14579 Commits

Author SHA1 Message Date
Harsh Mahajan ecdf051a41 Merge pull request #3078 from appwrite/feat-project-specific-roles-plan-flag
feat: gate project-specific roles on supportsProjectSpecificRoles plag
8.4.8
2026-06-04 14:38:10 +05:30
harsh mahajan 08d0060ddb chore: remove unused granularProjectAccess feature flag 2026-06-04 14:34:12 +05:30
harsh mahajan 9be285a786 format 2026-06-04 14:32:15 +05:30
harsh mahajan dd6e7aeaf3 fix: show Edit role button when either supportsOrgRoles or supportsProjectRoles is true
Plans with supportsProjectSpecificRoles=true but supportsOrganizationRoles=false
would show project-role badges in the table but have no way to edit them.
2026-06-04 14:30:08 +05:30
harsh mahajan 109d27fbf5 feat: remove granularProjectAccess feature flag from project-specific roles
Gate solely on supportsProjectSpecificRoles plan flag — no feature flag
needed. Also always fetch orgProjects in page load since it is no longer
conditionally needed.
2026-06-04 14:29:13 +05:30
harsh mahajan 29ad2341cb format 2026-06-04 14:20:42 +05:30
harsh mahajan db3eccd4ba fix: gate Edit role button on supportsOrganizationRoles, not supportsProjectSpecificRoles
supportsProjectSpecificRoles only controls the project-specific toggle inside
the edit modal. The Edit role button should show for any plan that supports
org-level roles — use a separate supportsOrgRoles derived from
supportsOrganizationRoles for that. Also add !! coercion for consistency.
2026-06-04 14:19:33 +05:30
harsh mahajan ca592d05a8 feat: gate project-specific roles on supportsProjectSpecificRoles plan flag
Update SDK to @appwrite.io/console@82069e6 which exposes the new flag.
Replace supportsOrganizationRoles with supportsProjectSpecificRoles in
createMember, edit, and members page — org roles and project-specific
roles are now independently gated by their own plan flags.
2026-06-04 14:03:18 +05:30
Harsh Mahajan 378c7c699d Merge pull request #3075 from appwrite/fix-overview-remove-usage-stats
fix: remove inaccurate usage stats from project overview
8.4.7
2026-06-02 11:15:39 +05:30
harsh mahajan 0a141d0baf chore: bump vitest to 4.x, fix date mocking in support store tests
Resolves critical advisory GHSA-5xrq-8626-4rwp. Updated store.test.ts
to use vi.useFakeTimers/vi.setSystemTime instead of the constructor spy
pattern that Vitest 4 no longer supports.
2026-06-02 11:06:15 +05:30
harsh mahajan 7ca457edef bun update 2026-06-02 11:02:24 +05:30
harsh mahajan 4e3777f9da fix: remove inaccurate usage stats from project overview
Keep Database, Storage, Auth, and Functions as nav tiles — icon + label
only. Stats were consistently reported as inaccurate; nav value is
preserved. Mobile layout uses a 2×2 grid instead of a vertical stack.
2026-06-02 10:59:47 +05:30
Harsh Mahajan 09ec282a69 Merge pull request #3067 from appwrite/feat-oauth2server-settings
feat: add OAuth2 server settings card and update SDK
8.4.6
2026-06-01 17:20:56 +05:30
harsh mahajan 01273a1e81 chore: bump SDK to 666231b, fix enum renames, add OAuth2 server feature flag
- Update @appwrite.io/console to 666231b
- Scopes → ProjectKeyScopes in all function/overview files
- StatusCode.MovedPermanently301/Found302/TemporaryRedirect307/PermanentRedirect308
  → MovedPermanently/Found/TemporaryRedirect/PermanentRedirect
- Add oauth2Server feature flag to flags.ts
- Wire UpdateOAuth2Server card into project settings behind oauth2-server flag
- Type-cast missing oAuth2Server fields and updateOAuth2Server method until SDK ships them
- Add Submit.ProjectUpdateOAuth2Server analytics event
2026-06-01 16:55:09 +05:30
harsh mahajan 4107a7898b feat: add OAuth2 server settings card
- New updateOAuth2Server.svelte card in project settings
- Enable/disable toggle, authorization URL, scopes, per-client token
  durations with unit selectors, PKCE enforcement
- min={1} on all duration inputs, scopes sent directly to allow clearing
- Add ProjectUpdateOAuth2Server analytics event

