fix(channel): enforce read-only for members and polish chat info

- block send/forward in channels for member role on backend - expose my_role in chat payload for client-side permissions - hide message composer for channel members and show read-only notice - hide members management sections for private/saved chats in info panel - return enriched chat detail via serialize_chat_for_user
2026-03-08 02:07:37 +03:00
parent e6a271f8be
commit afeb0acbe7
7 changed files with 109 additions and 50 deletions
--- a/app/messages/service.py
+++ b/app/messages/service.py
@@ -14,6 +14,14 @@ from app.notifications.service import dispatch_message_notifications

 async def create_chat_message(db: AsyncSession, *, sender_id: int, payload: MessageCreateRequest) -> Message:
    await ensure_chat_membership(db, chat_id=payload.chat_id, user_id=sender_id)
+    chat = await chats_repository.get_chat_by_id(db, payload.chat_id)
+    if not chat:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Chat not found")
+    membership = await chats_repository.get_chat_member(db, chat_id=payload.chat_id, user_id=sender_id)
+    if not membership:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="You are not a member of this chat")
+    if chat.type == ChatType.CHANNEL and membership.role == ChatMemberRole.MEMBER:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Only admins can post in channels")
    if payload.reply_to_message_id is not None:
        reply_to = await repository.get_message_by_id(db, payload.reply_to_message_id)
        if not reply_to or reply_to.chat_id != payload.chat_id:
@@ -229,6 +237,14 @@ async def forward_message(
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Source message not found")
    await ensure_chat_membership(db, chat_id=source.chat_id, user_id=sender_id)
    await ensure_chat_membership(db, chat_id=payload.target_chat_id, user_id=sender_id)
+    target_chat = await chats_repository.get_chat_by_id(db, payload.target_chat_id)
+    if not target_chat:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Chat not found")
+    target_membership = await chats_repository.get_chat_member(db, chat_id=payload.target_chat_id, user_id=sender_id)
+    if not target_membership:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="You are not a member of this chat")
+    if target_chat.type == ChatType.CHANNEL and target_membership.role == ChatMemberRole.MEMBER:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Only admins can post in channels")
    forwarded = await repository.create_message(
        db,
        chat_id=payload.target_chat_id,