Group view: fetch group + permission flags from /api/v2/groups/{id} (Group 4.1) #892
Open
edwh wants to merge 1 commit into
Completes Group 4.1 of the Blade-to-Vue plan. group/view.blade.php previously
computed per-user permission flags server-side and passed them to <GroupPage> as
props; now GroupPage fetches the group (and those flags) from the v2 API instead.
- getGroupv2 resolves the OPTIONAL user (session, then api-token guard) and adds a
`permissions` object to the response via a groupPermissionsFor() helper that
replicates the blade logic exactly:
    can_edit            = admin || coordinatorForGroup || hostOfGroup
    can_demote          = admin || coordinatorForGroup
    can_see_delete      = admin
    can_perform_delete  = can_see_delete && group->canDelete()
    can_perform_archive = admin || coordinatorForGroup
With no resolved user, all flags are false. (Host = Fixometer::userHasEditGroupPermission,
coordinator = User::isCoordinatorForGroup — the same calls the controller used.)
- GroupPage.vue drops the hydrated group/permission props and fetches on mount,
deriving the button flags as computed properties from the response.
- group/view.blade.php stops computing/passing those props.
- Note: these flags are UI show/hide only — the edit/delete/archive endpoints
enforce their own authorization independently.
Tests: APIv2GroupPermissionsTest covers the full matrix (anonymous / non-member /
host / coordinator own-vs-other network / admin, and can_perform_delete following
canDelete). GroupViewTest + InviteGroupTest updated for the removed props.



Summary
Completes Group 4.1 of `plans/active/blade-to-vue-migration.md`. `group/view.blade.php` previously computed per-user permission flags server-side and passed them to `<GroupPage>` as props. Now `GroupPage.vue` fetches the group and those flags from the v2 API on mount.
- `getGroupv2` resolves the optional user (session, then api-token guard) and returns a `permissions` object computed by a new `groupPermissionsFor()` helper that replicates the Blade logic exactly:
    - `can_edit = admin || coordinatorForGroup || hostOfGroup`
    - `can_demote = admin || coordinatorForGroup`
    - `can_see_delete = admin`
    - `can_perform_delete = can_see_delete && group->canDelete()`
    - `can_perform_archive = admin || coordinatorForGroup`

  `Fixometer::userHasEditGroupPermission`, coordinator = `User::isCoordinatorForGroup` — the exact calls the controller used.
- `GroupPage.vue` drops the hydrated group/permission props, fetches on mount, and derives the button flags as computed properties.
- `group/view.blade.php` stops computing/passing those props.

Security note
These flags are UI show/hide only — the edit/delete/archive endpoints each enforce their own authorization independently (defense in depth). The flag logic is nonetheless replicated faithfully and covered by a full test matrix.

Test plan
- `APIv2GroupPermissionsTest` — full matrix (anonymous / non-member / host / coordinator own-vs-other-network / admin; `can_perform_delete` follows `canDelete()`): 8 tests, 112 assertions
- `GroupViewTest` (8/171), `InviteGroupTest`, `APIv2GroupTest`, `Groups\BasicTest` — updated for removed props, all green (43 total)
- `vite build` exit 0; `translations:check` exit 0

🤖 Generated with Claude Code
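The flag rules and the security note above, worked through as an added JavaScript example (not code from this PR or the project). It enumerates every combination of role facts and checks the invariants the rules imply. The `facts` object, `authorizeDelete` and `checkMatrix` are hypothetical names, and the delete rule used for the endpoint-side check is an assumption.

```javascript
// Added example. Only the five flag keys come from the PR description;
// `facts` stands in for the server-side lookups (admin role, coordinator for
// the group, host of the group, group->canDelete()) and is hypothetical.
function groupPermissionsFor(facts) {
  // No resolved user (anonymous): every flag is false.
  if (!facts || !facts.user) {
    return { can_edit: false, can_demote: false, can_see_delete: false,
             can_perform_delete: false, can_perform_archive: false };
  }
  const { admin, coordinatorForGroup, hostOfGroup, groupCanDelete } = facts;
  const canSeeDelete = Boolean(admin);
  return {
    can_edit: Boolean(admin || coordinatorForGroup || hostOfGroup),
    can_demote: Boolean(admin || coordinatorForGroup),
    can_see_delete: canSeeDelete,
    can_perform_delete: canSeeDelete && Boolean(groupCanDelete),
    can_perform_archive: Boolean(admin || coordinatorForGroup),
  };
}

// Hypothetical endpoint-side check (assumed rule): decides from server-side
// facts only and never reads the flags sent to the client, so a tampered
// API response cannot widen access.
function authorizeDelete(facts) {
  return Boolean(facts && facts.user && facts.admin && facts.groupCanDelete);
}

// Enumerate the whole role matrix; return every row that breaks an invariant.
function checkMatrix() {
  const bools = [false, true];
  const violations = [];
  for (const user of bools) for (const admin of bools)
    for (const coordinatorForGroup of bools) for (const hostOfGroup of bools)
      for (const groupCanDelete of bools) {
        const facts = { user, admin, coordinatorForGroup, hostOfGroup, groupCanDelete };
        const p = groupPermissionsFor(facts);
        const ok =
          (user || Object.values(p).every((v) => v === false)) && // anonymous: all false
          (!p.can_perform_delete || p.can_see_delete) &&          // delete implies visible
          (!p.can_demote || p.can_edit) &&                        // demote implies edit
          p.can_perform_archive === p.can_demote &&               // same rule for both
          p.can_perform_delete === authorizeDelete(facts);        // UI flag matches endpoint
        if (!ok) violations.push(facts);
      }
  return violations;
}
```

The last invariant is the one worth keeping in a real suite: if a UI flag and the endpoint's own decision ever disagree, the button either misleads users or hints at a missing server-side check.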