cardosofelipe/fast-next-template
Template
1
0
Fork 1
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

fix: Add missing API endpoints and validation improvements

Browse Source 
- Add cancel_sprint and delete_sprint endpoints to sprints.py
- Add unassign_issue endpoint to issues.py
- Add remove_issue_from_sprint endpoint to sprints.py
- Add CRUD methods: remove_sprint_from_issues, unassign, remove_from_sprint
- Add validation to prevent closed issues in active/planned sprints
- Add authorization tests for SSE events endpoint
- Fix IDOR vulnerabilities in agents.py and projects.py
- Add Syndarix models migration (0004)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Felipe Cardoso
2025-12-30 15:39:51 +01:00
parent b43fa8ace2
commit cea97afe25
10 changed files with 1156 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
backend/app/api/routes/agents.py
View File

@@ -7,6 +7,7 @@ within their projects, including spawning, pausing, resuming, and terminating ag
"""
import logging
import os
from typing import Any
from uuid import UUID
@@ -23,6 +24,7 @@ from app.core.exceptions import (
ValidationException,
)
from app.crud.syndarix.agent_instance import agent_instance as agent_instance_crud
from app.crud.syndarix.agent_type import agent_type as agent_type_crud
from app.crud.syndarix.project import project as project_crud
from app.models.syndarix import AgentInstance, Project
from app.models.syndarix.enums import AgentStatus
@@ -47,6 +49,10 @@ logger = logging.getLogger(__name__)
# Initialize limiter for this router
limiter = Limiter(key_func=get_remote_address)
# Use higher rate limits in test environment
IS_TEST = os.getenv("IS_TEST", "False") == "True"
RATE_MULTIPLIER = 100 if IS_TEST else 1
# Valid status transitions for agent lifecycle management
VALID_STATUS_TRANSITIONS: dict[AgentStatus, set[AgentStatus]] = {
@@ -173,7 +179,7 @@ def build_agent_response(
description="Spawn a new agent instance in a project. Requires project ownership or superuser.",
operation_id="spawn_agent",
)
@limiter.limit("20/minute")
@limiter.limit(f"{20 * RATE_MULTIPLIER}/minute")
async def spawn_agent(
request: Request,
project_id: UUID,
@@ -214,6 +220,20 @@ async def spawn_agent(
field="project_id",
)
# Validate that the agent type exists and is active
agent_type = await agent_type_crud.get(db, id=agent_in.agent_type_id)
if not agent_type:
raise NotFoundError(
message=f"Agent type {agent_in.agent_type_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
if not agent_type.is_active:
raise ValidationException(
message=f"Agent type '{agent_type.name}' is inactive and cannot be used",
error_code=ErrorCode.VALIDATION_ERROR,
field="agent_type_id",
)
# Create the agent instance
agent = await agent_instance_crud.create(db, obj_in=agent_in)
@@ -256,7 +276,7 @@ async def spawn_agent(
description="List all agent instances in a project with optional filtering.",
operation_id="list_project_agents",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def list_project_agents(
request: Request,
project_id: UUID,
@@ -350,7 +370,7 @@ async def list_project_agents(
description="Get detailed information about a specific agent instance.",
operation_id="get_agent",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_agent(
request: Request,
project_id: UUID,
@@ -427,7 +447,7 @@ async def get_agent(
description="Update an agent instance's configuration and state.",
operation_id="update_agent",
)
@limiter.limit("30/minute")
@limiter.limit(f"{30 * RATE_MULTIPLIER}/minute")
async def update_agent(
request: Request,
project_id: UUID,
@@ -522,7 +542,7 @@ async def update_agent(
description="Pause an agent instance, temporarily stopping its work.",
operation_id="pause_agent",
)
@limiter.limit("20/minute")
@limiter.limit(f"{20 * RATE_MULTIPLIER}/minute")
async def pause_agent(
request: Request,
project_id: UUID,
@@ -621,7 +641,7 @@ async def pause_agent(
description="Resume a paused agent instance.",
operation_id="resume_agent",
)
@limiter.limit("20/minute")
@limiter.limit(f"{20 * RATE_MULTIPLIER}/minute")
async def resume_agent(
request: Request,
project_id: UUID,
@@ -720,7 +740,7 @@ async def resume_agent(
