feat(api): align task delete authorization with role/assignee rules and update integration tests

Diogo-Ferraz · Diogo-Ferraz · commit 926ec21cf488 · 2026-02-22T19:10:50.000Z
diff --git a/src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/DeleteTaskItemCommandHandler.cs b/src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/DeleteTaskItemCommandHandler.cs
@@ -45,13 +45,13 @@ public async Task Handle(DeleteTaskItemCommand request, CancellationToken cancel
 
             var isAdmin = _currentUserService.IsInRole(Roles.Administrator);
             var isProjectManager = _currentUserService.IsInRole(Roles.ProjectManager);
+            var isAssignee = taskItem.AssignedUserId == currentUserId;
             var isProjectMember = await _dbContext.ProjectMembers
                 .AnyAsync(pm => pm.ProjectId == taskItem.ProjectId && pm.UserId == currentUserId, cancellationToken);
             bool isProjectOwner = taskItem.Project.OwnerUserId == currentUserId;
             var canDeleteAsProjectManager = isProjectManager && (isProjectOwner || isProjectMember);
 
-            // Keep user deletes stricter: owner-only unless elevated role.
-            if (!isAdmin && !canDeleteAsProjectManager && !isProjectOwner)
+            if (!isAdmin && !canDeleteAsProjectManager && !isProjectOwner && !isAssignee)
             {
                 throw new ForbiddenAccessException("User is not authorized to delete this task item.");
             }
diff --git a/tests/TaskManagement.Api.Tests/IntegrationTests/Features/TaskItems/DeleteTaskItemEndpointTests.cs b/tests/TaskManagement.Api.Tests/IntegrationTests/Features/TaskItems/DeleteTaskItemEndpointTests.cs
@@ -169,7 +169,7 @@ public async Task DeleteTaskItem_WhenUserIsAdministrator_ShouldReturnNoContentAn
         }
 
         [Fact]
-        public async Task DeleteTaskItem_WhenUserIsAssigneeButNotOwner_ShouldReturnForbidden()
+        public async Task DeleteTaskItem_WhenUserIsAssigneeButNotOwner_ShouldReturnNoContentAndDeleteTask()
         {
             // Arrange
             SetAuthenticatedUser(_taskAssigneeId);
@@ -184,15 +184,15 @@ public async Task DeleteTaskItem_WhenUserIsAssigneeButNotOwner_ShouldReturnForbi
             var response = await _client.DeleteAsync($"/api/taskitems/{_taskToDeleteId}");
 
             // Assert Response
-            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+            response.StatusCode.Should().Be(HttpStatusCode.NoContent);
 
             // Assert Database State
             using (var scope = _factory.Services.CreateScope())
             {
                 var dbContext = scope.ServiceProvider.GetRequiredService<TaskManagementDbContext>();
                 var taskInDb = await dbContext.TaskItems.FindAsync(_taskToDeleteId);
-                taskInDb.Should().NotBeNull();
-                (await dbContext.TaskItems.Where(t => t.ProjectId == _projectId).CountAsync()).Should().Be(initialTaskCount);
+                taskInDb.Should().BeNull();
+                (await dbContext.TaskItems.Where(t => t.ProjectId == _projectId).CountAsync()).Should().Be(initialTaskCount - 1);
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -45,13 +45,13 @@ public async Task Handle(DeleteTaskItemCommand request, CancellationToken cancel`
`45`	`45`
`46`	`46`	`var isAdmin = _currentUserService.IsInRole(Roles.Administrator);`
`47`	`47`	`var isProjectManager = _currentUserService.IsInRole(Roles.ProjectManager);`
	`48`	`+ var isAssignee = taskItem.AssignedUserId == currentUserId;`
`48`	`49`	`var isProjectMember = await _dbContext.ProjectMembers`
`49`	`50`	`.AnyAsync(pm => pm.ProjectId == taskItem.ProjectId && pm.UserId == currentUserId, cancellationToken);`
`50`	`51`	`bool isProjectOwner = taskItem.Project.OwnerUserId == currentUserId;`
`51`	`52`	`var canDeleteAsProjectManager = isProjectManager && (isProjectOwner \|\| isProjectMember);`
`52`	`53`
`53`		`- // Keep user deletes stricter: owner-only unless elevated role.`
`54`		`- if (!isAdmin && !canDeleteAsProjectManager && !isProjectOwner)`
	`54`	`+ if (!isAdmin && !canDeleteAsProjectManager && !isProjectOwner && !isAssignee)`
`55`	`55`	`{`
`56`	`56`	`throw new ForbiddenAccessException("User is not authorized to delete this task item.");`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ public async Task DeleteTaskItem_WhenUserIsAdministrator_ShouldReturnNoContentAn`
`169`	`169`	`}`
`170`	`170`
`171`	`171`	`[Fact]`
`172`		`- public async Task DeleteTaskItem_WhenUserIsAssigneeButNotOwner_ShouldReturnForbidden()`
	`172`	`+ public async Task DeleteTaskItem_WhenUserIsAssigneeButNotOwner_ShouldReturnNoContentAndDeleteTask()`
`173`	`173`	`{`
`174`	`174`	`// Arrange`
`175`	`175`	`SetAuthenticatedUser(_taskAssigneeId);`
`@@ -184,15 +184,15 @@ public async Task DeleteTaskItem_WhenUserIsAssigneeButNotOwner_ShouldReturnForbi`
`184`	`184`	`var response = await _client.DeleteAsync($"/api/taskitems/{_taskToDeleteId}");`
`185`	`185`
`186`	`186`	`// Assert Response`
`187`		`- response.StatusCode.Should().Be(HttpStatusCode.Forbidden);`
	`187`	`+ response.StatusCode.Should().Be(HttpStatusCode.NoContent);`
`188`	`188`
`189`	`189`	`// Assert Database State`
`190`	`190`	`using (var scope = _factory.Services.CreateScope())`
`191`	`191`	`{`
`192`	`192`	`var dbContext = scope.ServiceProvider.GetRequiredService<TaskManagementDbContext>();`
`193`	`193`	`var taskInDb = await dbContext.TaskItems.FindAsync(_taskToDeleteId);`
`194`		`- taskInDb.Should().NotBeNull();`
`195`		`- (await dbContext.TaskItems.Where(t => t.ProjectId == _projectId).CountAsync()).Should().Be(initialTaskCount);`
	`194`	`+ taskInDb.Should().BeNull();`
	`195`	`+ (await dbContext.TaskItems.Where(t => t.ProjectId == _projectId).CountAsync()).Should().Be(initialTaskCount - 1);`
`196`	`196`	`}`
`197`	`197`	`}`
`198`	`198`