fix(task-auth): allow project members to self-assign unassigned tasks (user role)

Author: Diogo-Ferraz

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/PatchTaskItemCommandHandler.cs

@@ -60,8 +60,15 @@ public async Task<TaskItemDto> Handle(PatchTaskItemCommand request, Cancellation
             var isProjectOwner = taskItem.Project.OwnerUserId == currentUserId;
             var isAssignee = taskItem.AssignedUserId == currentUserId;
             var canManageAsProjectManager = isProjectManager && (isProjectOwner || isProjectMember);
+            var isSelfAssigningUnassignedTaskOnly = IsSelfAssigningUnassignedTaskOnly(
+                request,
+                currentUserId,
+                taskItem.AssignedUserId,
+                isAdmin,
+                isProjectManager,
+                isProjectMember);
 
-            if (!isAdmin && !canManageAsProjectManager && !isProjectOwner && !isAssignee)
+            if (!isAdmin && !canManageAsProjectManager && !isProjectOwner && !isAssignee && !isSelfAssigningUnassignedTaskOnly)
             {
                 throw new ForbiddenAccessException("User is not authorized to update this task item.");
             }
@@ -188,6 +195,33 @@ public async Task<TaskItemDto> Handle(PatchTaskItemCommand request, Cancellation
             return assignedUserId.Trim();
         }
 
+        private static bool IsSelfAssigningUnassignedTaskOnly(
+            PatchTaskItemCommand request,
+            string currentUserId,
+            string? currentAssignedUserId,
+            bool isAdmin,
+            bool isProjectManager,
+            bool isProjectMember)
+        {
+            if (isAdmin || isProjectManager || !isProjectMember)
+            {
+                return false;
+            }
+
+            if (!request.AssignedUserId.HasValue || !string.IsNullOrWhiteSpace(currentAssignedUserId))
+            {
+                return false;
+            }
+
+            if (request.Title.HasValue || request.Description.HasValue || request.Status.HasValue || request.DueDate.HasValue)
+            {
+                return false;
+            }
+
+            var normalizedRequestedAssignee = NormalizeAssignedUserId(request.AssignedUserId.Value);
+            return string.Equals(normalizedRequestedAssignee, currentUserId, StringComparison.Ordinal);
+        }
+
         private static void EnsureAssignmentChangeAllowedForCurrentUser(
             string currentUserId,
             string? currentAssignedUserId,

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/UpdateTaskItemCommandHandler.cs

@@ -59,8 +59,15 @@ public async Task<TaskItemDto> Handle(UpdateTaskItemCommand request, Cancellatio
             bool isProjectOwner = taskItem.Project.OwnerUserId == currentUserId;
             bool isAssignee = taskItem.AssignedUserId == currentUserId;
             var canManageAsProjectManager = isProjectManager && (isProjectOwner || isProjectMember);
+            var isSelfAssigningUnassignedTaskOnly = IsSelfAssigningUnassignedTaskOnly(
+                request,
+                taskItem,
+                currentUserId,
+                isAdmin,
+                isProjectManager,
+                isProjectMember);
 
-            if (!isAdmin && !canManageAsProjectManager && !isProjectOwner && !isAssignee)
+            if (!isAdmin && !canManageAsProjectManager && !isProjectOwner && !isAssignee && !isSelfAssigningUnassignedTaskOnly)
             {
                 throw new ForbiddenAccessException("User is not authorized to update this task item.");
             }
@@ -176,6 +183,36 @@ public async Task<TaskItemDto> Handle(UpdateTaskItemCommand request, Cancellatio
             return assignedUserId.Trim();
         }
 
+        private static bool IsSelfAssigningUnassignedTaskOnly(
+            UpdateTaskItemCommand request,
+            TaskItem taskItem,
+            string currentUserId,
+            bool isAdmin,
+            bool isProjectManager,
+            bool isProjectMember)
+        {
+            if (isAdmin || isProjectManager || !isProjectMember)
+            {
+                return false;
+            }
+
+            if (!string.IsNullOrWhiteSpace(taskItem.AssignedUserId))
+            {
+                return false;
+            }
+
+            var normalizedRequestedAssignee = NormalizeAssignedUserId(request.AssignedUserId);
+            if (!string.Equals(normalizedRequestedAssignee, currentUserId, StringComparison.Ordinal))
+            {
+                return false;
+            }
+
+            return string.Equals(request.Title, taskItem.Title, StringComparison.Ordinal)
+                   && string.Equals(request.Description, taskItem.Description, StringComparison.Ordinal)
+                   && request.Status == taskItem.Status
+                   && request.DueDate == taskItem.DueDate;
+        }
+
         private static void EnsureAssignmentChangeAllowedForCurrentUser(
             string currentUserId,
             string? currentAssignedUserId,

tests/TaskManagement.Api.Tests/IntegrationTests/Features/TaskItems/PatchTaskItemEndpointTests.cs

@@ -23,6 +23,7 @@ public class PatchTaskItemEndpointTests : IClassFixture<ApiWebApplicationFactory
 
         private readonly Guid _projectId = Guid.NewGuid();
         private readonly Guid _taskId = Guid.NewGuid();
+        private readonly Guid _unassignedTaskId = Guid.NewGuid();
         private readonly string _ownerUserId = "user-task-patch-owner";
         private readonly string _memberUserId = "user-task-patch-member";
         private readonly string _otherUserId = "user-task-patch-other";
@@ -63,6 +64,15 @@ await _factory.SeedDatabaseAsync(db =>
                     ProjectId = _projectId,
                     AssignedUserId = _memberUserId
                 });
+                db.TaskItems.Add(new TaskItem
+                {
+                    Id = _unassignedTaskId,
+                    Title = "Unassigned Task",
+                    Description = "No assignee yet",
+                    Status = TaskStatus.Todo,
+                    ProjectId = _projectId,
+                    AssignedUserId = null
+                });
                 return Task.CompletedTask;
             });
         }
@@ -188,6 +198,35 @@ public async Task PatchTaskItem_WhenUserAssignsTaskToAnotherUser_ShouldReturnFor
             response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         }
 
+        [Fact]
+        public async Task PatchTaskItem_WhenProjectMemberSelfAssignsUnassignedTask_ShouldReturnOk()
+        {
+            SetAuthenticatedUser(_memberUserId);
+            var command = new PatchTaskItemCommand { AssignedUserId = _memberUserId };
+
+            var response = await _client.PatchAsJsonAsync($"/api/taskitems/{_unassignedTaskId}", command);
+
+            response.StatusCode.Should().Be(HttpStatusCode.OK);
+            var dto = await response.Content.ReadFromJsonAsync<TaskItemDto>();
+            dto.Should().NotBeNull();
+            dto!.AssignedUserId.Should().Be(_memberUserId);
+        }
+
+        [Fact]
+        public async Task PatchTaskItem_WhenProjectMemberSelfAssignsUnassignedTaskAndChangesOtherFields_ShouldReturnForbidden()
+        {
+            SetAuthenticatedUser(_memberUserId);
+            var command = new PatchTaskItemCommand
+            {
+                AssignedUserId = _memberUserId,
+                Title = "Should not be allowed"
+            };
+
+            var response = await _client.PatchAsJsonAsync($"/api/taskitems/{_unassignedTaskId}", command);
+
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        }
+
         private void SetAuthenticatedUser(string userId, string? roles = null)
         {
             _client.DefaultRequestHeaders.Remove(TestAuthenticationHandler.TestUserIdHeader);