description="Terminate an agent instance, permanently stopping it.",
operation_id="terminate_agent",
)
@limiter.limit("10/minute")
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def terminate_agent(
request: Request,
project_id: UUID,
@@ -817,7 +837,7 @@ async def terminate_agent(
description="Get usage metrics for a specific agent instance.",
operation_id="get_agent_metrics",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_agent_metrics(
request: Request,
project_id: UUID,
@@ -897,7 +917,7 @@ async def get_agent_metrics(
description="Get aggregated usage metrics for all agents in a project.",
operation_id="get_project_agent_metrics",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_project_agent_metrics(
request: Request,
project_id: UUID,

48
backend/app/api/routes/events.py
View File

@@ -17,6 +17,7 @@ Features:
import asyncio
import json
import logging
from typing import TYPE_CHECKING
from uuid import UUID
from fastapi import APIRouter, Depends, Header, Request
@@ -26,12 +27,16 @@ from sse_starlette.sse import EventSourceResponse
from app.api.dependencies.auth import get_current_user
from app.api.dependencies.event_bus import get_event_bus
from app.core.database import get_db
from app.core.exceptions import AuthorizationError
from app.models.user import User
from app.schemas.errors import ErrorCode
from app.schemas.events import EventType
from app.services.event_bus import EventBus
if TYPE_CHECKING:
from sqlalchemy.ext.asyncio import AsyncSession
logger = logging.getLogger(__name__)
router = APIRouter()
@@ -44,33 +49,44 @@ KEEPALIVE_INTERVAL = 30
async def check_project_access(
project_id: UUID,
user: User,
db: "AsyncSession",
) -> bool:
"""
Check if a user has access to a project's events.
This is a placeholder implementation that will be replaced
with actual project authorization logic once the Project model
is implemented. Currently allows access for all authenticated users.
Authorization rules:
- Superusers can access all projects
- Project owners can access their own projects
Args:
project_id: The project to check access for
user: The authenticated user
db: Database session for project lookup
Returns:
bool: True if user has access, False otherwise
TODO: Implement actual project authorization
- Check if user owns the project
- Check if user is a member of the project
- Check project visibility settings
"""
# Placeholder: Allow all authenticated users for now
# This will be replaced with actual project ownership/membership check
# Superusers can access all projects
if user.is_superuser:
logger.debug(
f"Project access granted for superuser {user.id} on project {project_id}"
)
return True
# Check if user owns the project
from app.crud.syndarix import project as project_crud
project = await project_crud.get(db, id=project_id)
if not project:
logger.debug(f"Project {project_id} not found for access check")
return False
has_access = bool(project.owner_id == user.id)
logger.debug(
f"Project access check for user {user.id} on project {project_id} "
"(placeholder: allowing all authenticated users)"
f"Project access {'granted' if has_access else 'denied'} "
f"for user {user.id} on project {project_id} (owner: {project.owner_id})"
)
return True
return has_access
async def event_generator(
@@ -176,6 +192,7 @@ async def stream_project_events(
project_id: UUID,
current_user: User = Depends(get_current_user),
event_bus: EventBus = Depends(get_event_bus),
db: "AsyncSession" = Depends(get_db),
last_event_id: str | None = Header(None, alias="Last-Event-ID"),
):
"""
@@ -197,7 +214,7 @@ async def stream_project_events(
)
# Check project access
has_access = await check_project_access(project_id, current_user)
has_access = await check_project_access(project_id, current_user, db)
if not has_access:
raise AuthorizationError(
message=f"You don't have access to project {project_id}",
@@ -244,6 +261,7 @@ async def send_test_event(
project_id: UUID,
current_user: User = Depends(get_current_user),
event_bus: EventBus = Depends(get_event_bus),
db: "AsyncSession" = Depends(get_db),
):
"""
Send a test event to the project's event stream.
