feat(feedback): in-app user feedback with admin review and account roles
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 9s
CI / integration (pull_request) Successful in 12s
CI / ui (pull_request) Successful in 47s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m12s

User-facing Feedback screen (Settings -> Info, registered accounts only): a
message (<=1024 runes) plus one optional attachment, an anti-spam gate (one
unreviewed message at a time), and the operator's inline reply with a
Settings/Info badge. Server-rendered admin console section (/_gm/feedback):
unread/read/archived queue with per-user search, detail with read/reply/
archive/delete/delete-all, safe attachment serving (nosniff, images inline via
<img>, others download-only). Introduces account_roles, the first per-account
role table; feedback_banned blocks only feedback submission, granted/revoked
from /users and the delete-with-block action.

- migration 00004_feedback (feedback_messages + account_roles) + jetgen
- backend internal/feedback (store+service), internal/account/roles.go
- wire: FlatBuffers feedback.submit/get/unread; gateway guest gate (Op.NonGuest,
  is_guest via session resolve) -> guest_forbidden before any backend call
- reply push reuses NotificationEvent with a new admin_reply sub-kind
- UI: /feedback route + screen, attachment picker, badge, channel detection, i18n
- tests: feedback unit (Go+UI), gateway guest-gate, inttest lifecycle, e2e
- docs: PLAN stage 19, ARCHITECTURE s15, FUNCTIONAL(+ru), TESTING, READMEs
This commit is contained in:
Ilia Denisov
2026-06-15 12:23:10 +02:00
parent fc848157d6
commit 419ea11b14
75 changed files with 3638 additions and 55 deletions
@@ -69,6 +69,45 @@ func TestExecuteGuestAuthOK(t *testing.T) {
}
}
// TestExecuteGuestGate verifies the NonGuest op flag: a guest is rejected with the
// guest_forbidden result code before any backend call, while a guest may still run
// an authenticated op that is not guest-gated.
func TestExecuteGuestGate(t *testing.T) {
client, cleanup := newEdge(t, func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case "/api/v1/internal/sessions/resolve":
_, _ = w.Write([]byte(`{"user_id":"g-1","is_guest":true}`))
case "/api/v1/user/feedback/unread":
_, _ = w.Write([]byte(`{"reply_unread":false}`))
case "/api/v1/user/feedback":
t.Errorf("guest feedback.submit must not reach the backend")
default:
t.Errorf("unexpected backend path %s", r.URL.Path)
}
})
defer cleanup()
submit := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgFeedbackSubmit, RequestId: "rq-1"})
submit.Header().Set("Authorization", "Bearer tok")
resp, err := client.Execute(context.Background(), submit)
if err != nil {
t.Fatalf("execute submit: %v", err)
}
if resp.Msg.GetResultCode() != "guest_forbidden" {
t.Fatalf("submit result = %q, want guest_forbidden", resp.Msg.GetResultCode())
}
unread := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgFeedbackUnread})
unread.Header().Set("Authorization", "Bearer tok")
resp, err = client.Execute(context.Background(), unread)
if err != nil {
t.Fatalf("execute unread: %v", err)
}
if resp.Msg.GetResultCode() != "ok" {
t.Fatalf("unread result = %q, want ok", resp.Msg.GetResultCode())
}
}
func TestExecuteAuthedRequiresSession(t *testing.T) {
client, cleanup := newEdge(t, func(w http.ResponseWriter, r *http.Request) {
t.Error("backend must not be called without a session")