Merge branch 'module/projects' into dev

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>

accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountDb.java

@@ -3,6 +3,7 @@ package de.srsoftware.umbrella.accounting;
 
 import de.srsoftware.umbrella.core.model.Account;
 import de.srsoftware.umbrella.core.model.Transaction;
+import de.srsoftware.umbrella.core.model.UmbrellaUser;
 import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
@@ -13,6 +14,8 @@ public interface AccountDb {
 
 	void dropTransactionTag(long transactionId, String tag);
 
+	Collection<UmbrellaUser> getMembers(long accountId);
+
 	Optional<Transaction> lastTransaction(long accountId, String source, String dest, double amount);
 
 	Collection<Account> listAccounts(long userId);

accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountingModule.java

@@ -7,11 +7,9 @@ import static de.srsoftware.umbrella.core.ConnectionProvider.connect;
 import static de.srsoftware.umbrella.core.ModuleRegistry.tagService;
 import static de.srsoftware.umbrella.core.ModuleRegistry.userService;
 import static de.srsoftware.umbrella.core.constants.Path.*;
-import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.invalidField;
+import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.*;
-import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.missingField;
 import static de.srsoftware.umbrella.messagebus.MessageBus.messageBus;
 import static de.srsoftware.umbrella.messagebus.events.Event.EventType.CREATE;
-import static java.lang.System.Logger.Level.WARNING;
 
 import com.sun.net.httpserver.HttpExchange;
 import de.srsoftware.configuration.Configuration;
@@ -55,6 +53,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 				case TRANSACTION -> {
 					try {
 						var transaction = accountDb.loadTransaction(Long.parseLong(path.pop()));
+						if (!accountDb.getMembers(transaction.accountId()).contains(user.get())) throw forbidden("You are not allowed to access account {id}",Field.ID,transaction.accountId());
 						yield dropTransaction(transaction, user.get(), path, ex);
 					} catch (NumberFormatException ignored) {
 						yield super.doDelete(path,ex);
@@ -128,6 +127,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 				default -> {
 					try {
 						var accountId = Long.parseLong(head);
+						if (!accountDb.getMembers(accountId).contains(user.get())) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
 						yield postToAccount(accountId,path,user.get(),ex);
 					} catch (NumberFormatException ignored) {
 						yield super.doPost(path,ex);
@@ -156,7 +156,6 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 	}
 
 	private boolean dropTransactionTag(UmbrellaUser user, Transaction transaction, HttpExchange ex) throws IOException {
-		LOG.log(WARNING,"Missing permission check in AccountModule.dropTransactionTag!");
 		var json = json(ex);
 		if (!json.has(Field.TAG)) throw missingField(Field.TAG);
 		var tag = json.getString(Field.TAG);
@@ -186,7 +185,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 	}
 
 	private boolean getAccount(UmbrellaUser user, long accountId, HttpExchange ex) throws IOException {
-		LOG.log(WARNING,"Missing authorization check in AccountingModule.getAccount(…)!");
+		if (!accountDb.getMembers(accountId).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
 		return sendContent(ex, loadAccount(accountId));
 	}
 
@@ -225,7 +224,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 
 	private boolean patchTransaction(UmbrellaUser user, long transactionId, HttpExchange ex) throws IOException {
 		var transaction = accountDb.loadTransaction(transactionId);
-		LOG.log(WARNING,"Missing permission check in patchTransaction(…)!");
+		if (!accountDb.getMembers(transaction.accountId()).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,transaction.accountId());
 		var oldData = transaction.toMap();
 		var json = json(ex);
 		if (json.has(Field.AMOUNT)) transaction.amount(json.getDouble(Field.AMOUNT));
@@ -337,7 +336,6 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 	}
 
 	private boolean postSearchTags(long accountId, UmbrellaUser user, HttpExchange ex) throws IOException {
-		LOG.log(WARNING,"Missing authorization check in AccountingModule.getAccount(…)!");
 		var key = body(ex);
 		if (!key.trim().startsWith("{")) { // search tags that contain value of body
 			var tags = accountDb.searchTagsContaining(key, accountId);