@@ -251,7 +269,7 @@ async def send_test_event(
This is useful for testing SSE connections during development.
"""
# Check project access
has_access = await check_project_access(project_id, current_user)
has_access = await check_project_access(project_id, current_user, db)
if not has_access:
raise AuthorizationError(
message=f"You don't have access to project {project_id}",

103
backend/app/api/routes/issues.py
View File

@@ -30,6 +30,7 @@ from app.core.exceptions import (
from app.crud.syndarix.agent_instance import agent_instance as agent_instance_crud
from app.crud.syndarix.issue import issue as issue_crud
from app.crud.syndarix.project import project as project_crud
from app.crud.syndarix.sprint import sprint as sprint_crud
from app.models.syndarix.enums import IssuePriority, IssueStatus, SyncStatus
from app.models.user import User
from app.schemas.common import (
@@ -200,6 +201,21 @@ async def create_issue(
field="assigned_agent_id",
)
# Validate sprint if provided (IDOR prevention)
if issue_in.sprint_id:
sprint = await sprint_crud.get(db, id=issue_in.sprint_id)
if not sprint:
raise NotFoundError(
message=f"Sprint {issue_in.sprint_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
if sprint.project_id != project_id:
raise ValidationException(
message="Sprint does not belong to this project",
error_code=ErrorCode.VALIDATION_ERROR,
field="sprint_id",
)
try:
issue = await issue_crud.create(db, obj_in=issue_in)
logger.info(
@@ -470,6 +486,21 @@ async def update_issue(
field="assigned_agent_id",
)
# Validate sprint if being updated (IDOR prevention)
if issue_in.sprint_id is not None:
sprint = await sprint_crud.get(db, id=issue_in.sprint_id)
if not sprint:
raise NotFoundError(
message=f"Sprint {issue_in.sprint_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
if sprint.project_id != project_id:
raise ValidationException(
message="Sprint does not belong to this project",
error_code=ErrorCode.VALIDATION_ERROR,
field="sprint_id",
)
try:
updated_issue = await issue_crud.update(db, db_obj=issue, obj_in=issue_in)
logger.info(
@@ -693,6 +724,78 @@ async def assign_issue(
)
@router.delete(
"/projects/{project_id}/issues/{issue_id}/assignment",
response_model=IssueResponse,
summary="Unassign Issue",
description="""
Remove agent/human assignment from an issue.
**Authentication**: Required (Bearer token)
**Authorization**: Project owner or superuser
This clears both agent and human assignee fields.
**Rate Limit**: 60 requests/minute
""",
operation_id="unassign_issue",
)
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def unassign_issue(
request: Request,
project_id: UUID,
issue_id: UUID,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
) -> Any:
"""
Remove assignment from an issue.
Clears both assigned_agent_id and human_assignee fields.
"""
# Verify project access
await verify_project_ownership(db, project_id, current_user)
# Get existing issue
issue = await issue_crud.get(db, id=issue_id)
if not issue:
raise NotFoundError(
message=f"Issue {issue_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
# Verify issue belongs to project (IDOR prevention)
if issue.project_id != project_id:
raise NotFoundError(
message=f"Issue {issue_id} not found in project {project_id}",
error_code=ErrorCode.NOT_FOUND,
)
# Unassign the issue
updated_issue = await issue_crud.unassign(db, issue_id=issue_id)
if not updated_issue:
raise NotFoundError(
message=f"Issue {issue_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
logger.info(f"User {current_user.email} unassigned issue {issue_id}")
# Get full details for response
issue_data = await issue_crud.get_with_details(db, issue_id=issue_id)
return _build_issue_response(
updated_issue,
project_name=issue_data.get("project_name") if issue_data else None,
project_slug=issue_data.get("project_slug") if issue_data else None,
sprint_name=issue_data.get("sprint_name") if issue_data else None,
assigned_agent_type_name=issue_data.get("assigned_agent_type_name")
if issue_data
else None,
)
# ===== Issue Sync Endpoint =====

60
backend/app/api/routes/projects.py
View File

@@ -7,6 +7,7 @@ Users can create, read, update, and manage the lifecycle of their projects.