Note: awaiting SDK with updateOAuth2Server method and correct enum names
2026-06-01 16:24:12 +05:30
harsh mahajan e826ec65a1 fix: correct enum renames and Models namespace after SDK bump to 81a4f24
The new SDK renamed top-level enums (Status→ProjectStatus, StatusCode→RedirectStatusCode,
Adapter→SiteAdapter, etc.) but kept Models.* names unchanged (Models.Framework,
Models.Runtime). Also removed Scopes in favour of ProjectKeyScopes.

- Models.SiteFramework → Models.Framework
- Models.FunctionRuntime → Models.Runtime
- VCSDetectionType.SiteFramework → VCSDetectionType.Framework
- VCSDetectionType.FunctionRuntime → VCSDetectionType.Runtime
- Scopes → ProjectKeyScopes in function files (enum removed from SDK)
- Fix updateScopes.svelte: restore Scopes component import, remove duplicate type alias
2026-06-01 16:24:12 +05:30
harsh mahajan d3ccd84d1e fix: always send scopes array to allow clearing all scopes 2026-06-01 16:24:12 +05:30
harsh mahajan fe3b317517 fix: rename 'Allowed scopes' label to 'Scopes' 2026-06-01 16:24:12 +05:30
harsh mahajan 3d807dd920 fix: generic success message and min=1 guard on token duration inputs 2026-06-01 16:24:12 +05:30
harsh mahajan a38bbd5b9b feat: add OAuth2 server settings card and update SDK to 81a4f24
- New updateOAuth2Server.svelte card in project settings for configuring
  the project as an OAuth2 authorization server (enabled toggle, authorization
  URL, scopes, per-client-type token durations, PKCE enforcement)
- Add ProjectUpdateOAuth2Server analytics event
- Fix enum renames introduced by SDK bump: Status→ProjectStatus,
  StatusCode→RedirectStatusCode, Adapter→SiteAdapter,
  BuildRuntime→SiteBuildRuntime, Framework→SiteFramework,
  Runtime→FunctionRuntime, Scopes→ProjectKeyScopes, Addon→OrganizationAddon
2026-06-01 16:24:12 +05:30
Harsh Mahajan f29b4bad9e Merge pull request #3074 from appwrite/chore-sdk-changes-and-ce-bump
chore: ce bump
8.4.5
2026-06-01 12:54:25 +05:30
harsh mahajan aa113a77ba unnecesary alias 2026-06-01 12:47:50 +05:30
harsh mahajan de4c56d93b format 2026-06-01 12:39:51 +05:30
harsh mahajan 5a528dda16 chore: ce bump 2026-06-01 12:37:33 +05:30
Harsh Mahajan aef6589bd9 Merge pull request #3073 from appwrite/fix-hide-granular-project-access-flag
fix: hide granular project access behind flag
8.4.4
2026-05-31 00:07:38 +05:30
harsh mahajan af52b0b829 fix: hide granular project access behind flag 2026-05-30 23:58:47 +05:30
Harsh Mahajan 2a06f57a55 Merge pull request #3072 from appwrite/fix-auth-securiy
Fix auth securiy
8.4.3
2026-05-30 23:40:17 +05:30
harsh mahajan 369e8842a3 fix:auth security 2026-05-30 23:13:11 +05:30
Harsh Mahajan 2ebf49fa46 Merge pull request #3069 from appwrite/fix-build-triggers-docs-link
fix: add docs link to build triggers card for functions and sites
8.4.2
2026-05-29 19:29:28 +05:30
harsh mahajan 5bcd245515 fix: add docs link to build triggers card for functions and sites
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-29 19:20:58 +05:30
Harsh Mahajan 80beffefd1 Merge pull request #3068 from appwrite/feat-ser542-searchable-project-selector
Feat: searchable project selector
8.4.1
2026-05-29 16:00:25 +05:30
harsh mahajan 26026dd254 perf: prefetch project list on component mount to eliminate dropdown delay
The project list was only fetched after a row appeared, causing a
~1 second blank dropdown. Now the API call fires the instant the
ProjectAccessSelector mounts (when the user switches to "Specific
projects"), so data is ready or in-flight before any interaction.