accounting/src/main/java/de/srsoftware/umbrella/accounting/SqliteDb.java

@@ -7,6 +7,7 @@ import static de.srsoftware.tools.jdbc.Condition.*;
 import static de.srsoftware.tools.jdbc.Query.*;
 import static de.srsoftware.tools.jdbc.Query.SelectQuery.ALL;
 import static de.srsoftware.umbrella.accounting.Constants.*;
+import static de.srsoftware.umbrella.core.ModuleRegistry.userService;
 import static de.srsoftware.umbrella.core.constants.Field.*;
 import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.*;
 import static de.srsoftware.umbrella.core.model.Translatable.t;
@@ -19,6 +20,7 @@ import de.srsoftware.umbrella.core.constants.Field;
 import de.srsoftware.umbrella.core.constants.Text;
 import de.srsoftware.umbrella.core.model.Account;
 import de.srsoftware.umbrella.core.model.Transaction;
+import de.srsoftware.umbrella.core.model.UmbrellaUser;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.time.ZoneOffset;
@@ -146,6 +148,27 @@ public class SqliteDb extends BaseDb implements AccountDb {
 		}
 	}
 
+	@Override
+	public Collection<UmbrellaUser> getMembers(long accountId) {
+		try {
+			var userIds = new HashSet<Long>();
+			var rs = select("DISTINCT "+ SOURCE).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db);
+			while (rs.next()) try {
+				userIds.add(Long.parseLong(rs.getString(1)));
+			} catch (NumberFormatException ignored) {}
+			rs.close();
+			rs = select("DISTINCT "+ DESTINATION).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db);
+			while (rs.next()) try {
+				userIds.add(Long.parseLong(rs.getString(1)));
+			} catch (NumberFormatException ignored) {}
+			rs.close();
+			var us = userService();
+			return userIds.stream().map(us::loadUser).toList();
+		} catch (SQLException e) {
+			throw failedToLoadMembers(Text.ACCOUNT);
+		}
+	}
+
 	@Override
 	public Optional<Transaction> lastTransaction(long accountId, String source, String dest, double amount) {
 		try {

frontend/src/routes/notes/Index.svelte

@@ -33,6 +33,7 @@
             authors    = {...authors, ...data.authors};
             loader.offset += loader.limit;
             loader.active  = false;
+            console.log({authors});
             yikes();
             if (Object.keys(data.notes).length) onscroll(null); // when notes were received, check whether they fill up the page
 
@@ -78,4 +79,4 @@
 </svelte:head>
 
 <svelte:window {onscroll} />
-<List {notes} />
+<List {notes} {authors} />

frontend/src/routes/notes/List.svelte

@@ -64,6 +64,7 @@
     <legend class="entity" onclick={() => goToEntity(note)}>{title(note)}</legend>
     {/if}
     <legend class="time">
+        {#if !module} {authors[note.user_id].name} – {/if}
         {note.timestamp.replace('T',' ')}
         {#if user.id == note.user_id}
         <button class="symbol" onclick={() => drop(note.id)}></button>

frontend/src/routes/project/View.svelte

@@ -2,7 +2,7 @@
     import { onMount, onDestroy }       from 'svelte';
     import { useTinyRouter } from 'svelte-tiny-router';
 
-    import { api, eventStream } from '../../urls.svelte';
+    import { api, eventStream, patch, post } from '../../urls.svelte';
     import { error, yikes }  from '../../warn.svelte';
     import { t }             from '../../translations.svelte';
 
