Coverage for mcpgateway / services / team_management_service.py: 100%

1# -*- coding: utf-8 -*- 

2"""Location: ./mcpgateway/services/team_management_service.py 

3Copyright 2025 

4SPDX-License-Identifier: Apache-2.0 

5Authors: Mihai Criveti 

6 

7Team Management Service. 

8This module provides team creation, management, and membership operations 

9for the multi-team collaboration system. 

10 

11Examples: 

12 >>> from unittest.mock import Mock 

13 >>> service = TeamManagementService(Mock()) 

14 >>> isinstance(service, TeamManagementService) 

15 True 

16 >>> hasattr(service, 'db') 

17 True 

18""" 

19 

20# Standard 

21import asyncio 

22import base64 

23from datetime import datetime, timedelta 

24from typing import Any, Dict, List, Optional, Tuple, Union 

25 

26# Third-Party 

27import orjson 

28from sqlalchemy import and_, desc, func, or_, select 

29from sqlalchemy.orm import selectinload, Session 

30 

31# First-Party 

32from mcpgateway.cache.admin_stats_cache import admin_stats_cache 

33from mcpgateway.cache.auth_cache import auth_cache 

34from mcpgateway.config import settings 

35from mcpgateway.db import EmailTeam, EmailTeamJoinRequest, EmailTeamMember, EmailTeamMemberHistory, EmailUser, utc_now 

36from mcpgateway.services.logging_service import LoggingService 

37from mcpgateway.utils.pagination import unified_paginate 

38 

39# Initialize logging 

40logging_service = LoggingService() 

41logger = logging_service.get_logger(__name__) 

42 

43 

44class TeamManagementService: 

45 """Service for team management operations. 

46 

47 This service handles team creation, membership management, 

48 role assignments, and team access control. 

49 

50 Attributes: 

51 db (Session): SQLAlchemy database session 

52 

53 Examples: 

54 >>> from unittest.mock import Mock 

55 >>> service = TeamManagementService(Mock()) 

56 >>> service.__class__.__name__ 

57 'TeamManagementService' 

58 >>> hasattr(service, 'db') 

59 True 

60 """ 

61 

62 def __init__(self, db: Session): 

63 """Initialize the team management service. 

64 

65 Args: 

66 db: SQLAlchemy database session 

67 

68 Examples: 

69 Basic initialization: 

70 >>> from mcpgateway.services.team_management_service import TeamManagementService 

71 >>> from unittest.mock import Mock 

72 >>> db_session = Mock() 

73 >>> service = TeamManagementService(db_session) 

74 >>> service.db is db_session 

75 True 

76 

77 Service attributes: 

78 >>> hasattr(service, 'db') 

79 True 

80 >>> service.__class__.__name__ 

81 'TeamManagementService' 

82 """ 

83 self.db = db 

84 

85 def _log_team_member_action(self, team_member_id: str, team_id: str, user_email: str, role: str, action: str, action_by: Optional[str]): 

86 """ 

87 Log a team member action to EmailTeamMemberHistory. 

88 

89 Args: 

90 team_member_id: ID of the EmailTeamMember 

91 team_id: Team ID 

92 user_email: Email of the affected user 

93 role: Role at the time of action 

94 action: Action type ("added", "removed", "reactivated", "role_changed") 

95 action_by: Email of the user who performed the action 

96 

97 Examples: 

98 >>> from mcpgateway.services.team_management_service import TeamManagementService 

99 >>> from unittest.mock import Mock 

100 >>> service = TeamManagementService(Mock()) 

101 >>> service._log_team_member_action("tm-123", "team-123", "user@example.com", "member", "added", "admin@example.com") 

102 """ 

103 history = EmailTeamMemberHistory(team_member_id=team_member_id, team_id=team_id, user_email=user_email, role=role, action=action, action_by=action_by, action_timestamp=utc_now()) 

104 self.db.add(history) 

105 self.db.commit() 

106 

107 async def create_team(self, name: str, description: Optional[str], created_by: str, visibility: Optional[str] = "public", max_members: Optional[int] = None) -> EmailTeam: 

108 """Create a new team. 

