Add customizable home dashboard with per-user pinned apps

- Users can pin/unpin any available service on their home page via a Customize mode; preferences persisted via PATCH /api/users/me/preferences - Time-aware greeting renders the user's display name through React JSX (HTML-escaped by design — no dangerouslySetInnerHTML used) - Added dashboard_app_ids JSON column to users table (migration c7e8f9a0b1d2) - /settings now routes to a placeholder page Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 21:15:33 +02:00
parent 6d626ff266
commit ab15c17ffb
11 changed files with 365 additions and 8 deletions
@@ -25,6 +25,8 @@ JWT signing uses a 4096-bit RSA key pair (`RS256`). Keys are generated by `scrip
 | Method | Path | Description |
 |--------|------|-------------|
 | `GET` | `/api/users/me` | Current user info |
+| `GET` | `/api/users/me/preferences` | User's dashboard preferences (`app_ids` list) |
+| `PATCH` | `/api/users/me/preferences` | Update pinned app IDs (max 50; validated as safe slugs) |

 ### Profile (`/api/profile`)

@@ -84,7 +86,7 @@ All `/api/documents/*` and `/api/documents/categories/*` requests are transparen

 | Model | Table | Notes |
 |-------|-------|-------|
-| `User` | `users` | email, hashed_password, role (`user`\|`admin`), is_active |
+| `User` | `users` | email, hashed_password, role (`user`\|`admin`), is_active, dashboard_app_ids (JSON) |
 | `Profile` | `profiles` | one-to-one with User; full_name, phone, etc. |
 | `Group` | `groups` | name (unique), description, created_at |
 | `GroupMembership` | `group_memberships` | group_id + user_id (unique pair); joined_at |
@@ -0,0 +1,28 @@
+"""add dashboard_app_ids to users
+
+Revision ID: c7e8f9a0b1d2
+Revises: a3f9c2d14e87
+Create Date: 2026-04-17 14:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision: str = 'c7e8f9a0b1d2'
+down_revision: Union[str, None] = 'a3f9c2d14e87'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column(
+        'users',
+        sa.Column('dashboard_app_ids', sa.JSON(), nullable=False, server_default='[]'),
+    )
+
+
+def downgrade() -> None:
+    op.drop_column('users', 'dashboard_app_ids')
@@ -1,7 +1,7 @@
 import uuid
 from typing import TYPE_CHECKING

-from sqlalchemy import Boolean, String
+from sqlalchemy import Boolean, JSON, String
 from sqlalchemy.orm import Mapped, mapped_column, relationship

 from app.database import Base
@@ -21,6 +21,8 @@ class User(Base):
    # Role flag — True = admin, False = regular user.
    # Never exposed in API responses; set only by direct DB or admin tooling.
    is_superuser: Mapped[bool] = mapped_column(Boolean, default=False)
+    # List of service IDs pinned to the user's home dashboard.
+    dashboard_app_ids: Mapped[list] = mapped_column(JSON, nullable=False, default=list)

    profile: Mapped["Profile"] = relationship(
        "Profile", back_populates="user", uselist=False, cascade="all, delete-orphan"
@@ -1,8 +1,10 @@
 from fastapi import APIRouter, Depends
+from sqlalchemy.ext.asyncio import AsyncSession

+from app.database import get_db
 from app.deps import get_current_user
 from app.models.user import User
-from app.schemas.user import UserOut
+from app.schemas.user import DashboardPrefsOut, DashboardPrefsUpdate, UserOut

 router = APIRouter()

@@ -10,3 +12,20 @@ router = APIRouter()
@router.get("/me", response_model=UserOut)
 async def get_me(current_user: User = Depends(get_current_user)):
    return current_user
+
+
+@router.get("/me/preferences", response_model=DashboardPrefsOut)
+async def get_preferences(current_user: User = Depends(get_current_user)):
+    return DashboardPrefsOut(app_ids=current_user.dashboard_app_ids or [])
+
+
+@router.patch("/me/preferences", response_model=DashboardPrefsOut)
+async def update_preferences(
+    body: DashboardPrefsUpdate,
+    current_user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    current_user.dashboard_app_ids = body.app_ids
+    await db.commit()
+    await db.refresh(current_user)
+    return DashboardPrefsOut(app_ids=current_user.dashboard_app_ids or [])
@@ -96,3 +96,24 @@ class UserAdminCreate(UserCreate):
 class Token(BaseModel):
    access_token: str
    token_type: str = "bearer"
+
+
+# ── Dashboard preferences ──────────────────────────────────────────────────────
+
+class DashboardPrefsOut(BaseModel):
+    app_ids: list[str]
+
+
+class DashboardPrefsUpdate(BaseModel):
+    app_ids: list[str] = Field(default_factory=list)
+
+    @field_validator("app_ids")
+    @classmethod
+    def validate_app_ids(cls, v: list[str]) -> list[str]:
+        if len(v) > 50:
+            raise ValueError("Cannot pin more than 50 apps")
+        for item in v:
+            # Service IDs are alphanumeric slugs or UUIDs — no HTML/script allowed.
+            if not re.match(r'^[a-zA-Z0-9_\-]{1,64}$', item):
+                raise ValueError(f"Invalid app ID: {item!r}")
+        return v