feat: add Note model, CRUD API, and per-player authorization rules (#20) #57
Open
onurege3467 wants to merge 1 commit into
- Note model with personal (DM-only) and players (per-player visibility) modes
- note_permissions cross-reference table for per-player access control
- NotesService with CRUD + content-based authorization checks
- REST endpoints under /api/campaigns/:id/notes and /api/notes/:id/permissions
- to_dict() hides permission metadata from non-owner players
- Integration tests covering all authorization scenarios

Implements the authorization layer specified in grimimirg#20: server-side rules ensuring players only receive notes they are permitted to see.

Closes grimimirg#20
Closes #20
Summary
Adds the Note model, CRUD API endpoints, and server-side authorization rules for per-player note visibility in campaigns.
Changes
Backend (be/)
- Note with fields for id, campaign, owner, title, content, visibility (personal or players), parent_id, and timestamps. The note_permissions cross-reference table links notes to permitted users.
- NotesService with authorization-aware CRUD:
  - can_manage_notes — only the campaign owner (DM) can create/update/delete notes
  - can_view_note — DM sees all; players see only notes with visibility='players' that they are explicitly permitted to view
  - get_notes — DM sees all campaign notes; players see only their permitted subset
  - set_note_permissions — DM assigns which players can see a note (replaces membership)
  - to_dict — the permitted_user_ids field is only included for the DM owner
- GET /api/campaigns/:id/notes — list visible notes
- POST /api/campaigns/:id/notes — create note (DM only)
- GET /api/notes/:id — single note
- PUT /api/notes/:id — update note (DM only)
- DELETE /api/notes/:id — delete note (DM only)
- PUT /api/notes/:id/permissions — set player access (DM only)

Verification
- py_compile syntax check

Notes
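Added example, not part of the pull request and not the project's code: an in-memory Python sketch of the visibility rules listed above, including the case where a personal note still carries a stale permission entry. The function names follow the description; their signatures, the `dm_id` field and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Note:
    id: int
    dm_id: int                      # campaign owner (assumed field name)
    title: str
    content: str
    visibility: str = "personal"    # "personal" or "players"
    permitted_user_ids: set = field(default_factory=set)

def can_manage_notes(note, user_id):
    return user_id == note.dm_id    # only the DM creates/updates/deletes

def can_view_note(note, user_id):
    if can_manage_notes(note, user_id):
        return True
    # Both conditions are required: a stale permission row on a note that
    # is (or was switched back to) "personal" must not grant access.
    return note.visibility == "players" and user_id in note.permitted_user_ids

def get_notes(notes, user_id):
    return [n for n in notes if can_view_note(n, user_id)]

def set_note_permissions(note, actor_id, user_ids):
    if not can_manage_notes(note, actor_id):
        raise PermissionError("only the DM can set note permissions")
    note.permitted_user_ids = set(user_ids)   # replaces the set, no merge

def to_dict(note, viewer_id):
    if not can_view_note(note, viewer_id):
        raise PermissionError("note is not visible to this user")
    data = {"id": note.id, "title": note.title,
            "content": note.content, "visibility": note.visibility}
    if can_manage_notes(note, viewer_id):     # ACL metadata is DM-only
        data["permitted_user_ids"] = sorted(note.permitted_user_ids)
    return data

# Constructed sample data: one DM, two players, three notes.
DM, ALICE, BOB = 1, 2, 3
NOTES = [
    Note(1, DM, "Plot twist", "secret"),
    Note(2, DM, "Handout", "map of the keep", "players", {ALICE}),
    Note(3, DM, "Old handout", "retired", "personal", {ALICE}),  # stale ACL
]

if __name__ == "__main__":
    for uid in (DM, ALICE, BOB):
        print(uid, [to_dict(n, uid) for n in get_notes(NOTES, uid)])
```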