feat: admin/owner role management on group page (#912)

* feat: add endpoint for managing member admin/owner roles

Add PATCH /api/groups/:groupId/members/:userId/role endpoint that allows
admins to grant admin privileges and owners to revoke admin or transfer
ownership. Uses existing GroupService.updateGroup for persistence.

* feat: add role management UI to group member list

Add dropdown menu per member in the signing status sidebar allowing
admins to grant admin privileges and owners to revoke admin or transfer
ownership. Controls are only visible to users with appropriate permissions.

* fix: allow admins to remove admin, show members without charter

- Remove admin button now visible to all admins, not just owners
- Backend allows admins to revoke admin privileges from other admins
- Members list renders on group page even when no charter exists
- Hide signing status indicators when no charter is present

* fix: replace lock-based webhook rejection with timestamp check for chats

Instead of blindly rejecting chat webhooks when the ID is locked,
compare updatedAt timestamps and accept the update if the incoming
data is more recent than what we have locally.

Author: coodos

platforms/blabsy/api/src/controllers/WebhookController.ts

@@ -94,40 +94,47 @@ export class WebhookController {
                 axios.post(new URL("blabsy", process.env.ANCHR_URL).toString(), req.body)
             }
 
-            // Early duplicate check
-            if (adapter.lockedIds.includes(id)) {
+            const mapping = Object.values(adapter.mapping).find(
+                (m) => m.schemaId === schemaId,
+            );
+            if (!mapping) throw new Error();
+            const tableName = mapping.tableName + "s";
+
+            // For chats, skip the lock check and use timestamp comparison instead
+            const isChatData = tableName === "chats";
+
+            if (!isChatData && adapter.lockedIds.includes(id)) {
                 console.log(`Webhook skipped - ID ${id} already locked`);
                 return res.status(200).json({ success: true, skipped: true });
             }
 
             console.log(`Processing webhook for ID: ${id}`);
-            
-            // Lock the global ID immediately to prevent duplicates
-            adapter.addToLockedIds(id);
 
-            const mapping = Object.values(adapter.mapping).find(
-                (m) => m.schemaId === schemaId,
-            );
-            if (!mapping) throw new Error();
-            const tableName = mapping.tableName + "s";
+            // Lock the global ID immediately to prevent duplicates (non-chat)
+            if (!isChatData) {
+                adapter.addToLockedIds(id);
+            }
 
             const local = await adapter.fromGlobal({ data, mapping });
 
-            console.log("Webhook data received:", { 
-                globalId: id, 
-                tableName, 
+            console.log("Webhook data received:", {
+                globalId: id,
+                tableName,
                 hasEname: !!local.data.ename,
-                ename: local.data.ename 
+                ename: local.data.ename
             });
-            
+
             // Get the local ID from the mapping database
             const localId = await adapter.mappingDb.getLocalId(id);
 
             if (localId) {
                 console.log(`LOCAL, updating - ID: ${id}, LocalID: ${localId}`);
-                // Lock local ID early to prevent duplicate processing
-                adapter.addToLockedIds(localId);
-                await this.updateRecord(tableName, localId, local.data);
+                if (isChatData) {
+                    await this.updateChatIfNewer(localId, local.data);
+                } else {
+                    adapter.addToLockedIds(localId);
+                    await this.updateRecord(tableName, localId, local.data);
+                }
             } else {
                 console.log(`NOT LOCAL, creating - ID: ${id}`);
                 await this.createRecord(tableName, local.data, req.body.id);
@@ -252,6 +259,33 @@ export class WebhookController {
         const mappedData = await this.mapDataToFirebase(tableName, data);
         await docRef.update(mappedData);
     }
+
+    private async updateChatIfNewer(localId: string, data: any) {
+        const docRef = this.db.collection("chats").doc(localId);
+        const docSnapshot = await docRef.get();
+
+        if (!docSnapshot.exists) {
+            console.warn(`Chat document '${localId}' does not exist. Skipping update.`);
+            return;
+        }
+
+        const existing = docSnapshot.data();
+        const mappedData = this.mapChatData(data, Timestamp.now());
+
+        // Compare updatedAt timestamps - accept if incoming is more recent
+        const existingUpdatedAt = existing?.updatedAt?.toMillis?.() ?? 0;
+        const incomingUpdatedAt = mappedData.updatedAt?.toMillis?.() ?? 0;
+
+        if (incomingUpdatedAt < existingUpdatedAt) {
+            console.log(`Chat ${localId} webhook skipped - local data is more recent (local: ${existingUpdatedAt}, incoming: ${incomingUpdatedAt})`);
+            return;
+        }
+
+        adapter.addToLockedIds(localId);
+        await docRef.update(mappedData);
+        console.log(`Chat ${localId} updated via webhook (timestamp check passed)`);
+    }
+
     private mapDataToFirebase(tableName: string, data: any): any {
         const now = Timestamp.now();
         console.log("MAPPING DATA TO ", tableName);