@@ -35,11 +35,7 @@
 
     async function addState(){
         const url  = api(`project/${id}/state`);
-        const resp = await fetch(url,{
+        const resp = await post(url,new_state);
-            credentials: 'include',
-            method: 'POST',
-            body: JSON.stringify(new_state)
-        });
         if (resp.ok){
             const json = await resp.json();
             project.allowed_states[json.code] = json.name;
@@ -139,11 +135,7 @@
 
     async function update(data){
         const url  = api(`project/${id}`);
-        const resp = await fetch(url,{
+        const resp = await patch(url,data);
-            credentials : 'include',
-            method      : 'PATCH',
-            body        : JSON.stringify(data)
-        });
         if (resp.ok){
             yikes();
             project = await resp.json();
@@ -160,6 +152,20 @@
         update({members:members});
     }
 
+    async function updateStateName(state_id,name){
+        const url  = api(`project/${id}/state`);
+        const resp = await patch(url,{id:state_id,name});
+        if (resp.ok){
+            const json = await resp.json();
+            project.allowed_states[json.code]=json.name;
+            yikes();
+            return true;
+        } else {
+            error(resp);
+            return false;
+        }
+    }
+
     function showClosed(){
         show_closed = !show_closed;
         loadTasks();
@@ -243,7 +249,9 @@
         {/if}
         {key}
     </div>
-    <div>{project.allowed_states[key]}</div>
+    <div>
+        <LineEditor value={project.allowed_states[key]} editable={true} onSet={newName => updateStateName(+key,newName)} />
+    </div>
     {/each}
     <div>
         <input type="number" bind:value={new_state.code} />

frontend/src/routes/task/Add.svelte

@@ -2,7 +2,7 @@
     import { onMount }       from 'svelte';
     import { useTinyRouter } from 'svelte-tiny-router';
 
-    import { api, get }      from '../../urls.svelte.js';
+    import { api, get, post }      from '../../urls.svelte.js';
     import { error, yikes }  from '../../warn.svelte';
     import { t }             from '../../translations.svelte.js';
     import { user }          from '../../user.svelte.js';
@@ -104,11 +104,7 @@
 
     async function saveTask(){
         const url  = api('task/add');
-        const resp = await fetch(url,{
+        const resp = await post(url,task);
-            credentials : 'include',
-            method      : 'POST',
-            body        : JSON.stringify(task)
-        });
         if (resp.ok) {
             localStorage.removeItem(`task/${task.id}/description`);
             if (!assignee) { // if assignee is set, this form was opened within an external context. hence we don`t want to navigate somewhere else!

frontend/src/routes/task/ListTask.svelte

@@ -3,7 +3,7 @@
     import { useTinyRouter } from 'svelte-tiny-router';
 
     import { dragged }       from './dragndrop.svelte';
-    import { api }           from '../../urls.svelte';
+    import { api, drop, patch, post }           from '../../urls.svelte';
     import { error, yikes }  from '../../warn.svelte';
     import { t }             from '../../translations.svelte';
     import { timetrack }     from '../../user.svelte';
@@ -47,10 +47,7 @@
     async function deleteTask(){
         if (confirm(t('confirm_delete',{element:task.name}))){
             const url  = api(`task/${task.id}`);
-            const resp = await fetch(url,{
+            const resp = await drop(url);
-                credentials : 'include',
-                method      : 'DELETE'
-            });
             if (resp.ok){
                 deleted = true;
             } else {
@@ -70,11 +67,7 @@
         ev.stopPropagation();
         if (dragged.element.id == task.id) return;
         const  url = api(`task/${dragged.element.id}`);
-        const resp = await fetch(url,{
+        const resp = await patch(url, { parent_task_id : task.id});
-            credentials : 'include',
-            method      : 'PATCH',
-            body        : JSON.stringify({ parent_task_id : task.id})
-        });
         if (resp.ok) {
             yikes();
         } else {
@@ -90,11 +83,7 @@
             show_closed    : show_closed
         };
         if (task.show_closed) data.show_closed = true;
-        const resp = await fetch(url,{
+        const resp = await post(url,data);
-            credentials : 'include',
-            method      : 'POST',
-            body        : JSON.stringify(data)
-        });
         if (resp.ok){
             children = await resp.json();
             yikes();
@@ -112,11 +101,7 @@
 
