curo/Business-Management
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Business-Management/changelog/2026-04-18_document-delete-permissions.md
T
curo1305 6e5e5c08bf feat: document delete permissions + three-dots menu portal fix 
- Add can_delete column to document_shares (migration 0005)
- Inject x-user-is-admin header from backend proxy to doc-service
- Add get_user_is_admin() dep in doc-service
- Delete endpoint now allows: owner, admin, or group member with can_delete=true
- Watch documents (user_id='watch') deletable by admins only
- DocumentOut gains viewer_can_delete (computed per-request)
- Share UI: 'Allow group members to delete' checkbox + trash badge on shares
- RowActionsMenu dropdown portaled to document.body — fixes overflow-hidden clipping
- Delete mutation onError handler — no more silent failures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 21:39:01 +02:00

2.3 KiB
Raw Permalink Blame History

2026-04-18 — Document delete permissions + three-dots menu fix

Timestamp: 2026-04-18T00:00:00Z

Summary

Added a proper permission model for document deletion: owners and admins can always delete; group members can delete only when the share was explicitly granted can_delete=true. Fixed silent delete failures (watch docs returning 404 with no user feedback) and fixed the three-dots context menu being clipped by overflow-hidden on the table container.

Files Added / Modified / Deleted

Added

  • features/doc-service/alembic/versions/0005_add_share_can_delete.py — migration: adds can_delete BOOLEAN NOT NULL DEFAULT false to document_shares

Modified

  • features/doc-service/app/models/document_share.py — added can_delete: Mapped[bool] column
  • features/doc-service/app/schemas/share.py — added can_delete to DocumentShareOut and DocumentShareCreate; added viewer_can_delete to SharedDocumentOut
  • features/doc-service/app/schemas/document.py — added viewer_can_delete: bool = False to DocumentOut
  • features/doc-service/app/deps.py — added get_user_is_admin() dep reading x-user-is-admin header
  • features/doc-service/app/routers/documents.py — added _get_deletable_doc_ids() helper; updated list/get/delete endpoints with permission logic; updated add_share to store can_delete; updated shared-with-me to include viewer_can_delete
  • backend/app/routers/documents_proxy.py_forward_headers() now injects x-user-is-admin header
  • frontend/src/api/client.tsDocumentOut: added viewer_can_delete; DocumentShareOut: added can_delete; addDocumentShare: accepts canDelete param
  • frontend/src/pages/DocumentsPage.tsxRowActionsMenu: replaced absolute dropdown with createPortal to fix clipping; delete button now uses doc.viewer_can_delete; added onError handler for silent failures
  • frontend/src/components/DocumentSlideOver.tsx — sharing section: shows trash icon badge on shares with can_delete=true; added "Allow group members to delete" checkbox before group picker; delete button uses doc.viewer_can_delete
  • features/doc-service/CLAUDE.md — updated document_shares table docs + migration chain
  • backend/CLAUDE.md — noted x-user-is-admin header injection
Reference in New Issue View Git Blame Copy Permalink