platforms/group-charter-manager/api/src/controllers/GroupController.ts

@@ -338,6 +338,74 @@ export class GroupController {
         }
     }
 
+    async updateMemberRole(req: Request, res: Response) {
+        try {
+            const { groupId, userId: targetUserId } = req.params;
+            const requestingUserId = (req as any).user?.id;
+
+            if (!requestingUserId) {
+                return res.status(401).json({ error: "Unauthorized" });
+            }
+
+            const { role } = req.body;
+            if (!["admin", "member", "owner"].includes(role)) {
+                return res.status(400).json({ error: "Invalid role. Must be 'admin', 'member', or 'owner'" });
+            }
+
+            const group = await this.groupService.getGroupById(groupId);
+            if (!group) {
+                return res.status(404).json({ error: "Group not found" });
+            }
+
+            // Verify target user is a participant
+            if (!group.participants.some(p => p.id === targetUserId)) {
+                return res.status(400).json({ error: "User is not a participant in this group" });
+            }
+
+            const isOwner = group.owner === requestingUserId;
+            const isAdmin = group.admins?.includes(requestingUserId);
+
+            if (!isOwner && !isAdmin) {
+                return res.status(403).json({ error: "Access denied" });
+            }
+
+            const currentAdmins = group.admins || [];
+
+            if (role === "admin") {
+                // Grant admin - admins and owners can do this
+                if (currentAdmins.includes(targetUserId)) {
+                    return res.status(400).json({ error: "User is already an admin" });
+                }
+                const newAdmins = [...currentAdmins, targetUserId];
+                await this.groupService.updateGroup(groupId, { admins: newAdmins } as any);
+            } else if (role === "member") {
+                // Remove admin - admins and owners can do this
+                if (targetUserId === group.owner) {
+                    return res.status(400).json({ error: "Cannot demote the owner" });
+                }
+                const newAdmins = currentAdmins.filter(id => id !== targetUserId);
+                await this.groupService.updateGroup(groupId, { admins: newAdmins } as any);
+            } else if (role === "owner") {
+                // Transfer ownership - only owner can do this
+                if (!isOwner) {
+                    return res.status(403).json({ error: "Only the owner can transfer ownership" });
+                }
+                // Old owner becomes admin, new owner gets added to admins if not already
+                let newAdmins = currentAdmins.includes(requestingUserId) ? [...currentAdmins] : [...currentAdmins, requestingUserId];
+                if (!newAdmins.includes(targetUserId)) {
+                    newAdmins.push(targetUserId);
+                }
+                await this.groupService.updateGroup(groupId, { owner: targetUserId, admins: newAdmins } as any);
+            }
+
+            const updatedGroup = await this.groupService.getGroupById(groupId);
+            res.json(updatedGroup);
+        } catch (error) {
+            console.error("Error updating member role:", error);
+            res.status(500).json({ error: "Internal server error" });
+        }
+    }
+
     async getCharterSigningStatus(req: Request, res: Response) {
         try {
             const { id } = req.params;

platforms/group-charter-manager/api/src/index.ts

@@ -157,6 +157,7 @@ app.get("/api/signing/sessions/:sessionId", authGuard, (req, res) => {
 app.get("/api/groups/:groupId", authGuard, groupController.getGroup.bind(groupController));
 app.post("/api/groups/:groupId/participants", authGuard, groupController.addParticipants.bind(groupController));
 app.delete("/api/groups/:groupId/participants/:userId", authGuard, groupController.removeParticipant.bind(groupController));
+app.patch("/api/groups/:groupId/members/:userId/role", authGuard, groupController.updateMemberRole.bind(groupController));
 
 // Start server
 app.listen(port, () => {

platforms/group-charter-manager/client/src/app/charter/[id]/page.tsx

@@ -419,12 +419,13 @@ export default function CharterDetail({
                     )}
 
                     {/* Charter Signing Status */}
-                    {group.charter && (
-                        <CharterSigningStatus
-                            groupId={group.id}
-                            charterContent={group.charter}
-                        />
-                    )}
+                    <CharterSigningStatus
+                        groupId={group.id}
+                        charterContent={group.charter || ""}
+                        currentUserId={user?.id}
+                        currentUserIsAdmin={group.admins?.includes(user?.id || '') || false}
+                        currentUserIsOwner={group.owner === user?.id}
+                    />
                 </div>
             </div>
 

platforms/group-charter-manager/client/src/components/charter-signing-status.tsx

@@ -1,15 +1,25 @@
 "use client";
 
 import { useState, useEffect } from "react";
-import { CheckCircle, Circle, AlertTriangle } from "lucide-react";
+import { CheckCircle, Circle, AlertTriangle, MoreVertical, Shield, ShieldOff, Crown } from "lucide-react";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu";
 import { apiClient } from "@/lib/apiClient";
 import { useToast } from "@/hooks/use-toast";
 
 interface CharterSigningStatusProps {
     groupId: string;
     charterContent: string;
+    currentUserId?: string;
+    currentUserIsAdmin?: boolean;
+    currentUserIsOwner?: boolean;
 }
 
 interface Participant {
@@ -28,7 +38,7 @@ interface SigningStatus {
     isSigned: boolean;
 }
 