     async function patchTask(changeset){
         const url  = api(`task/${task.id}`);
-        const resp = await fetch(url,{
+        const resp = await patch(url,changeset);
-            credentials : 'include',
-            method      : 'PATCH',
-            body        : JSON.stringify(changeset)
-        });
         if (resp.ok){
             task = await resp.json();
             return true;
@@ -145,9 +130,7 @@
 		if (children && lastEvent && lastEvent.task) {
 			if (lastEvent.event == 'delete' || lastEvent.task.parent_task_id != task.id){
 				delete children[lastEvent.task.id];
-			} else {
+			} else children[lastEvent.task.id] = lastEvent.task;
-				children[lastEvent.task.id] = lastEvent.task;
-			}
 		}
 	});
 

frontend/src/routes/task/RequiredTasks.svelte

@@ -2,7 +2,7 @@
     import { onMount } from 'svelte';
     import { useTinyRouter } from 'svelte-tiny-router';
 
-    import { api } from '../../urls.svelte';
+    import { api, get, patch, post } from '../../urls.svelte';
     import { error, yikes }  from '../../warn.svelte';
     import { t }   from '../../translations.svelte';
 
@@ -17,7 +17,7 @@
 
     async function add(new_task_id){
         let url = api(`task/${new_task_id}`);
-        let resp = await fetch(url,{ credentials : 'include' });
+        let resp = await get(url);
         if (resp.ok){
             yikes();
             let newTask = await resp.json();
@@ -27,7 +27,7 @@
             }
             task.required_tasks_ids.push(new_task_id);
             requiredTasks[new_task_id] = newTask;
-            await patch();
+            await update();
             delete candidates[new_task_id];
         } else {
             error(resp);
@@ -59,17 +59,11 @@
     async function loadTasks(){
         if (!task || !task.required_tasks_ids || !task.required_tasks_ids.length) return;
         const url = api('task/list');
-        const res = await fetch(url,{
+        const res = await post(url,{ids:task.required_tasks_ids});
-            credentials : 'include',
-            method      : 'POST',
-            body        : JSON.stringify({ids:task.required_tasks_ids})
-        });
         if (res.ok){
             yikes();
             requiredTasks = await res.json();
-        } else {
+        } else error(resp);
-            error(resp);
-        }
     }
 
     function oninput(){
@@ -84,19 +78,15 @@
         return false;
     }
 
-    async function patch(){
+    async function update(){
             const url  = api(`task/${task.id}`);
-            const resp = await fetch(url,{
+            const resp = await patch(url,{required_tasks_ids:task.required_tasks_ids});
-                credentials : 'include',
-                method      : 'PATCH',
-                body        : JSON.stringify({required_tasks_ids:task.required_tasks_ids})
-            });
             if (!resp.ok) error(resp);
     }
 
     async function unlink(required_task){
         task.required_tasks_ids = task.required_tasks_ids.filter(item => item != required_task.id);
-        patch();
+        update();
         delete requiredTasks[required_task.id];
     }
 

frontend/src/routes/task/TaskList.svelte

@@ -8,7 +8,7 @@
 </script>
 
 <ul>
-    {#each sortedTasks as task}
+    {#each sortedTasks as task (task.id)}
     <ListTask {states} {task} {lastEvent} siblings={tasks} {est_time} show_closed={show_closed || task.show_closed} />
     {/each}
 </ul>

frontend/src/routes/task/View.svelte

@@ -2,7 +2,7 @@
     import { onDestroy }     from 'svelte';
     import { useTinyRouter } from 'svelte-tiny-router';
 
