fix(task-assignment-rules): enforce self-assign/self-unassign for user role with updated tests

Author: Diogo-Ferraz

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/CreateTaskItemCommandHandler.cs

@@ -54,6 +54,7 @@ public async Task<TaskItemDto> Handle(CreateTaskItemCommand request, Cancellatio
             }
 
             var isAdmin = _currentUserService.IsInRole(Roles.Administrator);
+            var isProjectManager = _currentUserService.IsInRole(Roles.ProjectManager);
             var isAuthorized = isAdmin
                                || project.OwnerUserId == currentUserId
                                || project.Members.Any(m => m.UserId == currentUserId);
@@ -65,6 +66,7 @@ public async Task<TaskItemDto> Handle(CreateTaskItemCommand request, Cancellatio
 
             var taskItem = _mapper.Map<TaskItem>(request);
             var assignedUserId = NormalizeAssignedUserId(request.AssignedUserId);
+            EnsureAssignmentChangeAllowedForCurrentUser(currentUserId, assignedUserId, isAdmin, isProjectManager);
             if (assignedUserId != null)
             {
                 var userExists = await _userDirectoryService.UserExistsAsync(assignedUserId, cancellationToken);
@@ -111,6 +113,23 @@ public async Task<TaskItemDto> Handle(CreateTaskItemCommand request, Cancellatio
             return assignedUserId.Trim();
         }
 
+        private static void EnsureAssignmentChangeAllowedForCurrentUser(
+            string currentUserId,
+            string? newAssignedUserId,
+            bool isAdmin,
+            bool isProjectManager)
+        {
+            if (isAdmin || isProjectManager)
+            {
+                return;
+            }
+
+            if (newAssignedUserId != null && !string.Equals(newAssignedUserId, currentUserId, StringComparison.Ordinal))
+            {
+                throw new ForbiddenAccessException("Users can only assign tasks to themselves.");
+            }
+        }
+
         private async Task EnsureAssignableUserRoleAsync(string assignedUserId, string propertyName, CancellationToken cancellationToken)
         {
             var userSummary = await _userDirectoryService.GetUserSummaryAsync(assignedUserId, cancellationToken);

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/PatchTaskItemCommandHandler.cs

@@ -55,11 +55,13 @@ public async Task<TaskItemDto> Handle(PatchTaskItemCommand request, Cancellation
             }
 
             var isAdmin = _currentUserService.IsInRole(Roles.Administrator);
+            var isProjectManager = _currentUserService.IsInRole(Roles.ProjectManager);
             var isProjectMember = taskItem.Project.Members.Any(m => m.UserId == currentUserId);
             var isProjectOwner = taskItem.Project.OwnerUserId == currentUserId;
             var isAssignee = taskItem.AssignedUserId == currentUserId;
+            var canManageAsProjectManager = isProjectManager && (isProjectOwner || isProjectMember);
 
-            if (!isAdmin && !isProjectOwner && !isAssignee && !isProjectMember)
+            if (!isAdmin && !canManageAsProjectManager && !isProjectOwner && !isAssignee)
             {
                 throw new ForbiddenAccessException("User is not authorized to update this task item.");
             }
@@ -73,6 +75,12 @@ public async Task<TaskItemDto> Handle(PatchTaskItemCommand request, Cancellation
             if (request.AssignedUserId.HasValue)
             {
                 var normalizedAssignedUserId = NormalizeAssignedUserId(request.AssignedUserId.Value);
+                EnsureAssignmentChangeAllowedForCurrentUser(
+                    currentUserId,
+                    taskItem.AssignedUserId,
+                    normalizedAssignedUserId,
+                    isAdmin,
+                    isProjectManager);
                 if (normalizedAssignedUserId == null)
                 {
                     taskItem.AssignedUserId = null;
@@ -180,6 +188,34 @@ public async Task<TaskItemDto> Handle(PatchTaskItemCommand request, Cancellation
             return assignedUserId.Trim();
         }
 