-export function CharterSigningStatus({ groupId, charterContent }: CharterSigningStatusProps) {
+export function CharterSigningStatus({ groupId, charterContent, currentUserId, currentUserIsAdmin, currentUserIsOwner }: CharterSigningStatusProps) {
     const [signingStatus, setSigningStatus] = useState<SigningStatus | null>(null);
     const [loading, setLoading] = useState(true);
     const { toast } = useToast();
@@ -54,6 +64,28 @@ export function CharterSigningStatus({ groupId, charterContent }: CharterSigning
         }
     };
 
+    const handleRoleChange = async (targetUserId: string, newRole: "admin" | "member" | "owner") => {
+        if (newRole === "owner" && !window.confirm("Are you sure you want to transfer ownership? This cannot be undone.")) {
+            return;
+        }
+        try {
+            await apiClient.patch(`/api/groups/${groupId}/members/${targetUserId}/role`, { role: newRole });
+            toast({
+                title: "Success",
+                description: newRole === "admin" ? "Admin privileges granted" : newRole === "member" ? "Admin privileges removed" : "Ownership transferred",
+            });
+            fetchSigningStatus();
+        } catch (error: any) {
+            toast({
+                title: "Error",
+                description: error.response?.data?.error || "Failed to update role",
+                variant: "destructive",
+            });
+        }
+    };
+
+    const canManageRoles = currentUserIsAdmin || currentUserIsOwner;
+
 
 
     if (loading) {
@@ -102,22 +134,25 @@ export function CharterSigningStatus({ groupId, charterContent }: CharterSigning
                                 className="flex items-center justify-between p-3 bg-gray-50 rounded-lg"
                             >
                                 <div className="flex items-center gap-3">
-                                    {participant.hasSigned ? (
-                                        <CheckCircle className="h-5 w-5 text-green-600" />
-                                    ) : (
-                                        <Circle className="h-5 w-5 text-gray-400" />
-                                    )}
+                                    {charterContent ? (
+                                        participant.hasSigned ? (
+                                            <CheckCircle className="h-5 w-5 text-green-600" />
+                                        ) : (
+                                            <Circle className="h-5 w-5 text-gray-400" />
+                                        )
+                                    ) : null}
                                     <div>
                                         <p className="font-medium text-sm">
                                             {participant.name || participant.ename || 'Unknown User'}
                                         </p>
-                                        <p className="text-xs text-gray-500">
-                                            {participant.hasSigned ? 'Signed' : 'Not signed yet'}
-                                        </p>
+                                        {charterContent && (
+                                            <p className="text-xs text-gray-500">
+                                                {participant.hasSigned ? 'Signed' : 'Not signed yet'}
+                                            </p>
+                                        )}
                                     </div>
                                 </div>
                                 <div className="flex items-center gap-2">
-                                    {/* Show admin role if applicable */}
                                     {participant.isAdmin && (
                                         <Badge variant="secondary" className="text-xs">
                                             Admin
@@ -128,6 +163,35 @@ export function CharterSigningStatus({ groupId, charterContent }: CharterSigning
                                             Owner
                                         </Badge>
                                     )}
+                                    {canManageRoles && participant.id !== currentUserId && (
+                                        <DropdownMenu>
+                                            <DropdownMenuTrigger asChild>
+                                                <Button variant="ghost" size="icon" className="h-7 w-7">
+                                                    <MoreVertical className="h-4 w-4" />
+                                                </Button>
+                                            </DropdownMenuTrigger>
+                                            <DropdownMenuContent align="end">
+                                                {!participant.isAdmin && !participant.isOwner && (
+                                                    <DropdownMenuItem onClick={() => handleRoleChange(participant.id, "admin")}>
+                                                        <Shield className="mr-2 h-4 w-4" />
+                                                        Make Admin
+                                                    </DropdownMenuItem>
+                                                )}
+                                                {participant.isAdmin && !participant.isOwner && (
+                                                    <DropdownMenuItem onClick={() => handleRoleChange(participant.id, "member")}>
+                                                        <ShieldOff className="mr-2 h-4 w-4" />
+                                                        Remove Admin
+                                                    </DropdownMenuItem>
+                                                )}
+                                                {!participant.isOwner && currentUserIsOwner && (
+                                                    <DropdownMenuItem className="text-amber-600" onClick={() => handleRoleChange(participant.id, "owner")}>
+                                                        <Crown className="mr-2 h-4 w-4" />
+                                                        Transfer Ownership
+                                                    </DropdownMenuItem>
+                                                )}
+                                            </DropdownMenuContent>
+                                        </DropdownMenu>
+                                    )}
                                 </div>
                             </div>
                         ))}