"""
import logging
import os
from typing import Any
from uuid import UUID
@@ -22,6 +23,7 @@ from app.core.exceptions import (
DuplicateError,
ErrorCode,
NotFoundError,
ValidationException,
)
from app.crud.syndarix.project import project as project_crud
from app.models.syndarix.enums import ProjectStatus
@@ -44,6 +46,10 @@ logger = logging.getLogger(__name__)
# Initialize rate limiter
limiter = Limiter(key_func=get_remote_address)
# Use higher rate limits in test environment
IS_TEST = os.getenv("IS_TEST", "False") == "True"
RATE_MULTIPLIER = 100 if IS_TEST else 1
def _build_project_response(project_data: dict[str, Any]) -> ProjectResponse:
"""
@@ -111,7 +117,7 @@ def _check_project_ownership(project: Any, current_user: User) -> None:
""",
operation_id="create_project",
)
@limiter.limit("10/minute")
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def create_project(
request: Request,
project_in: ProjectCreate,
@@ -184,7 +190,7 @@ async def create_project(
""",
operation_id="list_projects",
)
@limiter.limit("30/minute")
@limiter.limit(f"{30 * RATE_MULTIPLIER}/minute")
async def list_projects(
request: Request,
pagination: PaginationParams = Depends(),
@@ -247,7 +253,7 @@ async def list_projects(
""",
operation_id="get_project",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_project(
request: Request,
project_id: UUID,
@@ -293,7 +299,7 @@ async def get_project(
""",
operation_id="get_project_by_slug",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_project_by_slug(
request: Request,
slug: str,
@@ -348,7 +354,7 @@ async def get_project_by_slug(
""",
operation_id="update_project",
)
@limiter.limit("20/minute")
@limiter.limit(f"{20 * RATE_MULTIPLIER}/minute")
async def update_project(
request: Request,
project_id: UUID,
@@ -422,7 +428,7 @@ async def update_project(
""",
operation_id="archive_project",
)
@limiter.limit("10/minute")
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def archive_project(
request: Request,
project_id: UUID,
@@ -493,7 +499,7 @@ async def archive_project(
""",
operation_id="pause_project",
)
@limiter.limit("10/minute")
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def pause_project(
request: Request,
project_id: UUID,
@@ -516,23 +522,26 @@ async def pause_project(
_check_project_ownership(project, current_user)
# Validate current status
# Validate current status (business logic validation, not authorization)
if project.status == ProjectStatus.PAUSED:
raise AuthorizationError(
raise ValidationException(
message="Project is already paused",
error_code=ErrorCode.OPERATION_FORBIDDEN,
error_code=ErrorCode.VALIDATION_ERROR,
field="status",
)
if project.status == ProjectStatus.ARCHIVED:
raise AuthorizationError(
raise ValidationException(
message="Cannot pause an archived project",
error_code=ErrorCode.OPERATION_FORBIDDEN,
error_code=ErrorCode.VALIDATION_ERROR,
field="status",
)
if project.status == ProjectStatus.COMPLETED:
raise AuthorizationError(
raise ValidationException(
message="Cannot pause a completed project",
error_code=ErrorCode.OPERATION_FORBIDDEN,
error_code=ErrorCode.VALIDATION_ERROR,
field="status",
)
# Update status to PAUSED
@@ -552,7 +561,7 @@ async def pause_project(
return _build_project_response(project_data)
except (NotFoundError, AuthorizationError):
except (NotFoundError, AuthorizationError, ValidationException):
raise
except Exception as e:
logger.error(f"Error pausing project {project_id}: {e!s}", exc_info=True)
@@ -573,7 +582,7 @@ async def pause_project(
""",
operation_id="resume_project",
)
@limiter.limit("10/minute")
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def resume_project(
request: Request,