+        private static void EnsureAssignmentChangeAllowedForCurrentUser(
+            string currentUserId,
+            string? currentAssignedUserId,
+            string? newAssignedUserId,
+            bool isAdmin,
+            bool isProjectManager)
+        {
+            if (isAdmin || isProjectManager)
+            {
+                return;
+            }
+
+            if (newAssignedUserId == null)
+            {
+                if (!string.Equals(currentAssignedUserId, currentUserId, StringComparison.Ordinal))
+                {
+                    throw new ForbiddenAccessException("Users can only unassign tasks currently assigned to themselves.");
+                }
+
+                return;
+            }
+
+            if (!string.Equals(newAssignedUserId, currentUserId, StringComparison.Ordinal))
+            {
+                throw new ForbiddenAccessException("Users can only assign tasks to themselves.");
+            }
+        }
+
         private async Task EnsureAssignableUserRoleAsync(string assignedUserId, string propertyName, CancellationToken cancellationToken)
         {
             var userSummary = await _userDirectoryService.GetUserSummaryAsync(assignedUserId, cancellationToken);

src/TaskManagement.Api/Features/TaskItems/Commands/Handlers/UpdateTaskItemCommandHandler.cs

@@ -54,16 +54,19 @@ public async Task<TaskItemDto> Handle(UpdateTaskItemCommand request, Cancellatio
                 throw new NotFoundException(nameof(TaskItem), request.Id);
             }
             var isAdmin = _currentUserService.IsInRole(Roles.Administrator);
+            var isProjectManager = _currentUserService.IsInRole(Roles.ProjectManager);
             var isProjectMember = taskItem.Project.Members.Any(m => m.UserId == currentUserId);
             bool isProjectOwner = taskItem.Project.OwnerUserId == currentUserId;
             bool isAssignee = taskItem.AssignedUserId == currentUserId;
+            var canManageAsProjectManager = isProjectManager && (isProjectOwner || isProjectMember);
 
-            if (!isAdmin && !isProjectOwner && !isAssignee && !isProjectMember)
+            if (!isAdmin && !canManageAsProjectManager && !isProjectOwner && !isAssignee)
             {
                 throw new ForbiddenAccessException("User is not authorized to update this task item.");
             }
 
             var assignedUserId = NormalizeAssignedUserId(request.AssignedUserId);
+            EnsureAssignmentChangeAllowedForCurrentUser(currentUserId, taskItem.AssignedUserId, assignedUserId, isAdmin, isProjectManager);
             if (assignedUserId != null)
             {
                 var userExists = await _userDirectoryService.UserExistsAsync(assignedUserId, cancellationToken);
@@ -173,6 +176,34 @@ public async Task<TaskItemDto> Handle(UpdateTaskItemCommand request, Cancellatio
             return assignedUserId.Trim();
         }
 
+        private static void EnsureAssignmentChangeAllowedForCurrentUser(
+            string currentUserId,
+            string? currentAssignedUserId,
+            string? newAssignedUserId,
+            bool isAdmin,
+            bool isProjectManager)
+        {
+            if (isAdmin || isProjectManager)
+            {
+                return;
+            }
+
+            if (newAssignedUserId == null)
+            {
+                if (!string.Equals(currentAssignedUserId, currentUserId, StringComparison.Ordinal))
+                {
+                    throw new ForbiddenAccessException("Users can only unassign tasks currently assigned to themselves.");
+                }
+
+                return;
+            }
+
+            if (!string.Equals(newAssignedUserId, currentUserId, StringComparison.Ordinal))
+            {
+                throw new ForbiddenAccessException("Users can only assign tasks to themselves.");
+            }
+        }
+
         private async Task EnsureAssignableUserRoleAsync(string assignedUserId, string propertyName, CancellationToken cancellationToken)
         {
             var userSummary = await _userDirectoryService.GetUserSummaryAsync(assignedUserId, cancellationToken);

tests/TaskManagement.Api.Tests/IntegrationTests/Features/TaskItems/CreateTaskItemEndpointTests.cs

