feat(api): let invited collaborators see private tracks they're on#945
Merged
Conversation
A collaborator (pending or accepted) couldn't see an unlisted track they were invited to outside the single-track endpoint (which sets IncludeUnlisted), so a private collaboration never showed on their profile/feeds. - get_tracks.sql: an unlisted track is also visible to a user who is an active (pending/accepted, not rejected) collaborator on it. Scoped to collaborator_user_id = @my_id, so it never leaks to other viewers. The EXISTS only evaluates for unlisted tracks (the OR short-circuits public ones) and only for the already-bounded @ids set, indexed by the track_collaborators PK. - v1_users_tracks.go: surface a user's own unlisted accepted collaborations on their own profile (guarded by @my_id = @user_id); hidden from everyone else. Tested: collaborator sees the private track, non-collaborator and rejected collaborator do not. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to the collaborative-tracks feature: a collaborator can now see a private (unlisted) track they've been invited to, so the feature works end-to-end on private tracks (their profile, feeds, etc.).
Background
The single-track endpoint already sets
IncludeUnlisted: true, so the track page and the invite notification'suseTrackalready loaded an unlisted track. But the profile and otherget_trackspaths don't set that flag, so a private collaboration was hidden from the collaborator everywhere except the direct track link.Changes
get_tracks.sql— an unlisted track is also visible to a user who is an active collaborator on it (status IN ('pending','accepted')). Pending is included so an invited collaborator can view the track to decide. Scoped tocollaborator_user_id = @my_id, so it never leaks to other viewers.v1_users_tracks.go— surface a user's own unlisted accepted collaborations on their own profile (guarded by@my_id = @user_id); hidden from everyone else.Safety / performance
get_tracksEXISTSonly runs for unlisted tracks (theORshort-circuits public ones) and only over the already-bounded@idsset, served by thetrack_collaboratorsPK — not the kind of unbounded scan that bit feat(api): collaborative tracks — notifications, embed, profile + dashboard merge #932.Tests
TestCollaboratorSeesPrivateTrack: a pending collaborator sees the private track; a non-collaborator (user 2) does not; a rejected collaborator does not. Existing collaborator + user-tracks suites still pass.🤖 Generated with Claude Code