Merge pull request #37 from markrai/feature/notifications

todo dialog roles for role: viewers to disable restricted items + key…

Author: markrai

CHANGELOG.md

@@ -3,6 +3,20 @@
 > **Upgrades:** No breaking changes in **3.7.x** / **3.8.x** / **3.9.x** / **3.10.x** / **3.11.x** unless noted below.
 
 
+## [3.11.1] - 2026-04-04
+
+### Fixes
+
+- **Project list** — Invited users now see **authenticated** temporary boards (with a creator) they belong to via **`project_members`**. The membership branch does not apply when **`creator_user_id`** is null, so anonymous paste boards never appear from stray membership rows alone.
+- **Todo dialog (roles)** — **Viewers:** read-only title, status, body, links; Save off; “View Todo” when nothing to save. **Contributors:** title and status locked (body-only when assigned, same as API). Submit handler checks permissions; viewers no longer enter bulk-select via Ctrl/Cmd+click on cards.
+
+### Other
+
+- **Keycloak (local dev)** — `docs/keycloak/realm-scrumboy-local.json` import + `docs/keycloak/README.md` (issuer env, public-client secret placeholder).
+- **Tests** — `internal/store/list_projects_test.go` for temp-board listing.
+
+---
+
 ## [3.11.0] - 2026-04-04
 
 ### Features

README.md

@@ -1,7 +1,7 @@
 <p align="center">
   <img width="372" src="internal/httpapi/web/githublogo.png" alt="scrumboy logo" />
   <br />
-  <img src="https://img.shields.io/badge/version-v3.11.0-blue" alt="version" />
+  <img src="https://img.shields.io/badge/version-v3.11.1-blue" alt="version" />
   <a href="LICENSE">
     <img src="https://img.shields.io/badge/license-AGPL--v3-orange" alt="license" />
   </a>

docs/keycloak/README.md

@@ -0,0 +1,52 @@
+# Keycloak realm (local development)
+
+This directory contains a **realm export** for running Scrumboy against a local Keycloak instance.
+
+## File
+
+- [`realm-scrumboy-local.json`](realm-scrumboy-local.json) — realm **`scrumboy`**, public OIDC client **`scrumboy`**, test user **`test`** / **`test`**, redirect URIs for Scrumboy on **localhost:8080**.
+
+## Import
+
+Stop Keycloak, then (paths may vary):
+
+```sh
+/opt/keycloak/bin/kc.sh import --file /path/to/realm-scrumboy-local.json
+```
+
+Or copy the file into Keycloak’s import directory and start with `--import-realm` per [Keycloak import/export](https://www.keycloak.org/server/importExport).
+
+After import, the **issuer** (no `/auth` prefix on modern Keycloak) is:
+
+```text
+http://<keycloak-host>:<port>/realms/scrumboy
+```
+
+Example if Keycloak listens on **8180**:
+
+```sh
+SCRUMBOY_OIDC_ISSUER=http://localhost:8180/realms/scrumboy
+SCRUMBOY_OIDC_CLIENT_ID=scrumboy
+SCRUMBOY_OIDC_CLIENT_SECRET=dev-public-client-placeholder
+SCRUMBOY_OIDC_REDIRECT_URL=http://localhost:8080/api/auth/oidc/callback
+```
+
+Scrumboy’s config requires **all four** variables and a **non-empty** `SCRUMBOY_OIDC_CLIENT_SECRET` string. For this **public** Keycloak client, the token endpoint uses **PKCE**; use any non-empty placeholder secret in Scrumboy’s env (Keycloak ignores it for public clients).
+
+Ensure the **redirect URL** matches what is registered in the client (**`…/*`** in the realm file covers `/api/auth/oidc/callback`).
+
+## Test user
+
+| Field    | Value            |
+|----------|------------------|
+| Username | `test`           |
+| Password | `test`           |
+| Email    | `test@example.com` |
+
+`emailVerified` is **true** so Scrumboy accepts the ID token (`email_verified` requirement).
+
+## Security note
+
+This realm is for **local development** only (`sslRequired: none`, known test password). Do not import as-is into production.
+
+For more on Scrumboy OIDC behavior, see [OIDC.md](../OIDC.md).

docs/keycloak/realm-scrumboy-local.json

@@ -0,0 +1,155 @@
+{
+  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+  "realm": "scrumboy",
+  "displayName": "Scrumboy (local dev)",
+  "enabled": true,
+  "sslRequired": "none",
+  "registrationAllowed": false,
+  "registrationEmailAsUsername": false,
+  "rememberMe": true,
+  "verifyEmail": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": true,
+  "editUsernameAllowed": false,
+  "bruteForceProtected": true,
+  "failureFactor": 5,
+  "defaultSignatureAlgorithm": "RS256",
+  "accessTokenLifespan": 300,
+  "ssoSessionIdleTimeout": 1800,
+  "ssoSessionMaxLifespan": 36000,
+  "accessCodeLifespan": 60,
+  "accessCodeLifespanUserAction": 300,
+  "accessCodeLifespanLogin": 1800,
+  "browserFlow": "browser",
+  "registrationFlow": "registration",
+  "directGrantFlow": "direct grant",
+  "resetCredentialsFlow": "reset credentials",
+  "clientAuthenticationFlow": "clients",
+  "dockerAuthenticationFlow": "docker auth",
+  "firstBrokerLoginFlow": "first broker login",
+  "attributes": {
+    "cibaBackchannelTokenDeliveryMode": "poll",
+    "cibaExpiresIn": "120",
+    "cibaAuthRequestedUserHint": "login_hint",
+    "parRequestUriLifespan": "60"
+  },
+  "browserSecurityHeaders": {
+    "contentSecurityPolicyReportOnly": "",
+    "xContentTypeOptions": "nosniff",
+    "referrerPolicy": "no-referrer",
+    "xRobotsTag": "none",
+    "xFrameOptions": "SAMEORIGIN",
+    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+    "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+  },
+  "smtpServer": {},
+  "eventsEnabled": false,
+  "eventsListeners": ["jboss-logging"],
+  "roles": {
+    "realm": [
+      {
+        "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
+        "name": "offline_access",
+        "description": "${role_offline-access}",
+        "composite": false,
+        "clientRole": false,
+        "attributes": {}
+      },
+      {
+        "id": "c3d4e5f6-a7b8-9012-cdef-123456789012",
+        "name": "uma_authorization",
+        "description": "${role_uma_authorization}",
+        "composite": false,
+        "clientRole": false,
+        "attributes": {}
+      },
+      {
+        "id": "d4e5f6a7-b8c9-0123-def0-234567890123",
+        "name": "default-roles-scrumboy",
+        "description": "${role_default-roles}",
+        "composite": true,
+        "composites": {
+          "realm": ["offline_access", "uma_authorization"]
+        },
+        "clientRole": false,
+        "attributes": {}
+      }
+    ]
+  },
+  "defaultRole": {
+    "name": "default-roles-scrumboy",
+    "description": "${role_default-roles}",
+    "composite": true,
+    "clientRole": false
+  },
+  "users": [
+    {
+      "username": "test",
+      "enabled": true,
+      "emailVerified": true,
+      "email": "test@example.com",
+      "firstName": "Test",
+      "lastName": "User",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "test",
+          "temporary": false
+        }
+      ],
+      "realmRoles": ["default-roles-scrumboy"]
+    }
+  ],
+  "clients": [
+    {
+      "clientId": "scrumboy",
+      "name": "Scrumboy",
+      "description": "Scrumboy web app (local development)",
+      "rootUrl": "http://localhost:8080",
+      "baseUrl": "http://localhost:8080",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [
+        "http://localhost:8080/*",
+        "http://127.0.0.1:8080/*"
+      ],
+      "webOrigins": [
+        "http://localhost:8080",
+        "http://127.0.0.1:8080"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": true,
+      "protocol": "openid-connect",
+      "attributes": {
+        "post.logout.redirect.uris": "http://localhost:8080/*##http://127.0.0.1:8080/*",
+        "pkce.code.challenge.method": "S256"
+      },
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "profile",
+        "roles",
+        "basic",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    }
+  ]
+}

internal/httpapi/web/app.js

@@ -7,7 +7,7 @@ import { apiFetch } from './dist/api.js';
 import { navigate, router } from './dist/router.js';
 import { getRoute, getProjectId, getBoard, getAuthStatusAvailable, getMobileTab, getSlug, getTag, getSearch, getSprintIdFromUrl, getProjectView, getProjectsTab, getProjects, getSettingsProjectId, getEditingTodo, getAvailableTags, getAutocompleteSuggestion, getAvailableTagsMap, getTagColors, getUser, getSettingsActiveTab, getBackupImportBtn, getBackupData, getBackupPreview, getAuthStatusChecked } from './dist/state/selectors.js';
 import { setProjectId, setBoard, setSlug, setTag, setMobileTab, setProjects, setProjectsTab, setProjectView, setEditingTodo, setAvailableTags, setAvailableTagsMap, setAutocompleteSuggestion, setTagColors, setSettingsProjectId, setSettingsActiveTab, setBackupImportBtn, setBackupData, setBackupPreview } from './dist/state/mutations.js';
-import { openTodoDialog, renderTagsChips, setupTagAutocomplete, removeTag, renderTagAutocomplete, getTagsFromChips, resetAssigneeSelect } from './dist/dialogs/todo.js';
+import { openTodoDialog, renderTagsChips, setupTagAutocomplete, removeTag, renderTagAutocomplete, getTagsFromChips, resetAssigneeSelect, getTodoFormPermissions } from './dist/dialogs/todo.js';
 import { renderSettingsModal, invalidateTagsCache } from './dist/dialogs/settings.js';
 import { initDnD, columnsSpec, dragInProgress, dragJustEnded } from './dist/features/drag-drop.js';
 import { setupContextMenuCloseHandler } from './dist/features/context-menu.js';
@@ -117,6 +117,10 @@ deleteTodoBtn.addEventListener("click", async () => {
 todoForm.addEventListener("submit", async (e) => {
   e.preventDefault();
 
+  if (!getTodoFormPermissions().canSubmitTodo) {
+    return;
+  }
+
   const title = todoTitle.value;
   const body = todoBody.value;
   const tags = getTagsFromChips();

internal/httpapi/web/dist/dialogs/todo.js

@@ -16,7 +16,14 @@ let permissions = {
     canEditNotes: false,
     canEditAssignment: false,
     canDeleteTodo: false,
+    canEditTitle: false,
+    canEditStatus: false,
+    canSubmitTodo: false,
+    canEditLinks: false,
 };
+export function getTodoFormPermissions() {
+    return { ...permissions };
+}
 let linksSearchDebounce = null;
 let linksSearchController = null;
 let lastLoadedLinksForTodo = null;
@@ -514,12 +521,17 @@ function renderLinksChips(slug, currentLocalId, onNavigateToLinkedTodo) {
     const container = document.getElementById("linksChips");
     if (!container)
         return;
-    const outbound = currentLinks.outbound.map((item) => `
+    const outbound = currentLinks.outbound.map((item) => {
+        const removeBtn = permissions.canEditLinks
+            ? `<button type="button" class="tag-chip-remove" data-link-remove="${item.localId}" aria-label="Remove link">×</button>`
+            : "";
+        return `
     <span class="tag-chip" data-link-local-id="${item.localId}" data-link-direction="outbound">
       <button type="button" class="tag-chip-link" data-link-open="${item.localId}">#${item.localId} ${escapeHTML(item.title)}</button>
-      <button type="button" class="tag-chip-remove" data-link-remove="${item.localId}" aria-label="Remove link">×</button>
+      ${removeBtn}
     </span>
-  `).join("");
+  `;
+    }).join("");
     const inbound = currentLinks.inbound.map((item) => `
     <span class="tag-chip" data-link-local-id="${item.localId}" data-link-direction="inbound">
       <button type="button" class="tag-chip-link" data-link-open="${item.localId}">#${item.localId} ${escapeHTML(item.title)}</button>
@@ -591,6 +603,13 @@ function setupLinkedStoriesSearch(slug, currentLocalId, onNavigateToLinkedTodo)
     linkAutocompleteSuggestion = null;
     removeLinksAutocompleteOverlay();
     clearLinkSearchInFlight();
+    if (!permissions.canEditLinks) {
+        input.disabled = true;
+        input.placeholder = "";
+        if (addBtn)
+            addBtn.disabled = true;
+        return;
+    }
     const submitLinkFromInput = async () => {
         const directLocalID = parseLocalIDFromLinkInput(input.value);
         const target = linkAutocompleteSuggestion?.localId ?? directLocalID;
@@ -726,17 +745,29 @@ export async function openTodoDialog(opts) {
     const board = getBoard();
     const anonymousBoard = isAnonymousBoard(board);
     const isMaintainer = (opts.role ?? "") === "maintainer" || anonymousBoard;
+    const roleNorm = (opts.role ?? "").toLowerCase();
+    const isContributor = roleNorm === "contributor" || roleNorm === "editor";
     const currentUser = getUser();
     const isAssignedToMe = currentUser &&
         mode === "edit" &&
         Number(todo?.assigneeUserId) === Number(currentUser.id);
+    const canEditTitle = isMaintainer;
+    const canEditStatus = isMaintainer;
+    const canSubmitTodo = mode === "create"
+        ? isMaintainer || anonymousBoard
+        : isMaintainer || (!anonymousBoard && isContributor && !!isAssignedToMe);
+    const canEditLinks = isMaintainer || (!anonymousBoard && isContributor);
     permissions = {
         canChangeSprint: isMaintainer && !anonymousBoard,
         canChangeEstimation: isMaintainer,
         canEditTags: isMaintainer,
-        canEditNotes: isMaintainer || (!anonymousBoard && opts.role === "contributor" && !!isAssignedToMe),
+        canEditNotes: isMaintainer || (!anonymousBoard && isContributor && !!isAssignedToMe),
         canEditAssignment: isMaintainer && !anonymousBoard,
         canDeleteTodo: isMaintainer,
+        canEditTitle,
+        canEditStatus,
+        canSubmitTodo,
+        canEditLinks,
     };
     // Fetch available tags for autocomplete
     // Authenticated boards: fetch ALL user-owned tags from full library (/api/tags/mine)
@@ -959,7 +990,7 @@ export async function openTodoDialog(opts) {
         setDates(undefined, undefined);
     }
     else {
-        todoDialogTitle.textContent = "Edit Todo";
+        todoDialogTitle.textContent = permissions.canSubmitTodo ? "Edit Todo" : "View Todo";
         todoTitle.value = todo.title || "";
         todoBody.value = todo.body || "";
         todoTags.value = "";
@@ -993,6 +1024,11 @@ export async function openTodoDialog(opts) {
     if (addTagBtn)
         addTagBtn.disabled = !permissions.canEditTags;
     todoBody.readOnly = !permissions.canEditNotes;
+    todoTitle.readOnly = !permissions.canEditTitle;
+    todoStatus.disabled = !permissions.canEditStatus;
+    const saveTodoBtn = document.getElementById("saveTodoBtn");
+    if (saveTodoBtn)
+        saveTodoBtn.disabled = !permissions.canSubmitTodo;
     // 4. Tag chips: clear and re-render so old chips (with "×" from previous maintainer open) are not reused
     const tagsChips = document.getElementById("tagsChips");
     if (tagsChips)
@@ -1022,7 +1058,12 @@ export async function openTodoDialog(opts) {
             return;
         }
         if (mode === "edit") {
-            todoStatus?.focus();
+            if (!permissions.canSubmitTodo) {
+                closeTodoBtn?.focus();
+            }
+            else {
+                todoStatus?.focus();
+            }
         }
         else {
             todoTitle.focus();

internal/httpapi/web/dist/views/board.js

@@ -724,6 +724,11 @@ function attachBoardDelegationHandlers() {
             if (!todo)
                 return;
             if (me.ctrlKey || me.metaKey) {
+                if (currentUserProjectRole === "viewer") {
+                    clearTodoMultiSelection();
+                    openTodoFromCard(todo);
+                    return;
+                }
                 e.preventDefault();
                 e.stopPropagation();
                 toggleTodoSelection(id);