docs(phase-4): complete 04-04 Sharing API plan — SUMMARY.md and STATE.md updated

- SUMMARY.md: documents all four endpoints, security invariants, and verification results
- STATE.md: advances to 4/9 plans; adds decisions for IDOR 404, route ordering, quota isolation
curo1305
2026-05-25 18:45:00 +02:00
parent 964128e143
commit 731857231f
2 changed files with 126 additions and 4 deletions
+8 -4
@@ -27,13 +27,13 @@ progress:
| 1 | Infrastructure Foundation | ✓ Complete |
| 2 | Users & Authentication | ✓ Complete (5/5 plans) |
| 3 | Document Migration & Multi-User Isolation | ✓ Complete (5/5 plans, 10/10 UAT, security gate passed) |
| 4 | Folders, Sharing, Quotas & Document UX | In Progress (3/9 plans complete) |
| 4 | Folders, Sharing, Quotas & Document UX | In Progress (4/9 plans complete) |
| 5 | Cloud Storage Backends | Not Started |
## Current Position
**Phase:** 04-folders-sharing-quotas-document-ux — In progress
**Plan:** 3/9 — Wave 0 scaffolds (04-01), migration 0004 + put_object_raw (04-02), Folders API + audit helper (04-03)
**Plan:** 4/9 — Wave 0 scaffolds (04-01), migration 0004 + put_object_raw (04-02), Folders API + audit helper (04-03), Sharing API (04-04)
**Progress:** ██████░░░░ 60% (3/5 phases complete)
## Performance Metrics
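Review bot: the `progress:` block named in this hunk's header is not touched by any of the three hunks in this file, which start at lines 27, 112 and 151. If that block carries a completed-plan count, it needs the same 3 to 4 bump as the phase table row and the **Plan:** line here; otherwise the file disagrees with itself.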
@@ -112,6 +112,9 @@ progress:
| Breadcrumb uses iterative Python parent-walk | Not WITH RECURSIVE — ensures SQLite unit tests pass; cycle guard (visited set) prevents infinite loop on malformed data |
| document_move_router is a separate APIRouter | PATCH /api/documents/{id}/folder placed in folders.py not documents.py; separate router with /api/documents prefix avoids circular import |
| FTS plainto_tsquery wrapped in try/except | SQLite silently degrades to unfiltered results when plainto_tsquery unavailable; PostgreSQL works fully — no unit test breakage |
| Share IDOR: DELETE returns 404 not 403 | Prevents share ID enumeration; attacker cannot learn which share IDs exist for other users (T-04-04-02) |
| /received before /{share_id} in router | Path parameter conflict: FastAPI routes /received as /{share_id}="received" if DELETE is defined first — ordering enforced by comment |
| No quota touch in shares.py | Recipient's quota is never modified by share operations (T-04-04-04); sharing is metadata-only from quota's perspective |
### Open Questions
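Review bot: in the `/received before /{share_id}` row, "ordering enforced by comment" is not enforcement; a later reorder of the router would bring the conflict back without any failure. Suggest a test that requests `/received` and asserts that the received-shares handler answers, and naming that test in this row. In the IDOR row, it would also help to state that the 404 for another user's share is identical to the 404 for a share ID that does not exist, since the enumeration argument (T-04-04-02) depends on the two being indistinguishable.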
@@ -151,6 +154,7 @@ _Updated at each phase transition._
| Last session | 2026-05-25 — Plan 04-01 executed: 30 Wave 0 xfail stubs across 5 test files; 39 xfailed total, zero new failures |
| Last session | 2026-05-25 — Plan 04-02 executed: migration 0004 (pdf_open_mode, GIN FTS index, audit-logs bucket) + MinIOBackend.put_object_raw(); 122 tests pass |
| Last session | 2026-05-25 — Plan 04-03 executed: write_audit_log() helper (flush-not-commit, never-raises) + FOLD-01..05 folder API + document sort/FTS/move; 122 pass, 0 new failures |
| Next action | Continue Wave 2 execution: run plan 04-04 (shares API) |
| Last session | 2026-05-25 — Plan 04-04 executed: Sharing API (SHARE-01..05) — grant/list/received/revoke with IDOR protection; 7 xfailed, zero new failures |
| Next action | Continue Wave 3 execution: run plan 04-05 (quota enforcement) |
| Pending decisions | None |
| Resume file | `.planning/phases/04-folders-sharing-quotas-document-ux/04-03-SUMMARY.md` |
| Resume file | `.planning/phases/04-folders-sharing-quotas-document-ux/04-04-SUMMARY.md` |
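Review bot: the Plan 04-04 entry reports "7 xfailed, zero new failures" but, unlike the 04-02 and 04-03 entries, gives no pass count, so it does not show that any SHARE-01..05 test actually passes. An xfail test does not verify the IDOR protection this entry names. Suggest stating the pass count and whether the 7 xfailed tests include share tests.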