@@ -78,7 +78,7 @@ private void SetAuthenticatedUser(string userId, string? roles = null)
         public async Task CreateTaskItem_WhenUserIsProjectOwner_ShouldReturnCreatedAndTaskDto()
         {
             // Arrange
-            SetAuthenticatedUser(_projectOwnerId);
+            SetAuthenticatedUser(_projectOwnerId, Roles.ProjectManager);
             var command = new CreateTaskItemCommand
             {
                 ProjectId = _project1Id,
@@ -136,6 +136,25 @@ public async Task CreateTaskItem_WhenUserIsProjectMember_ShouldReturnCreatedAndT
             createdDto.CreatedByUserId.Should().Be(_projectMemberId);
         }
 
+        [Fact]
+        public async Task CreateTaskItem_WhenUserAssignsTaskToAnotherUser_ShouldReturnForbidden()
+        {
+            // Arrange
+            SetAuthenticatedUser(_projectMemberId, Roles.User);
+            var command = new CreateTaskItemCommand
+            {
+                ProjectId = _project1Id,
+                Title = "Invalid assignment",
+                AssignedUserId = _unrelatedUserId
+            };
+
+            // Act
+            var response = await _client.PostAsJsonAsync("/api/taskitems", command);
+
+            // Assert
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        }
+
         [Fact]
         public async Task CreateTaskItem_WhenUserIsAdministrator_ShouldReturnCreatedAndTaskDto()
         {
@@ -164,7 +183,7 @@ public async Task CreateTaskItem_WhenUserIsAdministrator_ShouldReturnCreatedAndT
         public async Task CreateTaskItem_ShouldAutoAddMember_WhenAssigneeIsNotProjectMember()
         {
             // Arrange
-            SetAuthenticatedUser(_projectOwnerId);
+            SetAuthenticatedUser(_projectOwnerId, Roles.ProjectManager);
             var newAssigneeId = "user-task-new-member-create";
             var command = new CreateTaskItemCommand
             {
@@ -208,7 +227,7 @@ public async Task CreateTaskItem_WhenUserIsNotMemberOrOwner_ShouldReturnForbidde
         public async Task CreateTaskItem_WhenAssignedUserIsProjectManager_ShouldReturnBadRequest()
         {
             // Arrange
-            SetAuthenticatedUser(_projectOwnerId);
+            SetAuthenticatedUser(_projectOwnerId, Roles.ProjectManager);
             var command = new CreateTaskItemCommand
             {
                 ProjectId = _project1Id,

tests/TaskManagement.Api.Tests/IntegrationTests/Features/TaskItems/PatchTaskItemEndpointTests.cs

@@ -72,7 +72,7 @@ await _factory.SeedDatabaseAsync(db =>
         [Fact]
         public async Task PatchTaskItem_ShouldUpdateStatusAndCreateActivityLog()
         {
-            SetAuthenticatedUser(_ownerUserId);
+            SetAuthenticatedUser(_ownerUserId, Roles.ProjectManager);
             var command = new PatchTaskItemCommand { Status = TaskStatus.Done };
 
             var response = await _client.PatchAsJsonAsync($"/api/taskitems/{_taskId}", command);
@@ -91,7 +91,7 @@ public async Task PatchTaskItem_ShouldUpdateStatusAndCreateActivityLog()
         [Fact]
         public async Task PatchTaskItem_ClearAssignedUser_ShouldSetNull()
         {
-            SetAuthenticatedUser(_ownerUserId);
+            SetAuthenticatedUser(_ownerUserId, Roles.ProjectManager);
             var command = new PatchTaskItemCommand { AssignedUserId = null };
 
             var response = await _client.PatchAsJsonAsync($"/api/taskitems/{_taskId}", command);
@@ -139,12 +139,63 @@ public async Task PatchTaskItem_WhenUserIsNotAuthorized_ShouldReturnForbidden()
             response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         }
 
