feat: ProductMember — team management for product backlogs

- Add ProductMember model (many-to-many User ↔ Product) - Add productAccessFilter helper (owner OR member OR clause) - Replace all ownership checks across actions and API routes - Add addProductMemberAction / removeProductMemberAction / leaveProductAction - Add TeamManager component in product settings (owner adds/removes Developers) - Add LeaveProductButton in user settings (member leaves a product team) - Regenerate Prisma Client after schema migration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 13:09:44 +02:00 · 2026-04-25 13:09:44 +02:00 · 357b1e32e8
commit 357b1e32e8
parent fc12e3cc64
18 changed files with 370 additions and 82 deletions
--- a/app/api/tasks/[id]/route.ts
+++ b/app/api/tasks/[id]/route.ts
@ -1,10 +1,16 @@
 import { authenticateApiRequest } from '@/lib/api-auth'
 import { prisma } from '@/lib/prisma'
+import { productAccessFilter } from '@/lib/product-access'
 import { z } from 'zod'

-const patchSchema = z.object({
-  status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']),
-})
+const patchSchema = z
+  .object({
+    status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']).optional(),
+    implementation_plan: z.string().optional(),
+  })
+  .refine((data) => data.status !== undefined || data.implementation_plan !== undefined, {
+    message: 'Geef minimaal status of implementation_plan mee',
+  })

 export async function PATCH(
  request: Request,
@ -21,15 +27,11 @@ export async function PATCH(
  const { id } = await params

  const task = await prisma.task.findFirst({
-    where: { id },
-    include: { story: { include: { product: true } } },
+    where: { id, story: { product: productAccessFilter(auth.userId) } },
  })
  if (!task) {
    return Response.json({ error: 'Taak niet gevonden' }, { status: 404 })
  }
-  if (task.story.product.user_id !== auth.userId) {
-    return Response.json({ error: 'Geen toegang' }, { status: 403 })
-  }

  const body = await request.json().catch(() => null)
  const parsed = patchSchema.safeParse(body)
@ -39,8 +41,17 @@ export async function PATCH(

  const updated = await prisma.task.update({
    where: { id },
-    data: { status: parsed.data.status },
+    data: {
+      ...(parsed.data.status !== undefined && { status: parsed.data.status }),
+      ...(parsed.data.implementation_plan !== undefined && {
+        implementation_plan: parsed.data.implementation_plan,
+      }),
+    },
  })

-  return Response.json({ id: updated.id, status: updated.status })
+  return Response.json({
+    id: updated.id,
+    status: updated.status,
+    implementation_plan: updated.implementation_plan,
+  })
 }