feat(taskitems): enforce non-project-manager assignee rule across create/update/patch with role-aware validation

Author: Diogo-Ferraz

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/CreateTaskItemCommandHandler.cs

@@ -77,6 +77,7 @@ public async Task<TaskItemDto> Handle(CreateTaskItemCommand request, Cancellatio
                     });
                 }
 
+                await EnsureAssignableUserRoleAsync(assignedUserId, nameof(request.AssignedUserId), cancellationToken);
                 EnsureProjectMember(_dbContext, project, assignedUserId, currentUserId);
             }
 
@@ -110,6 +111,20 @@ public async Task<TaskItemDto> Handle(CreateTaskItemCommand request, Cancellatio
             return assignedUserId.Trim();
         }
 
+        private async Task EnsureAssignableUserRoleAsync(string assignedUserId, string propertyName, CancellationToken cancellationToken)
+        {
+            var userSummary = await _userDirectoryService.GetUserSummaryAsync(assignedUserId, cancellationToken);
+            var roles = userSummary?.Roles ?? Array.Empty<string>();
+
+            if (roles.Contains(Roles.ProjectManager))
+            {
+                throw new ValidationException(new[]
+                {
+                    new ValidationFailure(propertyName, "Assigned user cannot have ProjectManager role.")
+                });
+            }
+        }
+
         private static void EnsureProjectMember(
             TaskManagementDbContext dbContext,
             Projects.Models.Project project,

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/PatchTaskItemCommandHandler.cs

@@ -89,6 +89,7 @@ public async Task<TaskItemDto> Handle(PatchTaskItemCommand request, Cancellation
                         });
                     }
 
+                    await EnsureAssignableUserRoleAsync(normalizedAssignedUserId, nameof(request.AssignedUserId), cancellationToken);
                     EnsureProjectMember(_dbContext, taskItem.Project, normalizedAssignedUserId, currentUserId);
                     taskItem.AssignedUserId = normalizedAssignedUserId;
                 }
@@ -179,6 +180,20 @@ public async Task<TaskItemDto> Handle(PatchTaskItemCommand request, Cancellation
             return assignedUserId.Trim();
         }
 
+        private async Task EnsureAssignableUserRoleAsync(string assignedUserId, string propertyName, CancellationToken cancellationToken)
+        {
+            var userSummary = await _userDirectoryService.GetUserSummaryAsync(assignedUserId, cancellationToken);
+            var roles = userSummary?.Roles ?? Array.Empty<string>();
+
+            if (roles.Contains(Roles.ProjectManager))
+            {
+                throw new ValidationException(new[]
+                {
+                    new ValidationFailure(propertyName, "Assigned user cannot have ProjectManager role.")
+                });
+            }
+        }
+
         private static void EnsureProjectMember(
             TaskManagementDbContext dbContext,
             Projects.Models.Project project,

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/UpdateTaskItemCommandHandler.cs

@@ -76,6 +76,7 @@ public async Task<TaskItemDto> Handle(UpdateTaskItemCommand request, Cancellatio
                     });
                 }
 
+                await EnsureAssignableUserRoleAsync(assignedUserId, nameof(request.AssignedUserId), cancellationToken);
                 EnsureProjectMember(_dbContext, taskItem.Project, assignedUserId, currentUserId);
             }
 
@@ -172,6 +173,20 @@ public async Task<TaskItemDto> Handle(UpdateTaskItemCommand request, Cancellatio
             return assignedUserId.Trim();
         }
 
+        private async Task EnsureAssignableUserRoleAsync(string assignedUserId, string propertyName, CancellationToken cancellationToken)
+        {
+            var userSummary = await _userDirectoryService.GetUserSummaryAsync(assignedUserId, cancellationToken);
+            var roles = userSummary?.Roles ?? Array.Empty<string>();
+
+            if (roles.Contains(Roles.ProjectManager))
+            {
+                throw new ValidationException(new[]
+                {
+                    new ValidationFailure(propertyName, "Assigned user cannot have ProjectManager role.")
+                });
+            }
+        }
+
         private static void EnsureProjectMember(
             TaskManagementDbContext dbContext,
             Projects.Models.Project project,

src/TaskManagement.Api/Features/Users/Services/AuthUserDirectoryService.cs

@@ -82,7 +82,9 @@ public async Task<bool> UserExistsAsync(string userId, CancellationToken cancell
             return new UserDirectorySummary
             {
                 DisplayName = displayName,
-                Email = user?.Email
+                Email = user?.Email,
+                Roles = user?.Roles?.Where(role => !string.IsNullOrWhiteSpace(role)).Select(role => role.Trim()).ToList()
+                    ?? []
             };
         }
 