-        private void SetAuthenticatedUser(string userId)
+        [Fact]
+        public async Task PatchTaskItem_WhenProjectMemberIsNotAssignee_ShouldReturnForbidden()
+        {
+            SetAuthenticatedUser(_otherUserId);
+            await _factory.SeedDatabaseAsync(db =>
+            {
+                var projectMember = new ProjectMember
+                {
+                    ProjectId = _projectId,
+                    UserId = _otherUserId,
+                    AddedByUserId = _ownerUserId,
+                    JoinedAt = DateTime.UtcNow
+                };
+
+                db.ProjectMembers.Add(projectMember);
+                return Task.CompletedTask;
+            });
+
+            var command = new PatchTaskItemCommand { Title = "Member cannot edit another user's task" };
+            var response = await _client.PatchAsJsonAsync($"/api/taskitems/{_taskId}", command);
+
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        }
+
+        [Fact]
+        public async Task PatchTaskItem_WhenAssigneeUserUnassignsSelf_ShouldReturnOk()
+        {
+            SetAuthenticatedUser(_memberUserId);
+            var command = new PatchTaskItemCommand { AssignedUserId = null };
+
+            var response = await _client.PatchAsJsonAsync($"/api/taskitems/{_taskId}", command);
+
+            response.StatusCode.Should().Be(HttpStatusCode.OK);
+            var dto = await response.Content.ReadFromJsonAsync<TaskItemDto>();
+            dto.Should().NotBeNull();
+            dto!.AssignedUserId.Should().BeNull();
+        }
+
+        [Fact]
+        public async Task PatchTaskItem_WhenUserAssignsTaskToAnotherUser_ShouldReturnForbidden()
+        {
+            SetAuthenticatedUser(_memberUserId);
+            var command = new PatchTaskItemCommand { AssignedUserId = _otherUserId };
+
+            var response = await _client.PatchAsJsonAsync($"/api/taskitems/{_taskId}", command);
+
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        }
+
+        private void SetAuthenticatedUser(string userId, string? roles = null)
         {
             _client.DefaultRequestHeaders.Remove(TestAuthenticationHandler.TestUserIdHeader);
             _client.DefaultRequestHeaders.Remove(TestAuthenticationHandler.TestUserRolesHeader);
             _client.DefaultRequestHeaders.Add(TestAuthenticationHandler.TestUserIdHeader, userId);
-            _client.DefaultRequestHeaders.Add(TestAuthenticationHandler.TestUserRolesHeader, Roles.User);
+            _client.DefaultRequestHeaders.Add(
+                TestAuthenticationHandler.TestUserRolesHeader,
+                string.IsNullOrWhiteSpace(roles) ? Roles.User : roles);
         }
     }
 }

tests/TaskManagement.Api.Tests/IntegrationTests/Features/TaskItems/UpdateTaskItemEndpointTests.cs

@@ -107,19 +107,21 @@ await _factory.SeedDatabaseAsync(db =>
 
         public Task DisposeAsync() => Task.CompletedTask;
 
-        private void SetAuthenticatedUser(string userId)
+        private void SetAuthenticatedUser(string userId, string? roles = null)
         {
             _client.DefaultRequestHeaders.Remove(TestAuthenticationHandler.TestUserIdHeader);
             _client.DefaultRequestHeaders.Remove(TestAuthenticationHandler.TestUserRolesHeader);
             _client.DefaultRequestHeaders.Add(TestAuthenticationHandler.TestUserIdHeader, userId);
-            _client.DefaultRequestHeaders.Add(TestAuthenticationHandler.TestUserRolesHeader, Roles.User);
+            _client.DefaultRequestHeaders.Add(
+                TestAuthenticationHandler.TestUserRolesHeader,
+                string.IsNullOrWhiteSpace(roles) ? Roles.User : roles);
         }
 
