actieve Sprint gevonden' }, { status: 404 })
--- a/app/api/sprints/[id]/tasks/route.ts
+++ b/app/api/sprints/[id]/tasks/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'

 export async function GET(
  request: Request,
@ -16,7 +17,7 @@ export async function GET(
  const limit = Math.min(Math.max(1, limitParam), 50)

  const sprint = await prisma.sprint.findFirst({
-    where: { id, product: { user_id: auth.userId } },
+    where: { id, product: productAccessFilter(auth.userId) },
  })
  if (!sprint) {
    return Response.json({ error: 'Sprint niet gevonden' }, { status: 404 })
--- a/app/api/stories/[id]/log/route.ts
+++ b/app/api/stories/[id]/log/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

 const logSchema = z.discriminatedUnion('type', [
@ -35,7 +36,7 @@ export async function POST(
  const { id: storyId } = await params

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: auth.userId } },
+    where: { id: storyId, product: productAccessFilter(auth.userId) },
  })
  if (!story) {
    return Response.json({ error: 'Story niet gevonden' }, { status: 404 })
--- a/app/api/stories/[id]/tasks/reorder/route.ts
+++ b/app/api/stories/[id]/tasks/reorder/route.ts
@ -1,5 +1,6 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

 const bodySchema = z.object({
@ -27,7 +28,7 @@ export async function PATCH(
  }

  const story = await prisma.story.findFirst({
-    where: { id: storyId, product: { user_id: auth.userId } },
+    where: { id: storyId, product: productAccessFilter(auth.userId) },
    include: { tasks: { select: { id: true } } },
  })
  if (!story) {
--- a/app/api/tasks/[id]/route.ts
+++ b/app/api/tasks/[id]/route.ts
@ -1,10 +1,16 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

-const patchSchema = z.object({
-  status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']),
-})
+const patchSchema = z
+  .object({
+    status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']).optional(),
+    implementation_plan: z.string().optional(),
+  })
+  .refine((data) => data.status !== undefined || data.implementation_plan !== undefined, {
+    message: 'Geef minimaal status of implementation_plan mee',
+  })

 export async function PATCH(
  request: Request,
@ -21,15 +27,11 @@ export async function PATCH(
  const { id } = await params

  const task = await prisma.task.findFirst({
-    where: { id },
-    include: { story: { include: { product: true } } },
+    where: { id, story: { product: productAccessFilter(auth.userId) } },
  })
  if (!task) {
    return Response.json({ error: 'Taak niet gevonden' }, { status: 404 })
  }
-  if (task.story.product.user_id !== auth.userId) {
-    return Response.json({ error: 'Geen toegang' }, { status: 403 })
-  }

  const body = await request.json().catch(() => null)
  const parsed = patchSchema.safeParse(body)
@ -39,8 +41,17 @@ export async function PATCH(

  const updated = await prisma.task.update({
    where: { id },
-    data: { status: parsed.data.status },
+    data: {
+      ...(parsed.data.status !== undefined && { status: parsed.data.status }),
+      ...(parsed.data.implementation_plan !== undefined && {
+        implementation_plan: parsed.data.implementation_plan,
+      }),
+    },
  })

-  return Response.json({ id: updated.id, status: updated.status })
+  return Response.json({
+    id: updated.id,
+    status: updated.status,
+    implementation_plan: updated.implementation_plan,
+  })
 }