From 929d0b461f848b7f5dda3bf244c1a56d20bb179c Mon Sep 17 00:00:00 2001
From: richardtekula <barspin4499@gmail.com>
Date: Mon, 26 Jan 2026 11:41:36 +0100
Subject: [PATCH] fix: Allow project team members to update projects, handle
 empty companyId

- Relax project PATCH route from requireAdmin to checkProjectAccess
- Normalize empty string companyId to null in updateProject service to prevent UUID parse error

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 src/routes/project.routes.js    | 4 ++--
 src/services/project.service.js | 9 ++++++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/routes/project.routes.js b/src/routes/project.routes.js
index 22c205e..dd118d8 100644
--- a/src/routes/project.routes.js
+++ b/src/routes/project.routes.js
@@ -44,10 +44,10 @@ router.post(
   projectController.createProject
 );
 
-// Update project (admin only)
+// Update project (team members and admins)
 router.patch(
   '/:projectId',
-  requireAdmin,
+  checkProjectAccess,
   validateParams(z.object({ projectId: z.string().uuid() })),
   validateBody(updateProjectSchema),
   projectController.updateProject
diff --git a/src/services/project.service.js b/src/services/project.service.js
index 21e158c..f4b37ef 100644
--- a/src/services/project.service.js
+++ b/src/services/project.service.js
@@ -157,12 +157,15 @@ export const updateProject = async (projectId, data) => {
 
   const { name, description, companyId, status, startDate, endDate } = data;
 
+  // Treat empty string companyId as null (no company)
+  const resolvedCompanyId = companyId === '' ? null : companyId;
+
   // If companyId is being changed, verify new company exists
-  if (companyId !== undefined && companyId !== null && companyId !== project.companyId) {
+  if (resolvedCompanyId !== undefined && resolvedCompanyId !== null && resolvedCompanyId !== project.companyId) {
     const [company] = await db
       .select()
       .from(companies)
-      .where(eq(companies.id, companyId))
+      .where(eq(companies.id, resolvedCompanyId))
       .limit(1);
 
     if (!company) {
@@ -175,7 +178,7 @@ export const updateProject = async (projectId, data) => {
     .set({
       name: name !== undefined ? name : project.name,
       description: description !== undefined ? description : project.description,
-      companyId: companyId !== undefined ? companyId : project.companyId,
+      companyId: resolvedCompanyId !== undefined ? resolvedCompanyId : project.companyId,
       status: status !== undefined ? status : project.status,
       startDate: startDate !== undefined ? (startDate ? new Date(startDate) : null) : project.startDate,
       endDate: endDate !== undefined ? (endDate ? new Date(endDate) : null) : project.endDate,