-    import { api, eventStream } from '../../urls.svelte';
+    import { api, eventStream, get, patch, post } from '../../urls.svelte';
     import { error, yikes }  from '../../warn.svelte';
     import { t }             from '../../translations.svelte';
     import { timetrack }     from '../../user.svelte.js';
@@ -99,32 +99,24 @@
             parent_task_id : +task.id,
             show_closed    : show_closed
         };
-        const resp = await fetch(url,{
+        const resp = await post(url,data);
-            credentials : 'include',
-            method      : 'POST',
-            body:JSON.stringify(data)
-        });
         if (resp.ok){
             yikes();
             children = await resp.json();
-        } else {
+        } else error(resp);
-            error(resp);
-        }
     }
 
     async function loadParent(){
         const url  = api(`task/${task.parent_task_id}`);
-        const resp = await fetch(url,{credentials:'include'});
+        const resp = await get(url);
         if (resp.ok){
             task.parent = await resp.json();
-        } else {
+        } else error(resp);
-            error(resp);
-        }
     }
 
     async function loadTask(){
         const url  = api(`task/${id}`);
-        const resp = await fetch(url,{credentials:'include'});
+        const resp = await get(url);
         if (resp.ok){
             yikes();
             task     = await resp.json();
@@ -132,20 +124,16 @@
             loadChildren();
             if (task.project_id) loadProject();
             if (task.parent_task_id) loadParent();
-        } else {
+        } else error(resp);
-            error(resp);
-        }
     }
 
     async function loadProject(){
         const url  = api(`project/${task.project_id}`);
-        const resp = await fetch(url,{credentials:'include'});
+        const resp = await get(url);
         if (resp.ok){
             project = await resp.json();
             yikes();
-        } else {
+        } else error(await resp.text());
-            error(await resp.text());
-        }
     }
 
     function showClosed(){
@@ -169,11 +157,7 @@
 
     async function update(data){
         const url  = api(`task/${id}`);
-        const resp = await fetch(url,{
+        const resp = await patch(url,data);
-            credentials : 'include',
-            method      : 'PATCH',
-            body        : JSON.stringify(data)
-        });
         if (resp.ok){
             yikes();
             let json = await resp.json();

project/src/main/java/de/srsoftware/umbrella/project/ProjectModule.java

@@ -97,6 +97,7 @@ public class ProjectModule extends BaseHandler implements ProjectService {
 					head = path.pop();
 					yield switch (head){
 						case null -> patchProject(ex,projectId,user.get());
+						case Path.STATE -> patchProjectState(ex,projectId,user.get());
 						default -> super.doPatch(path,ex);
 					};
 				}
@@ -229,6 +230,19 @@ public class ProjectModule extends BaseHandler implements ProjectService {
 		return sendContent(ex,project.toMap());
 	}
 
+	private boolean patchProjectState(HttpExchange ex, long projectId, UmbrellaUser user) throws IOException {
+		var project = loadMembers(projectDb.load(projectId));
+		if (!project.hasMember(user)) throw notAmember(t(PROJECT_WITH_ID,ID,project.name()));
+		var json = json(ex);
+		if (!json.has(ID)) throw missingField(ID);
+		if (!json.has(NAME)) throw missingField(NAME);
+		if (!(json.get(ID) instanceof Number fieldId)) throw invalidField(ID,Text.NUMBER);
+		var newName = json.getString(NAME);
+		if (newName.isBlank()) throw invalidField(NAME, STRING);
+		var newState = new Status(newName,fieldId.intValue());
+		return sendContent(ex, projectDb.save(projectId,newState));
+
+	}
 
 	private boolean postNewState(HttpExchange ex, long projectId, UmbrellaUser user) throws IOException {
 		var project = loadMembers(load(projectId));

project/src/main/java/de/srsoftware/umbrella/project/SqliteDb.java

@@ -267,7 +267,7 @@ CREATE TABLE IF NOT EXISTS {0} (
 	@Override
 	public Status save(long projectId, Status newState) {
 		try {
-			insertInto(TABLE_CUSTOM_STATES, PROJECT_ID, Field.CODE, NAME).values(projectId,newState.code(),newState.name()).execute(db).close();
+			replaceInto(TABLE_CUSTOM_STATES, PROJECT_ID, Field.CODE, NAME).values(projectId,newState.code(),newState.name()).execute(db).close();
 			return newState;
 		} catch (SQLException e) {
 			throw databaseException(FAILED_TO_CREATE_STATE).causedBy(e);