feat: add Note model, CRUD API, and per-player authorization rules (#20)#57

Open
onurege3467 wants to merge 1 commit into grimimirg:main from onurege3467:feat/note-auth-rules
Conversation

@onurege3467

Closes #20

Summary

Adds the Note model, CRUD API endpoints, and server-side authorization rules for per-player note visibility in campaigns.

Changes

Backend (be/)

  • New model: Note with fields for id, campaign, owner, title, content, visibility (personal or players), parent_id, and timestamps. The note_permissions cross-reference table links notes to permitted users.
  • New service: NotesService with authorization-aware CRUD:
    • can_manage_notes — only the campaign owner (DM) can create/update/delete notes
    • can_view_note — DM sees all; players see only notes with visibility='players' that they are explicitly permitted to view
    • get_notes — DM sees all campaign notes; players see only their permitted subset
    • set_note_permissions — DM assigns which players can see a note (replaces membership)
    • to_dict — the permitted_user_ids field is only included for the DM owner
  • New controller: REST endpoints following existing project patterns:
    • GET /api/campaigns/:id/notes — list visible notes
    • POST /api/campaigns/:id/notes — create note (DM only)
    • GET /api/notes/:id — single note
    • PUT /api/notes/:id — update note (DM only)
    • DELETE /api/notes/:id — delete note (DM only)
    • PUT /api/notes/:id/permissions — set player access (DM only)
  • Tests: 9 integration tests covering creation, authorization, visibility filtering, permission management, update, delete, and info hiding
  • Registration: Note model, blueprints registered in app factory and model init

Verification

  • All project Python files pass py_compile syntax check
  • Integration test verified manually: DM creates personal + player notes, grants per-player access, players see only permitted notes, unauthorized access correctly denied, info hiding works

Notes

- Note model with personal (DM-only) and players (per-player visibility) modes
- note_permissions cross-reference table for per-player access control
- NotesService with CRUD + content-based authorization checks
- REST endpoints under /api/campaigns/:id/notes and /api/notes/:id/permissions
- to_dict() hides permission metadata from non-owner players
- Integration tests covering all authorization scenarios

Implements the authorization layer specified in grimimirg#20: server-side rules
ensuring players only receive notes they are permitted to see.

Closes grimimirg#20
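The visibility rules listed in the description (can_manage_notes, can_view_note, get_notes, set_note_permissions, to_dict) as an added, self-contained Python model. This is example code, not the PR's NotesService; the Campaign and Note dataclasses and the in-memory permitted_user_ids set are assumptions standing in for the project's ORM models and the note_permissions table.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the PR's ORM models (assumption, not the project's code).
@dataclass(frozen=True)
class Campaign:
    id: int
    owner_id: int  # the DM

@dataclass
class Note:
    id: int
    campaign: Campaign
    owner_id: int
    title: str
    content: str
    visibility: str  # "personal" or "players"
    permitted_user_ids: set[int] = field(default_factory=set)  # note_permissions rows

def can_manage_notes(user_id: int, campaign: Campaign) -> bool:
    """Only the campaign owner (DM) may create, update or delete notes."""
    return user_id == campaign.owner_id

def can_view_note(user_id: int, note: Note) -> bool:
    """DM sees all; a player sees a note only if visibility is 'players'
    AND the player is explicitly permitted. Personal notes never reach players."""
    if can_manage_notes(user_id, note.campaign):
        return True
    return note.visibility == "players" and user_id in note.permitted_user_ids

def get_notes(user_id: int, campaign: Campaign, notes: list[Note]) -> list[Note]:
    """Filter server-side; the client is never trusted to hide notes."""
    return [n for n in notes if n.campaign.id == campaign.id and can_view_note(user_id, n)]

def set_note_permissions(dm_id: int, note: Note, user_ids: set[int]) -> None:
    """Replace the permitted set (not merge); refuse for anyone but the DM."""
    if not can_manage_notes(dm_id, note.campaign):
        raise PermissionError("only the campaign owner can set note permissions")
    note.permitted_user_ids = set(user_ids)

def to_dict(user_id: int, note: Note) -> dict:
    """Serialise a note; permitted_user_ids is exposed only to the DM owner."""
    data = {"id": note.id, "title": note.title, "content": note.content,
            "visibility": note.visibility}
    if user_id == note.owner_id and can_manage_notes(user_id, note.campaign):
        data["permitted_user_ids"] = sorted(note.permitted_user_ids)
    return data
```

The checks mirror the integration scenario in the description: a personal note is invisible to every player, a players note is visible only to the listed ids, and replacing the permission set revokes access for ids no longer listed.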
Successfully merging this pull request may close these issues.

Authorization rules for players notes