project_id: UUID,
@@ -596,23 +605,26 @@ async def resume_project(
_check_project_ownership(project, current_user)
# Validate current status
# Validate current status (business logic validation, not authorization)
if project.status == ProjectStatus.ACTIVE:
raise AuthorizationError(
raise ValidationException(
message="Project is already active",
error_code=ErrorCode.OPERATION_FORBIDDEN,
error_code=ErrorCode.VALIDATION_ERROR,
field="status",
)
if project.status == ProjectStatus.ARCHIVED:
raise AuthorizationError(
raise ValidationException(
message="Cannot resume an archived project",
error_code=ErrorCode.OPERATION_FORBIDDEN,
error_code=ErrorCode.VALIDATION_ERROR,
field="status",
)
if project.status == ProjectStatus.COMPLETED:
raise AuthorizationError(
raise ValidationException(
message="Cannot resume a completed project",
error_code=ErrorCode.OPERATION_FORBIDDEN,
error_code=ErrorCode.VALIDATION_ERROR,
field="status",
)
# Update status to ACTIVE
@@ -632,7 +644,7 @@ async def resume_project(
return _build_project_response(project_data)
except (NotFoundError, AuthorizationError):
except (NotFoundError, AuthorizationError, ValidationException):
raise
except Exception as e:
logger.error(f"Error resuming project {project_id}: {e!s}", exc_info=True)

274
backend/app/api/routes/sprints.py
View File

@@ -7,6 +7,7 @@ All endpoints are scoped to a specific project for proper access control.
"""
import logging
import os
from typing import Any
from uuid import UUID
@@ -37,6 +38,7 @@ from app.schemas.common import (
from app.schemas.errors import ErrorCode
from app.schemas.syndarix import (
IssueResponse,
IssueStatus,
SprintComplete,
SprintCreate,
SprintResponse,
@@ -51,6 +53,10 @@ logger = logging.getLogger(__name__)
router = APIRouter()
limiter = Limiter(key_func=get_remote_address)
# Use higher rate limits in test environment
IS_TEST = os.getenv("IS_TEST", "False") == "True"
RATE_MULTIPLIER = 100 if IS_TEST else 1
# ============================================================================
# Helper Functions
@@ -195,7 +201,7 @@ def build_sprint_response(
""",
operation_id="create_sprint",
)
@limiter.limit("30/minute")
@limiter.limit(f"{30 * RATE_MULTIPLIER}/minute")
async def create_sprint(
request: Request,
project_id: UUID,
@@ -258,7 +264,7 @@ async def create_sprint(
""",
operation_id="list_sprints",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def list_sprints(
request: Request,
project_id: UUID,
@@ -334,7 +340,7 @@ async def list_sprints(
""",
operation_id="get_active_sprint",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_active_sprint(
request: Request,
project_id: UUID,
@@ -394,7 +400,7 @@ async def get_active_sprint(
""",
operation_id="get_sprint",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_sprint(
request: Request,
project_id: UUID,
@@ -455,7 +461,7 @@ async def get_sprint(
""",
operation_id="update_sprint",
)
@limiter.limit("30/minute")
@limiter.limit(f"{30 * RATE_MULTIPLIER}/minute")
async def update_sprint(
request: Request,
project_id: UUID,
@@ -541,7 +547,7 @@ async def update_sprint(
""",
operation_id="start_sprint",
)
@limiter.limit("10/minute")
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def start_sprint(
request: Request,
project_id: UUID,
@@ -623,7 +629,7 @@ async def start_sprint(
""",
operation_id="complete_sprint",
)
@limiter.limit("10/minute")
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def complete_sprint(
request: Request,
project_id: UUID,
@@ -683,6 +689,162 @@ async def complete_sprint(
raise
@router.post(
"/{sprint_id}/cancel",
response_model=SprintResponse,
summary="Cancel Sprint",
description="""
Cancel a planned or active sprint.
