feat(phase-4): Sharing API (SHARE-01..05) — grant by handle, received folder, IDOR-safe revoke
- POST /api/shares: grant share by recipient_handle; 400 self-share, 404 bad UUID/doc/user, 409 duplicate
- GET /api/shares?document_id: list shares owned by current user for a document
- GET /api/shares/received: virtual "shared with me" folder — metadata only (no extracted_text)
- DELETE /api/shares/{share_id}: revoke with IDOR protection (share.owner_id != current_user.id → 404)
- IntegrityError on UniqueConstraint(document_id, recipient_id) → 409
- write_audit_log called for share.granted and share.revoked (D-14)
- /received defined before /{share_id} in router to prevent FastAPI path parameter conflict
- No quota table touched — recipient quota never modified by share operations (T-04-04-04)
@@ -183,3 +183,7 @@ from api.folders import router as folders_router # noqa: E402
|
||||
from api.folders import document_move_router as document_move_router # noqa: E402
|
||||
app.include_router(folders_router)
|
||||
app.include_router(document_move_router)
|
||||
|
||||
# Phase 4: shares router (SHARE-01..05)
|
||||
from api.shares import router as shares_router # noqa: E402
|
||||
app.include_router(shares_router)
|
||||
|
||||
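Review bot: `app.include_router(shares_router)` is mounted with no `dependencies=` argument, so authentication on every /api/shares route depends on each handler in api.shares declaring its own current-user dependency, and nothing in this hunk confirms that. Either pass the auth dependency at include time or add a test that unauthenticated requests to each of the four endpoints are rejected. The commit message describes the 404-on-owner-mismatch revoke, the 409 on duplicate, and the /received-before-/{share_id} ordering, but none of that code is visible in this diff; those paths need their own tests in the same change, including a revoke attempt by a user who is the recipient rather than the owner.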