Merge pull request #121 from hotosm/feat/drone-dashboard

fix: Resolve issues with access control and pending tasks retrieval f…

src/backend/app/tasks/task_crud.py

@@ -205,14 +205,15 @@ async def get_requested_user_id(
 
 
 async def get_project_task_by_id(db: Database, user_id: str):
-    """Get a list of pending tasks for a specific user(project creator)."""
+    """Get a list of pending tasks created by a specific user (project creator)."""
     raw_sql = """
         SELECT t.id AS task_id, te.event_id, te.user_id, te.project_id, te.comment, te.state, te.created_at
         FROM tasks t
         LEFT JOIN task_events te ON t.id = te.task_id
-        WHERE te.user_id = :user_id
+        LEFT JOIN projects p ON te.project_id = p.id
+        WHERE p.author_id = :user_id
         AND te.state = 'REQUEST_FOR_MAPPING'
         ORDER BY t.project_task_index;
     """
-    db_tasks = await db.fetch_all(raw_sql, {"user_id": user_id})
+    db_tasks = await db.fetch_all(query=raw_sql, values={"user_id": user_id})
     return db_tasks

src/backend/app/tasks/task_routes.py

@@ -218,16 +218,15 @@ async def get_pending_tasks(
     """Get a list of pending tasks for a project creator."""
     user_id = user_data.id
     query = """SELECT role FROM user_profile WHERE user_id = :user_id"""
-    record = await db.fetch_one(query, {"user_id": user_id})
-
-    if not record:
+    records = await db.fetch_all(query, {"user_id": user_id})
+    if not records:
         raise HTTPException(status_code=404, detail="User profile not found")
 
-    if record.role != UserRole.PROJECT_CREATOR.name:
+    roles = [record["role"] for record in records]
+    if UserRole.PROJECT_CREATOR.name not in roles:
         raise HTTPException(
             status_code=403, detail="Access forbidden for non-Project Creator users"
         )
-
     pending_tasks = await task_crud.get_project_task_by_id(db, user_id)
     if pending_tasks is None:
         raise HTTPException(status_code=404, detail="Project not found")