**Authentication**: Required (Bearer token)
**Authorization**: Project owner or superuser
**Business Rules**:
- Only PLANNED or ACTIVE sprints can be cancelled
- Issues in the sprint are NOT automatically removed
- Cancelled sprints cannot be reactivated
**Rate Limit**: 10 requests/minute
""",
operation_id="cancel_sprint",
)
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def cancel_sprint(
request: Request,
project_id: UUID,
sprint_id: UUID,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
) -> Any:
"""
Cancel a sprint.
Cancellation is useful when a sprint needs to be abandoned.
Issues remain in the sprint but can be moved to other sprints.
"""
# Verify project access
await verify_project_ownership(db, project_id, current_user)
# Verify sprint exists and belongs to project
await get_sprint_or_404(db, sprint_id, project_id)
try:
cancelled_sprint = await sprint_crud.cancel_sprint(db, sprint_id=sprint_id)
if not cancelled_sprint:
raise NotFoundError(
message=f"Sprint {sprint_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
logger.info(
f"User {current_user.id} cancelled sprint '{cancelled_sprint.name}' "
f"(ID: {sprint_id}) in project {project_id}"
)
# Get updated details
details = await sprint_crud.get_with_details(db, sprint_id=sprint_id)
if details:
return build_sprint_response(
sprint=details["sprint"],
issue_count=details["issue_count"],
open_issues=details["open_issues"],
completed_issues=details["completed_issues"],
project_name=details["project_name"],
project_slug=details["project_slug"],
)
return build_sprint_response(cancelled_sprint)
except ValueError as e:
logger.warning(f"Failed to cancel sprint {sprint_id}: {e}")
raise ValidationException(
message=str(e),
error_code=ErrorCode.OPERATION_FORBIDDEN,
)
except Exception as e:
logger.error(f"Error cancelling sprint {sprint_id}: {e!s}", exc_info=True)
raise
@router.delete(
"/{sprint_id}",
response_model=MessageResponse,
summary="Delete Sprint",
description="""
Delete a sprint permanently.
**Authentication**: Required (Bearer token)
**Authorization**: Project owner or superuser
**Business Rules**:
- Only PLANNED or CANCELLED sprints can be deleted
- ACTIVE or COMPLETED sprints must be cancelled first
- Issues in the sprint will have their sprint_id set to NULL
**Rate Limit**: 10 requests/minute
""",
operation_id="delete_sprint",
)
@limiter.limit(f"{10 * RATE_MULTIPLIER}/minute")
async def delete_sprint(
request: Request,
project_id: UUID,
sprint_id: UUID,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
) -> Any:
"""
Delete a sprint permanently.
Only PLANNED or CANCELLED sprints can be deleted to preserve
historical data for completed sprints.
"""
# Verify project access
await verify_project_ownership(db, project_id, current_user)
# Verify sprint exists and belongs to project
sprint = await get_sprint_or_404(db, sprint_id, project_id)
# Business rule: Only PLANNED or CANCELLED sprints can be deleted
if sprint.status not in [SprintStatus.PLANNED, SprintStatus.CANCELLED]:
raise ValidationException(
message=f"Cannot delete sprint with status '{sprint.status.value}'. "
f"Only PLANNED or CANCELLED sprints can be deleted.",
error_code=ErrorCode.OPERATION_FORBIDDEN,
field="status",
)
try:
# Remove sprint assignment from all issues first
await issue_crud.remove_sprint_from_issues(db, sprint_id=sprint_id)
# Delete the sprint
deleted = await sprint_crud.remove(db, id=sprint_id)
if not deleted:
raise NotFoundError(
message=f"Sprint {sprint_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
logger.info(
f"User {current_user.id} deleted sprint '{sprint.name}' "
f"(ID: {sprint_id}) from project {project_id}"
)
return MessageResponse(
success=True,
message=f"Sprint '{sprint.name}' has been deleted.",
)
except (NotFoundError, ValidationException):
