fastapi
diff --git a/‎backend/app/alembic/versions/2025110301_add_project_access_table.py‎
Lines changed: 51 additions & 0 deletions b/‎backend/app/alembic/versions/2025110301_add_project_access_table.py‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎backend/app/alembic/versions/2025110302_add_organization_invitation_table.py‎
Lines changed: 36 additions & 0 deletions b/‎backend/app/alembic/versions/2025110302_add_organization_invitation_table.py‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎backend/app/api/main.py‎
Lines changed: 4 additions & 1 deletion b/‎backend/app/api/main.py‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎backend/app/api/routes/galleries.py‎
Lines changed: 97 additions & 23 deletions b/‎backend/app/api/routes/galleries.py‎
Lines changed: 97 additions & 23 deletions
diff --git a/‎backend/app/api/routes/invitations.py‎
Lines changed: 105 additions & 0 deletions b/‎backend/app/api/routes/invitations.py‎
Lines changed: 105 additions & 0 deletions
@@ -0,0 +1,51 @@
+"""Add project_access table for client invitations
+
+Revision ID: 2025110301
+Revises: 2025110201
+Create Date: 2025-11-03 00:00:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel.sql.sqltypes
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = '2025110301'
+down_revision = '2025110201'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Create project_access table
+    op.create_table(
+        'projectaccess',
+        sa.Column('id', sa.UUID(), nullable=False),
+        sa.Column('role', sqlmodel.sql.sqltypes.AutoString(length=50), nullable=False, server_default='viewer'),
+        sa.Column('can_comment', sa.Boolean(), nullable=False, server_default='true'),
+        sa.Column('can_download', sa.Boolean(), nullable=False, server_default='true'),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('project_id', sa.UUID(), nullable=False),
+        sa.Column('user_id', sa.UUID(), nullable=False),
+        sa.ForeignKeyConstraint(['project_id'], ['project.id'], ondelete='CASCADE'),
+        sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='CASCADE'),
+        sa.PrimaryKeyConstraint('id')
+    )
+    
+    # Create index for faster lookups
+    op.create_index('ix_projectaccess_project_id', 'projectaccess', ['project_id'])
+    op.create_index('ix_projectaccess_user_id', 'projectaccess', ['user_id'])
+    
+    # Create unique constraint to prevent duplicate access entries
+    op.create_unique_constraint('uq_projectaccess_project_user', 'projectaccess', ['project_id', 'user_id'])
+
+
+def downgrade():
+    # Drop indexes
+    op.drop_index('ix_projectaccess_user_id', 'projectaccess')
+    op.drop_index('ix_projectaccess_project_id', 'projectaccess')
+    
+    # Drop table
+    op.drop_table('projectaccess')
+
@@ -0,0 +1,36 @@
+"""add organization invitation table
+
+Revision ID: 2025110302
+Revises: 2025110301
+Create Date: 2025-11-03
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = '2025110302'
+down_revision = '2025110301'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        'organizationinvitation',
+        sa.Column('email', sqlmodel.sql.sqltypes.AutoString(length=255), nullable=False),
+        sa.Column('id', sa.Uuid(), nullable=False),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('organization_id', sa.Uuid(), nullable=False),
+        sa.ForeignKeyConstraint(['organization_id'], ['organization.id'], ondelete='CASCADE'),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_organizationinvitation_email'), 'organizationinvitation', ['email'], unique=False)
+
+
+def downgrade():
+    op.drop_index(op.f('ix_organizationinvitation_email'), table_name='organizationinvitation')
+    op.drop_table('organizationinvitation')
+
@@ -1,14 +1,17 @@
 from fastapi import APIRouter
 
-from app.api.routes import galleries, items, login, private, projects, users, utils
+from app.api.routes import galleries, invitations, items, login, organizations, private, project_access, projects, users, utils
 from app.core.config import settings
 
 api_router = APIRouter()
 api_router.include_router(login.router)
 api_router.include_router(users.router)
 api_router.include_router(utils.router)
 api_router.include_router(items.router)
+api_router.include_router(organizations.router, prefix="/organizations", tags=["organizations"])
 api_router.include_router(projects.router, prefix="/projects", tags=["projects"])
+api_router.include_router(project_access.router, prefix="/projects", tags=["project-access"])
+api_router.include_router(invitations.router, prefix="/invitations", tags=["invitations"])
 api_router.include_router(galleries.router, prefix="/galleries", tags=["galleries"])
 
 
 
@@ -26,33 +26,71 @@ def read_galleries(
 ) -> Any:
     """
     Retrieve galleries. If project_id is provided, get galleries for that project.
-    Otherwise, get all galleries for the user's organization.
+    Otherwise, get all galleries based on user type:
+    - Team members: all galleries from their organization
+    - Clients: galleries from projects they have access to
     """
-    if not current_user.organization_id:
-        raise HTTPException(
-            status_code=400, detail="User is not part of an organization"
-        )
+    user_type = getattr(current_user, "user_type", None)
 
     if project_id:
-        # Verify project belongs to user's organization
+        # Verify user has access to this project
         project = crud.get_project(session=session, project_id=project_id)
-        if not project or project.organization_id != current_user.organization_id:
-            raise HTTPException(status_code=403, detail="Not enough permissions")
+        if not project:
+            raise HTTPException(status_code=404, detail="Project not found")
+        
+        # Check access based on user type
+        if user_type == "client":
+            # Client must have explicit access
+            if not crud.user_has_project_access(
+                session=session, project_id=project_id, user_id=current_user.id
+            ):
+                raise HTTPException(status_code=403, detail="Not enough permissions")
+        else:
+            # Team member must be in same organization
+            if not current_user.organization_id or project.organization_id != current_user.organization_id:
+                raise HTTPException(status_code=403, detail="Not enough permissions")
 
         galleries = crud.get_galleries_by_project(
             session=session, project_id=project_id, skip=skip, limit=limit
         )
         count = len(galleries)  # Simple count for project galleries
     else:
-        galleries = crud.get_galleries_by_organization(
-            session=session,
-            organization_id=current_user.organization_id,
-            skip=skip,
-            limit=limit,
-        )
-        count = crud.count_galleries_by_organization(
-            session=session, organization_id=current_user.organization_id
-        )
+        # No specific project - list all accessible galleries
+        if user_type == "client":
+            # Get galleries from all projects the client has access to
+            accessible_projects = crud.get_user_accessible_projects(
+                session=session, user_id=current_user.id, skip=0, limit=1000
+            )
+            project_ids = [p.id for p in accessible_projects]
+            
+            # Get galleries for all accessible projects
+            galleries = []
+            for pid in project_ids[skip:skip+limit]:
+                project_galleries = crud.get_galleries_by_project(
+                    session=session, project_id=pid, skip=0, limit=100
+                )
+                galleries.extend(project_galleries)
+            
+            count = sum(
+                len(crud.get_galleries_by_project(session=session, project_id=pid, skip=0, limit=1000))
+                for pid in project_ids
+            )
+        else:
+            # Team member - get all galleries from organization
+            if not current_user.organization_id:
+                raise HTTPException(
+                    status_code=400, detail="User is not part of an organization"
+                )
+            
+            galleries = crud.get_galleries_by_organization(
+                session=session,
+                organization_id=current_user.organization_id,
+                skip=skip,
+                limit=limit,
+            )
+            count = crud.count_galleries_by_organization(
+                session=session, organization_id=current_user.organization_id
+            )
 
     return GalleriesPublic(data=galleries, count=count)
 
@@ -62,8 +100,16 @@ def create_gallery(
     *, session: SessionDep, current_user: CurrentUser, gallery_in: GalleryCreate
 ) -> Any:
     """
-    Create new gallery.
+    Create new gallery. Only team members can create galleries.
     """
+    user_type = getattr(current_user, "user_type", None)
+    
+    # Only team members can create galleries
+    if user_type != "team_member":
+        raise HTTPException(
+            status_code=403, detail="Only team members can create galleries"
+        )
+    
     if not current_user.organization_id:
         raise HTTPException(
             status_code=400, detail="User is not part of an organization"
@@ -87,10 +133,22 @@ def read_gallery(session: SessionDep, current_user: CurrentUser, id: uuid.UUID)
     if not gallery:
         raise HTTPException(status_code=404, detail="Gallery not found")
 
-    # Check if gallery's project belongs to user's organization
+    # Check access based on user type
+    user_type = getattr(current_user, "user_type", None)
     project = crud.get_project(session=session, project_id=gallery.project_id)
-    if not project or project.organization_id != current_user.organization_id:
-        raise HTTPException(status_code=403, detail="Not enough permissions")
+    if not project:
+        raise HTTPException(status_code=404, detail="Project not found")
+    
+    if user_type == "client":
+        # Client must have access to the project
+        if not crud.user_has_project_access(
+            session=session, project_id=project.id, user_id=current_user.id
+        ):
+            raise HTTPException(status_code=403, detail="Not enough permissions")
+    else:
+        # Team member must be in same organization
+        if not current_user.organization_id or project.organization_id != current_user.organization_id:
+            raise HTTPException(status_code=403, detail="Not enough permissions")
 
     return gallery
 
@@ -104,8 +162,16 @@ def update_gallery(
     gallery_in: GalleryUpdate,
 ) -> Any:
     """
-    Update a gallery.
+    Update a gallery. Only team members can update galleries.
     """
+    user_type = getattr(current_user, "user_type", None)
+    
+    # Only team members can update galleries
+    if user_type != "team_member":
+        raise HTTPException(
+            status_code=403, detail="Only team members can update galleries"
+        )
+    
     gallery = crud.get_gallery(session=session, gallery_id=id)
     if not gallery:
         raise HTTPException(status_code=404, detail="Gallery not found")
@@ -126,8 +192,16 @@ def delete_gallery(
     session: SessionDep, current_user: CurrentUser, id: uuid.UUID
 ) -> Message:
     """
-    Delete a gallery.
+    Delete a gallery. Only team members can delete galleries.
     """
+    user_type = getattr(current_user, "user_type", None)
+    
+    # Only team members can delete galleries
+    if user_type != "team_member":
+        raise HTTPException(
+            status_code=403, detail="Only team members can delete galleries"
+        )
+    
     gallery = crud.get_gallery(session=session, gallery_id=id)
     if not gallery:
         raise HTTPException(status_code=404, detail="Gallery not found")
 
@@ -0,0 +1,105 @@
+import uuid
+from typing import Any
+
+from fastapi import APIRouter, HTTPException
+from sqlmodel import func, select
+
+from app.api.deps import CurrentUser, SessionDep
+from app.models import (
+    OrganizationInvitation,
+    OrganizationInvitationCreate,
+    OrganizationInvitationPublic,
+    OrganizationInvitationsPublic,
+)
+
+router = APIRouter()
+
+
+@router.post("/", response_model=OrganizationInvitationPublic)
+def create_invitation(
+    *,
+    session: SessionDep,
+    current_user: CurrentUser,
+    invitation_in: OrganizationInvitationCreate,
+) -> Any:
+    """
+    Create an organization invitation.
+    Team members can invite people to their organization.
+    """
+    if not current_user.organization_id:
+        raise HTTPException(
+            status_code=400,
+            detail="You must be part of an organization to invite others",
+        )
+
+    # Check if invitation already exists
+    statement = select(OrganizationInvitation).where(
+        OrganizationInvitation.email == invitation_in.email,
+        OrganizationInvitation.organization_id == current_user.organization_id,
+    )
+    existing = session.exec(statement).first()
+    if existing:
+        raise HTTPException(
+            status_code=400,
+            detail="An invitation has already been sent to this email",
+        )
+
+    invitation = OrganizationInvitation(
+        email=invitation_in.email,
+        organization_id=current_user.organization_id,
+    )
+    session.add(invitation)
+    session.commit()
+    session.refresh(invitation)
+    return invitation
+
+
+@router.get("/", response_model=OrganizationInvitationsPublic)
+def read_invitations(
+    session: SessionDep, current_user: CurrentUser, skip: int = 0, limit: int = 100
+) -> Any:
+    """
+    Retrieve invitations for the current user's organization.
+    """
+    if not current_user.organization_id:
+        raise HTTPException(
+            status_code=400,
+            detail="You must be part of an organization",
+        )
+
+    count_statement = (
+        select(func.count())
+        .select_from(OrganizationInvitation)
+        .where(OrganizationInvitation.organization_id == current_user.organization_id)
+    )
+    count = session.exec(count_statement).one()
+
+    statement = (
+        select(OrganizationInvitation)
+        .where(OrganizationInvitation.organization_id == current_user.organization_id)
+        .offset(skip)
+        .limit(limit)
+    )
+    invitations = session.exec(statement).all()
+
+    return OrganizationInvitationsPublic(data=invitations, count=count)
+
+
+@router.delete("/{invitation_id}")
+def delete_invitation(
+    session: SessionDep, current_user: CurrentUser, invitation_id: uuid.UUID
+) -> Any:
+    """
+    Delete an invitation.
+    """
+    invitation = session.get(OrganizationInvitation, invitation_id)
+    if not invitation:
+        raise HTTPException(status_code=404, detail="Invitation not found")
+
+    if invitation.organization_id != current_user.organization_id:
+        raise HTTPException(status_code=403, detail="Not enough permissions")
+
+    session.delete(invitation)
+    session.commit()
+    return {"message": "Invitation deleted"}
+