@@ -92,6 +94,7 @@ private sealed class UserSummaryResponse
             public string? UserName { get; set; }
             public string? Email { get; set; }
             public bool IsActive { get; set; }
+            public List<string> Roles { get; set; } = [];
         }
     }
 }

src/TaskManagement.Api/Features/Users/Services/Models/UserDirectorySummary.cs

@@ -4,5 +4,6 @@ public sealed class UserDirectorySummary
     {
         public string? DisplayName { get; init; }
         public string? Email { get; init; }
+        public IReadOnlyCollection<string> Roles { get; init; } = Array.Empty<string>();
     }
 }

tests/TaskManagement.Api.Tests/IntegrationTests/Features/Spa/SpaDashboardKanbanFlowTests.cs

@@ -53,7 +53,7 @@ public async Task SpaDashboardAndKanbanFlow_ShouldSupportTypicalProjectLifecycle
 
             // 2) Project manager creates tasks that will populate Kanban columns.
             var todoTask = await CreateTaskAsync(projectId, "Task Todo", TaskStatus.Todo, MemberUserId);
-            var inProgressTask = await CreateTaskAsync(projectId, "Task In Progress", TaskStatus.InProgress, ProjectManagerId);
+            var inProgressTask = await CreateTaskAsync(projectId, "Task In Progress", TaskStatus.InProgress, MemberUserId);
             var doneTask = await CreateTaskAsync(projectId, "Task Done", TaskStatus.Done, MemberUserId);
 
             // 3) Member user can fetch visible projects (project picker in SPA).
@@ -71,7 +71,7 @@ public async Task SpaDashboardAndKanbanFlow_ShouldSupportTypicalProjectLifecycle
             kanbanTasks.Should().NotBeNull();
             kanbanTasks!.Should().HaveCount(3);
             kanbanTasks.Should().Contain(t => t.Id == todoTask.Id && t.AssignedUserId == MemberUserId);
-            kanbanTasks.Should().Contain(t => t.Id == inProgressTask.Id && t.AssignedUserId == ProjectManagerId);
+            kanbanTasks.Should().Contain(t => t.Id == inProgressTask.Id && t.AssignedUserId == MemberUserId);
             kanbanTasks.Should().Contain(t => t.Id == doneTask.Id && t.Status == TaskStatus.Done);
 
             // 5) Member updates one task status (typical drag-and-drop status move).
@@ -91,7 +91,7 @@ public async Task SpaDashboardAndKanbanFlow_ShouldSupportTypicalProjectLifecycle
             var dashboard = await dashboardResponse.Content.ReadFromJsonAsync<DashboardSummaryDto>();
             dashboard.Should().NotBeNull();
             dashboard!.ProjectsCount.Should().Be(1);
-            dashboard.AssignedTasksCount.Should().Be(2);
+            dashboard.AssignedTasksCount.Should().Be(3);
             dashboard.TasksClosedThisWeekCount.Should().Be(1);
             dashboard.OverdueAssignedTasksCount.Should().Be(0);
 

tests/TaskManagement.Api.Tests/IntegrationTests/Features/TaskItems/CreateTaskItemEndpointTests.cs

@@ -204,6 +204,28 @@ public async Task CreateTaskItem_WhenUserIsNotMemberOrOwner_ShouldReturnForbidde
             response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         }
 
+        [Fact]
+        public async Task CreateTaskItem_WhenAssignedUserIsProjectManager_ShouldReturnBadRequest()
+        {
+            // Arrange
+            SetAuthenticatedUser(_projectOwnerId);
+            var command = new CreateTaskItemCommand
+            {
+                ProjectId = _project1Id,
+                Title = "Task With Project Manager Assignee",
+                AssignedUserId = "user-pm-create"
+            };
+
+            // Act
+            var response = await _client.PostAsJsonAsync("/api/taskitems", command);
+
+            // Assert
+            response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+            var problemDetails = await response.Content.ReadFromJsonAsync<ValidationProblemDetails>();
+            problemDetails.Should().NotBeNull();
+            problemDetails!.Errors.Should().ContainKey(nameof(CreateTaskItemCommand.AssignedUserId));
+        }
+
         [Fact]
         public async Task CreateTaskItem_ForNonExistentProject_ShouldReturnNotFound()
         {

tests/TaskManagement.Api.Tests/IntegrationTests/Fixtures/TestUserDirectoryService.cs

@@ -30,8 +30,25 @@ public Task<bool> UserExistsAsync(string userId, CancellationToken cancellationT
             return Task.FromResult<UserDirectorySummary?>(new UserDirectorySummary
             {
                 DisplayName = $"Test User {userId}",
-                Email = $"{userId}@example.test"
+                Email = $"{userId}@example.test",
+                Roles = ResolveRoles(userId)
             });
         }
+
+        private static IReadOnlyCollection<string> ResolveRoles(string userId)
+        {
+            if (userId.Contains("pm", StringComparison.OrdinalIgnoreCase)
+                || userId.Contains("project-manager", StringComparison.OrdinalIgnoreCase))
+            {
+                return ["ProjectManager"];
+            }
+
+            if (userId.Contains("admin", StringComparison.OrdinalIgnoreCase))
+            {
+                return ["Administrator"];
+            }
+
+            return ["User"];
+        }
     }
 }