feat: add modal-edit permissions for projects milestones and tasks

app/api/routers/milestones.py

@@ -7,7 +7,7 @@ from typing import List
 
 from app.core.config import get_db
 from app.api.deps import get_current_user_or_apikey
-from app.api.rbac import check_project_role
+from app.api.rbac import check_project_role, ensure_can_edit_milestone
 from app.models import models
 from app.models.milestone import Milestone
 from app.models.task import Task, TaskStatus, TaskPriority
@@ -30,6 +30,7 @@ def _serialize_milestone(milestone):
         "depend_on_milestones": json.loads(milestone.depend_on_milestones) if milestone.depend_on_milestones else [],
         "depend_on_tasks": json.loads(milestone.depend_on_tasks) if milestone.depend_on_tasks else [],
         "project_id": milestone.project_id,
+        "created_by_id": milestone.created_by_id,
         "created_at": milestone.created_at,
         "updated_at": milestone.updated_at,
     }
@@ -58,7 +59,7 @@ def create_milestone(project_id: int, milestone: schemas.MilestoneCreate, db: Se
         data["depend_on_milestones"] = json.dumps(data["depend_on_milestones"])
     if data.get("depend_on_tasks"):
         data["depend_on_tasks"] = json.dumps(data["depend_on_tasks"])
-    db_milestone = Milestone(project_id=project_id, milestone_code=milestone_code, **data)
+    db_milestone = Milestone(project_id=project_id, milestone_code=milestone_code, created_by_id=current_user.id, **data)
     db.add(db_milestone)
     db.commit()
     db.refresh(db_milestone)
@@ -76,10 +77,10 @@ def get_milestone(project_id: int, milestone_id: int, db: Session = Depends(get_
 
 @router.patch("/{milestone_id}", response_model=schemas.MilestoneResponse)
 def update_milestone(project_id: int, milestone_id: int, milestone: schemas.MilestoneUpdate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
-    check_project_role(db, current_user.id, project_id, min_role="mgr")
     db_milestone = db.query(Milestone).filter(Milestone.id == milestone_id, Milestone.project_id == project_id).first()
     if not db_milestone:
         raise HTTPException(status_code=404, detail="Milestone not found")
+    ensure_can_edit_milestone(db, current_user.id, db_milestone)
     data = milestone.model_dump(exclude_unset=True)
     if "depend_on_milestones" in data:
         data["depend_on_milestones"] = json.dumps(data["depend_on_milestones"]) if data["depend_on_milestones"] else None

app/api/routers/misc.py

@@ -13,6 +13,7 @@ from pydantic import BaseModel
 
 from app.core.config import get_db
 from app.api.deps import get_current_user_or_apikey
+from app.api.rbac import ensure_can_edit_milestone
 from app.models import models
 from app.models.apikey import APIKey
 from app.models.activity import ActivityLog
@@ -126,6 +127,7 @@ def create_milestone(ms: schemas.MilestoneCreate, db: Session = Depends(get_db),
         data["depend_on_tasks"] = None
     
     db_ms = MilestoneModel(**data)
+    db_ms.created_by_id = current_user.id
     db_ms.milestone_code = milestone_code
     db.add(db_ms)
     db.commit()
@@ -152,10 +154,11 @@ def get_milestone(milestone_id: int, db: Session = Depends(get_db)):
 
 
 @router.patch("/milestones/{milestone_id}", response_model=schemas.MilestoneResponse, tags=["Milestones"])
-def update_milestone(milestone_id: int, ms_update: schemas.MilestoneUpdate, db: Session = Depends(get_db)):
+def update_milestone(milestone_id: int, ms_update: schemas.MilestoneUpdate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
     ms = db.query(MilestoneModel).filter(MilestoneModel.id == milestone_id).first()
     if not ms:
         raise HTTPException(status_code=404, detail="Milestone not found")
+    ensure_can_edit_milestone(db, current_user.id, ms)
     for field, value in ms_update.model_dump(exclude_unset=True).items():
         setattr(ms, field, value)
     db.commit()

app/api/routers/projects.py

@@ -10,7 +10,7 @@ from app.models import models
 from app.models.role_permission import Role
 from app.schemas import schemas
 from app.api.deps import get_current_user_or_apikey
-from app.api.rbac import check_project_role, check_permission
+from app.api.rbac import check_project_role, check_permission, ensure_can_edit_project
 
 router = APIRouter(prefix="/projects", tags=["Projects"])
 
@@ -197,10 +197,10 @@ def update_project(
     db: Session = Depends(get_db),
     current_user: models.User = Depends(get_current_user_or_apikey),
 ):
-    check_project_role(db, current_user.id, project_id, min_role="mgr")
     project = db.query(models.Project).filter(models.Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    ensure_can_edit_project(db, current_user.id, project)
     update_data = project_update.model_dump(exclude_unset=True)
     update_data.pop("name", None)
     if "sub_projects" in update_data and update_data["sub_projects"]:

app/api/routers/tasks.py

@@ -14,7 +14,7 @@ from app.schemas import schemas
 from app.services.webhook import fire_webhooks_sync
 from app.models.notification import Notification as NotificationModel
 from app.api.deps import get_current_user_or_apikey
-from app.api.rbac import check_project_role
+from app.api.rbac import check_project_role, ensure_can_edit_task
 from app.services.activity import log_activity
 
 router = APIRouter(tags=["Tasks"])
@@ -162,7 +162,7 @@ def update_task(task_id: int, task_update: schemas.TaskUpdate, db: Session = Dep
     task = db.query(Task).filter(Task.id == task_id).first()
     if not task:
         raise HTTPException(status_code=404, detail="Task not found")
-    check_project_role(db, current_user.id, task.project_id, min_role="dev")
+    ensure_can_edit_task(db, current_user.id, task)
     
     update_data = task_update.model_dump(exclude_unset=True)
     if "status" in update_data: