feat: Member permissions, optional phone, public users endpoint

- Allow members to create todos, companies, projects
- Auto-assign creator to resources (companyUsers, projectUsers, todoUsers)
- Add public /api/users endpoint for all authenticated users
- Make phone field optional in personal contacts (schema + validation)
- Update todo routes to use checkTodoAccess for updates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/app.js

@@ -28,6 +28,7 @@ import noteRoutes from './routes/note.routes.js';
 import auditRoutes from './routes/audit.routes.js';
 import eventRoutes from './routes/event.routes.js';
 import messageRoutes from './routes/message.routes.js';
+import userRoutes from './routes/user.routes.js';
 
 const app = express();
 
@@ -122,6 +123,7 @@ app.use('/api/notes', noteRoutes);
 app.use('/api/audit-logs', auditRoutes);
 app.use('/api/events', eventRoutes);
 app.use('/api/messages', messageRoutes);
+app.use('/api/users', userRoutes);
 
 // Basic route
 app.get('/', (req, res) => {

src/db/schema.js

@@ -87,7 +87,7 @@ export const personalContacts = pgTable('personal_contacts', {
   companyId: uuid('company_id').references(() => companies.id, { onDelete: 'set null' }), // voliteľná väzba na firmu
   firstName: text('first_name').notNull(),
   lastName: text('last_name'),
-  phone: text('phone').notNull(),
+  phone: text('phone'), // optional
   email: text('email').notNull(),
   secondaryEmail: text('secondary_email'),
   description: text('description'), // popis kontaktu

src/routes/company.routes.js

@@ -44,10 +44,9 @@ router.get(
   companyController.getCompanyById
 );
 
-// Create new company (admin only)
+// Create new company (any authenticated user)
 router.post(
   '/',
-  requireAdmin,
   validateBody(createCompanySchema),
   companyController.createCompany
 );

src/routes/personal-contact.routes.js

@@ -9,7 +9,7 @@ const router = express.Router()
 const createContactSchema = z.object({
   firstName: z.string().min(1, 'Meno je povinné'),
   lastName: z.string().optional(),
-  phone: z.string().min(3, 'Telefón je povinný'),
+  phone: z.string().optional().nullable(),
   email: z.string().email('Neplatný email'),
   secondaryEmail: z.union([z.string().email('Neplatný email'), z.literal('')]).optional(),
   companyId: z.union([z.string().uuid(), z.literal(''), z.null()]).optional(),

src/routes/project.routes.js

@@ -27,10 +27,9 @@ router.get(
   projectController.getProjectById
 );
 
-// Create new project (admin only)
+// Create new project (any authenticated user)
 router.post(
   '/',
-  requireAdmin,
   validateBody(createProjectSchema),
   projectController.createProject
 );

src/routes/todo.routes.js

@@ -27,19 +27,18 @@ router.get(
   todoController.getTodoById
 );
 
-// Create new todo (admin only)
+// Create new todo (any authenticated user)
 router.post(
   '/',
-  requireAdmin,
   validateBody(createTodoSchema),
   todoController.createTodo
 );
 
-// Update todo (admin only)
+// Update todo (user must have access to the todo)
 router.patch(
   '/:todoId',
-  requireAdmin,
   validateParams(z.object({ todoId: z.string().uuid() })),
+  checkTodoAccess,
   validateBody(updateTodoSchema),
   todoController.updateTodo
 );

src/routes/user.routes.js

@@ -0,0 +1,34 @@
+import express from 'express';
+import { authenticate } from '../middlewares/auth/authMiddleware.js';
+import { db } from '../config/database.js';
+import { users } from '../db/schema.js';
+
+const router = express.Router();
+
+// All user routes require authentication
+router.use(authenticate);
+
+/**
+ * Get all users (basic info only - for dropdowns, assignment, etc.)
+ * Available to all authenticated users
+ */
+router.get('/', async (req, res, next) => {
+  try {
+    const allUsers = await db
+      .select({
+        id: users.id,
+        username: users.username,
+        firstName: users.firstName,
+        lastName: users.lastName,
+        role: users.role,
+      })
+      .from(users)
+      .orderBy(users.username);
+
+    res.json(allUsers);
+  } catch (error) {
+    next(error);
+  }
+});
+
+export default router;

src/services/company.service.js

@@ -139,6 +139,14 @@ export const createCompany = async (userId, data) => {
     })
     .returning();
 
+  // Auto-assign the creator to the company so they can access it
+  await db.insert(companyUsers).values({
+    companyId: newCompany.id,
+    userId: userId,
+    role: 'creator',
+    addedBy: userId,
+  });
+
   return newCompany;
 };
 

src/services/personal-contact.service.js

@@ -67,7 +67,7 @@ export const createPersonalContact = async (userId, contact) => {
       companyId: contact.companyId || null,
       firstName: contact.firstName,
       lastName: contact.lastName || null,
-      phone: contact.phone,
+      phone: contact.phone || null,
       email: contact.email,
       secondaryEmail: contact.secondaryEmail || null,
       description: contact.description || null,

src/services/project.service.js

@@ -138,6 +138,14 @@ export const createProject = async (userId, data) => {
     })
     .returning();
 
+  // Auto-assign the creator to the project so they can access it
+  await db.insert(projectUsers).values({
+    projectId: newProject.id,
+    userId: userId,
+    role: 'creator',
+    addedBy: userId,
+  });
+
   return newProject;
 };
 

src/services/todo.service.js

@@ -207,6 +207,16 @@ export const createTodo = async (userId, data) => {
     await db.insert(todoUsers).values(todoUserInserts);
   }
 
+  // Auto-assign the creator to the todo so they can access it (if not already assigned)
+  const creatorAlreadyAssigned = assignedUserIds && assignedUserIds.includes(userId);
+  if (!creatorAlreadyAssigned) {
+    await db.insert(todoUsers).values({
+      todoId: newTodo.id,
+      userId: userId,
+      assignedBy: userId,
+    });
+  }
+
   return newTodo;
 };