All rows share a single Promise for unfiltered loads via prefetchPromise;
typed searches still hit the API individually. The generation-counter
race guard still applies so concurrent awaits can't overwrite each other.
2026-05-29 15:28:28 +05:30
harsh mahajan f113c4b81c fix: guard async race and pre-load options for existing project rows
Two bugs in the project access selector:

1. Race condition: loadProjects had no cancellation guard. Two in-flight
   requests for the same row (e.g. rapid typing) could resolve out of
   order, leaving stale results visible. Added a per-row generation
   counter — responses are discarded if a newer request has been
   dispatched since they were started.

2. Edit-mode UUIDs: when the edit modal opens with a member's existing
   project-specific roles, rowOptions starts empty so Input.ComboBox
   falls back to displaying the raw projectId. A $effect now eagerly
   calls loadProjects for any row that has a projectId but no loaded
   options, resolving the label as soon as the dropdown mounts.
2026-05-29 15:24:23 +05:30
harsh mahajan 99b16bc425 fix: invalidate sibling row option caches on project selection/removal
When a project was selected in one row, other rows' cached option lists
still included it, allowing duplicate project assignments. Two places
needed cache busting:

- `onProjectSelected(i)`: clears options for all rows except the one
  that just made a selection; they reload fresh (with takenIds applied)
  on next focus.
- `removeRow(i)`: clears all sibling caches after removal so the
  freed-up project reappears in other rows' dropdowns on next open.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-05-29 15:17:52 +05:30
harsh mahajan ff267910ad format 2026-05-29 15:11:19 +05:30
harsh mahajan fb13353a67 fix: prevent layout shift when ComboBox dropdown opens inside modal
Two root causes of the shift were identified and fixed:

1. Melt UI's `usePopper` applies `position: absolute` to the dropdown
   via floating-ui after a `tick()` delay. During that one frame the
   `ul` was briefly in normal document flow, momentarily growing the
   `<dialog>` element and causing a reflow. Pre-setting
   `[data-melt-combobox-menu] { position: absolute }` in base.css
   removes the element from flow immediately at mount.

2. Melt UI's ComboBox has `preventScroll: true` by default. On open it
   calls `removeScroll()` which sets `body.overflow: hidden` and adds
   compensatory `padding-right` for the scrollbar width — a body
   reflow that shifts the dialog. Pre-setting `data-melt-scroll-lock`
   on the body in `modal.svelte` tells Melt UI the lock is already
   active so it returns early without touching the body.