         [Fact]
         public async Task UpdateTaskItem_WhenUserIsProjectOwner_ShouldReturnOkAndUpdatedDto()
         {
             // Arrange
-            SetAuthenticatedUser(_projectOwnerId);
+            SetAuthenticatedUser(_projectOwnerId, Roles.ProjectManager);
             var command = new UpdateTaskItemCommand
             {
                 Id = _taskIdToUpdate,
@@ -190,7 +192,7 @@ public async Task UpdateTaskItem_WhenUserIsAssignee_ShouldReturnOkAndUpdatedDto(
         public async Task UpdateTaskItem_ShouldAutoAddMember_WhenAssigneeIsNotProjectMember()
         {
             // Arrange
-            SetAuthenticatedUser(_projectOwnerId);
+            SetAuthenticatedUser(_projectOwnerId, Roles.ProjectManager);
             var newAssigneeId = "user-task-new-member-update";
             var command = new UpdateTaskItemCommand
             {
@@ -217,17 +219,42 @@ public async Task UpdateTaskItem_ShouldAutoAddMember_WhenAssigneeIsNotProjectMem
         }
 
         [Fact]
-        public async Task UpdateTaskItem_WhenUserIsProjectMemberButNotAssigneeOrOwner_ShouldReturnOk()
+        public async Task UpdateTaskItem_WhenUserIsProjectMemberButNotAssigneeOrOwner_ShouldReturnForbidden()
         {
             // Arrange
             SetAuthenticatedUser(_projectMemberNotAssigneeId);
-            var command = new UpdateTaskItemCommand { Id = _taskIdToUpdate, Title = "Member Update Attempt" };
+            var command = new UpdateTaskItemCommand
+            {
+                Id = _taskIdToUpdate,
+                Title = "Member Update Attempt",
+                AssignedUserId = _projectMemberNotAssigneeId
+            };
 
             // Act
             var response = await _client.PutAsJsonAsync($"/api/taskitems/{_taskIdToUpdate}", command);
 
             // Assert Response
-            response.StatusCode.Should().Be(HttpStatusCode.OK);
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        }
+
+        [Fact]
+        public async Task UpdateTaskItem_WhenRegularUserAssignsTaskToAnotherUser_ShouldReturnForbidden()
+        {
+            // Arrange
+            SetAuthenticatedUser(_projectMemberNotAssigneeId);
+            var command = new UpdateTaskItemCommand
+            {
+                Id = _taskIdToUpdate,
+                Title = "Attempt Assign Other User",
+                Status = TaskStatus.InProgress,
+                AssignedUserId = _taskAssigneeId
+            };
+
+            // Act
+            var response = await _client.PutAsJsonAsync($"/api/taskitems/{_taskIdToUpdate}", command);
+
+            // Assert
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         }
 
         [Fact]

tests/TaskManagement.Api.Tests/UnitTests/Features/TaskItems/Commands/CreateTaskItemCommandHandlerTests.cs

@@ -215,6 +215,7 @@ public async Task Handle_ShouldThrowValidationException_WhenAssignedUserDoesNotE
                 AssignedUserId = "invalid-user"
             };
             _mockCurrentUser.Setup(u => u.Id).Returns(_projectOwnerId);
+            _mockCurrentUser.Setup(u => u.IsInRole(Roles.ProjectManager)).Returns(true);
             _mockUserDirectory
                 .Setup(s => s.UserExistsAsync(command.AssignedUserId!, It.IsAny<CancellationToken>()))
                 .ReturnsAsync(false);
@@ -241,6 +242,7 @@ public async Task Handle_ShouldAutoAddMember_WhenAssignedUserIsNotProjectMember(
                 AssignedUserId = newAssigneeId
             };
             _mockCurrentUser.Setup(u => u.Id).Returns(_projectOwnerId);
+            _mockCurrentUser.Setup(u => u.IsInRole(Roles.ProjectManager)).Returns(true);
             _mockUserDirectory
                 .Setup(s => s.UserExistsAsync(newAssigneeId, It.IsAny<CancellationToken>()))
                 .ReturnsAsync(true);