fix(comment): align mention audience with entity visibility
This commit is contained in:
@@ -75,13 +75,16 @@ Reasoning:
|
||||
|
||||
### `packages/api/src/router/comment.ts`
|
||||
|
||||
- `list`, `count`, `create`, `resolve`, `delete`: `entity-scoped`
|
||||
- `list`, `listMentionCandidates`, `count`, `create`, `resolve`, `delete`: `entity-scoped`
|
||||
|
||||
Reasoning:
|
||||
|
||||
- comments must inherit the audience of the backing entity, not the comment row itself
|
||||
- Phase 1 intentionally supports only `estimate`, because that is the only real product consumer today
|
||||
- estimate comments therefore inherit the estimate workspace audience: controller, manager, or admin
|
||||
- supported entity types are currently `estimate` and `resource`
|
||||
- estimate comments inherit the estimate workspace audience: controller, manager, or admin
|
||||
- resource comments inherit the resource detail audience: self-service for the caller's own linked resource, plus broad access for users who already have resource overview visibility
|
||||
- mention autocomplete uses the same entity-scoped access check instead of reusing assignment-oriented user directory routes
|
||||
- the registry keeps router policy, assistant metadata, and web comment targets on the same supported-entity definition
|
||||
- future entity types must be added through an explicit registry with per-entity access checks, assistant parity, and router tests in the same slice
|
||||
|
||||
### `packages/api/src/router/system-role-config.ts`
|
||||
|
||||
Reference in New Issue
Block a user