Also fix `on:search` on `Input.ComboBox` (which the component never
dispatches) by replacing it with native `oninput`/`onfocusin` handlers
on the wrapper `<div>`, so typed text actually triggers debounced
server-side project search. Projects are now ordered newest-first
(`Query.orderDesc('')`) matching the org projects page.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-05-29 15:07:54 +05:30
harsh mahajan 3b15be9786 feat: replace static project list with searchable API-backed ComboBox
The project selector previously loaded up to 100 projects upfront,
silently truncating orgs with more. Replace InputSelect with
Input.ComboBox per row — each row fetches the first 25 projects on
open, then debounces API search as the user types. Already-selected
projects are filtered from each row's results. Removes the orgProjects
prefetch from createMember entirely; edit modal no longer needs a
projects prop.
2026-05-29 14:41:16 +05:30
Harsh Mahajan ce9e5967d5 Merge pull request #3066 from appwrite/feat-ser542-granular-project-access
feat: granular project access for org members
8.4.0
2026-05-29 14:05:36 +05:30
harsh mahajan dc9eda4f46 fix: skip membership lookup for owners and guard zero-project fetch loop
- Skip the extra listMemberships call for org owners (they always see
  all projects), avoiding unnecessary latency on every org page load
- Simplify projectScopeQueries type from ReturnType<typeof Query.equal>[]
  to string[]
- Track hasFetchedProjects in createMember to prevent Svelte 5 reactivity
  from re-triggering the listProjects fetch when the org has zero projects
  (assigning a new [] reference would re-run the effect indefinitely)
2026-05-29 13:56:18 +05:30
harsh mahajan 0f24232144 format 2026-05-29 13:49:45 +05:30
harsh mahajan a4062d7c77 fix: constrain overflow tooltip width and wrap long project names
Apply BODY_TOOLTIP_MAX_WIDTH and BODY_TOOLTIP_WRAPPER_STYLE to the
+N project roles tooltip so content stays inside bounds and long
project names wrap instead of overflowing.
2026-05-29 13:45:38 +05:30
harsh mahajan 2b87920286 fix: show overflow project roles in tooltip on +N badge
Members with multiple project-specific roles show the first role badge
inline. Hovering the '+N' badge reveals a tooltip listing all remaining
project roles, keeping the table clean while preserving discoverability.
2026-05-29 13:40:52 +05:30
harsh mahajan b51551ba0f fix: truncate multiple project role badges with +N overflow
Instead of wrapping all project-specific role badges in the members
table cell, show only the first badge and a compact '+N' badge for
the remainder — matching the overflow pattern used in tables DB.
2026-05-29 13:38:27 +05:30
harsh mahajan 33c6729a2a fix: guard against null orgProjects in members table badge renderer
When listProjects fails, orgProjects is null. The optional chain on
.projects alone leaves .find() called on undefined, crashing the
table render. Add ?. before .find() to handle this safely.
2026-05-29 12:59:15 +05:30
harsh mahajan f351d44412 fix: scope project list using raw membership roles
getScopes without projectId collapses project-specific roles to
org-level scopes, so we query the membership directly to get the real
roles (e.g. project-{id}-developer). Members with project-specific
roles only see the projects they have explicit access to.
2026-05-29 12:50:03 +05:30
harsh mahajan 58c538e61f feat: scope org project list to user's project-specific roles
Members with project-specific roles (project-{id}-{role}) now only see
the projects they have explicit access to on the org overview page.
Org-level roles (owner, developer, etc.) continue to see all projects.
2026-05-29 12:45:01 +05:30
harsh mahajan f2efc378db fix: revert client-side filtering, trust backend project scoping
listProjects already returns only the projects a user has access to
based on their org/project roles. Client-side filtering was wrong.
Keep graceful degradation on listPlatforms so a flaky call can't
crash the entire org page.
2026-05-29 12:42:10 +05:30
harsh mahajan 88763df760 fix: correctly paginate after filtering inaccessible projects
Fetch all projects in one call (up to 100) before filtering, then
paginate client-side. This ensures the total count and page numbers
reflect only the projects the user can actually access, avoiding the
broken pagination that occurred when filtering server-paginated results.
2026-05-29 12:37:39 +05:30
harsh mahajan 6c75071100 fix: redirect to org instead of 404 for inaccessible projects
Restore graceful "No apps" degradation on org overview so pagination
stays correct. Add a try/catch around project.get() in the project
layout so clicking an inaccessible project card redirects back to the
org page rather than rendering a 404 error screen.
2026-05-29 12:34:35 +05:30
harsh mahajan 07d8c66c3a fix: hide inaccessible projects from org overview
Projects whose platform API call fails (inaccessible/deleted on backend)
are now filtered out of the org projects list instead of shown as broken
cards. Also corrects the displayed total to match the visible count.
2026-05-29 12:32:09 +05:30