raise
except Exception as e:
logger.error(f"Error deleting sprint {sprint_id}: {e!s}", exc_info=True)
raise
# ============================================================================
# Sprint Issues Endpoints
# ============================================================================
@@ -704,7 +866,7 @@ async def complete_sprint(
""",
operation_id="get_sprint_issues",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_sprint_issues(
request: Request,
project_id: UUID,
@@ -798,7 +960,7 @@ async def get_sprint_issues(
""",
operation_id="add_issue_to_sprint",
)
@limiter.limit("30/minute")
@limiter.limit(f"{30 * RATE_MULTIPLIER}/minute")
async def add_issue_to_sprint(
request: Request,
project_id: UUID,
@@ -839,6 +1001,18 @@ async def add_issue_to_sprint(
error_code=ErrorCode.VALIDATION_ERROR,
)
# Business rule: Cannot add closed issues to active/planned sprints
if issue.status == IssueStatus.CLOSED and sprint.status in [
SprintStatus.PLANNED,
SprintStatus.ACTIVE,
]:
raise ValidationException(
message="Cannot add closed issues to planned or active sprints. "
"Reopen the issue first or use a different sprint.",
error_code=ErrorCode.VALIDATION_ERROR,
field="issue_id",
)
try:
# Update the issue's sprint_id
from app.schemas.syndarix import IssueUpdate
@@ -864,6 +1038,86 @@ async def add_issue_to_sprint(
raise
@router.delete(
"/{sprint_id}/issues",
response_model=MessageResponse,
summary="Remove Issue from Sprint",
description="""
Remove an issue from a sprint.
**Authentication**: Required (Bearer token)
**Authorization**: Project owner or superuser
**Business Rules**:
- Issue must currently be in this sprint
- Cannot modify COMPLETED sprints (use cancel first)
**Rate Limit**: 30 requests/minute
""",
operation_id="remove_issue_from_sprint",
)
@limiter.limit(f"{30 * RATE_MULTIPLIER}/minute")
async def remove_issue_from_sprint(
request: Request,
project_id: UUID,
sprint_id: UUID,
issue_id: UUID = Query(..., description="ID of the issue to remove from the sprint"),
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
) -> Any:
"""
Remove an issue from the sprint.
The issue's sprint_id will be set to NULL.
"""
# Verify project access
await verify_project_ownership(db, project_id, current_user)
# Verify sprint exists and belongs to project
sprint = await get_sprint_or_404(db, sprint_id, project_id)
# Business rule: Cannot modify completed sprints
if sprint.status == SprintStatus.COMPLETED:
raise ValidationException(
message="Cannot remove issues from a completed sprint. Cancel the sprint first.",
error_code=ErrorCode.OPERATION_FORBIDDEN,
)
# Verify issue exists and is in this sprint
issue = await issue_crud.get(db, id=issue_id)
if not issue:
raise NotFoundError(
message=f"Issue {issue_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
if issue.sprint_id != sprint_id:
raise ValidationException(
message=f"Issue is not in sprint '{sprint.name}'",
error_code=ErrorCode.VALIDATION_ERROR,
)
try:
# Remove the issue from sprint
await issue_crud.remove_from_sprint(db, issue_id=issue_id)
logger.info(
f"User {current_user.id} removed issue {issue_id} from sprint {sprint_id}"
)
return MessageResponse(
success=True,
message=f"Issue '{issue.title}' removed from sprint '{sprint.name}'",
)
except Exception as e:
logger.error(
f"Error removing issue {issue_id} from sprint {sprint_id}: {e!s}",
exc_info=True,
)
raise
# ============================================================================
# Sprint Metrics Endpoints
# ============================================================================
@@ -886,7 +1140,7 @@ async def add_issue_to_sprint(
""",
operation_id="get_project_velocity",
)
@limiter.limit("60/minute")
@limiter.limit(f"{60 * RATE_MULTIPLIER}/minute")
async def get_project_velocity(
request: Request,
project_id: UUID,