109 

110 Args: 

111 name: Team name 

112 description: Team description 

113 created_by: Email of the user creating the team 

114 visibility: Team visibility (private, team, public) 

115 max_members: Maximum number of team members allowed 

116 

117 Returns: 

118 EmailTeam: The created team 

119 

120 Raises: 

121 ValueError: If team name is taken or invalid 

122 Exception: If team creation fails 

123 

124 Examples: 

125 Team creation parameter validation: 

126 >>> from mcpgateway.services.team_management_service import TeamManagementService 

127 

128 Test team name validation: 

129 >>> team_name = "My Development Team" 

130 >>> len(team_name) > 0 

131 True 

132 >>> len(team_name) <= 255 

133 True 

134 >>> bool(team_name.strip()) 

135 True 

136 

137 Test visibility validation: 

138 >>> visibility = "private" 

139 >>> valid_visibilities = ["private", "public"] 

140 >>> visibility in valid_visibilities 

141 True 

142 >>> "invalid" in valid_visibilities 

143 False 

144 

145 Test max_members validation: 

146 >>> max_members = 50 

147 >>> isinstance(max_members, int) 

148 True 

149 >>> max_members > 0 

150 True 

151 

152 Test creator validation: 

153 >>> created_by = "admin@example.com" 

154 >>> "@" in created_by 

155 True 

156 >>> len(created_by) > 0 

157 True 

158 

159 Test description handling: 

160 >>> description = "A team for software development" 

161 >>> description is not None 

162 True 

163 >>> isinstance(description, str) 

164 True 

165 

166 >>> # Test None description 

167 >>> description_none = None 

168 >>> description_none is None 

169 True 

170 """ 

171 try: 

172 # Validate visibility 

173 valid_visibilities = ["private", "public"] 

174 if visibility not in valid_visibilities: 

175 raise ValueError(f"Invalid visibility. Must be one of: {', '.join(valid_visibilities)}") 

176 

177 # Apply default max members from settings 

178 if max_members is None: 

179 max_members = getattr(settings, "max_members_per_team", 100) 

180 

181 # Check for existing inactive team with same name 

182 # First-Party 

183 from mcpgateway.utils.create_slug import slugify # pylint: disable=import-outside-toplevel 

184 

185 potential_slug = slugify(name) 

186 existing_inactive_team = self.db.query(EmailTeam).filter(EmailTeam.slug == potential_slug, EmailTeam.is_active.is_(False)).first() 

187 

188 if existing_inactive_team: 

189 # Reactivate the existing team with new details 

190 existing_inactive_team.name = name 

191 existing_inactive_team.description = description 

192 existing_inactive_team.created_by = created_by 

193 existing_inactive_team.visibility = visibility 

194 existing_inactive_team.max_members = max_members 

195 existing_inactive_team.is_active = True 

196 existing_inactive_team.updated_at = utc_now() 

197 team = existing_inactive_team 

198 

199 # Check if the creator already has an inactive membership 

200 existing_membership = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team.id, EmailTeamMember.user_email == created_by).first() 

201 

202 if existing_membership: 

203 # Reactivate existing membership as owner 

204 existing_membership.role = "owner" 

205 existing_membership.joined_at = utc_now() 

206 existing_membership.is_active = True 

207 membership = existing_membership 

208 else: 

209 # Create new membership 

210 membership = EmailTeamMember(team_id=team.id, user_email=created_by, role="owner", joined_at=utc_now(), is_active=True) 

211 self.db.add(membership) 

212 

213 logger.info(f"Reactivated existing team with slug {potential_slug}") 

214 else: 

215 # Create the team (slug will be auto-generated by event listener) 

216 team = EmailTeam(name=name, description=description, created_by=created_by, is_personal=False, visibility=visibility, max_members=max_members, is_active=True) 

217 self.db.add(team) 

218 

219 self.db.flush() # Get the team ID 

220 

221 # Add the creator as owner 

222 membership = EmailTeamMember(team_id=team.id, user_email=created_by, role="owner", joined_at=utc_now(), is_active=True) 

223 self.db.add(membership) 

224 

225 self.db.commit() 

226 

227 # Invalidate member count cache for the new team 

228 await self.invalidate_team_member_count_cache(str(team.id)) 

229 

230 # Invalidate auth cache for creator's team membership 

231 # Without this, the cache won't know the user belongs to this new team 

232 try: 

233 await auth_cache.invalidate_user_teams(created_by) 

234 await auth_cache.invalidate_team_membership(created_by) 

235 await auth_cache.invalidate_user_role(created_by, str(team.id)) 

236 await admin_stats_cache.invalidate_teams() 

237 except Exception as cache_error: 

238 logger.debug(f"Failed to invalidate cache on team create: {cache_error}") 

239 

240 logger.info(f"Created team '{team.name}' by {created_by}") 

241 return team 

242 

243 except Exception as e: 

244 self.db.rollback() 

245 logger.error(f"Failed to create team '{name}': {e}") 

246 raise 

247 

248 async def get_team_by_id(self, team_id: str) -> Optional[EmailTeam]: 

249 """Get a team by ID. 

250 

251 Args: 

252 team_id: Team ID to lookup 

253 

254 Returns: 

255 EmailTeam: The team or None if not found 

256 

257 Examples: 

258 >>> import asyncio 

259 >>> from unittest.mock import Mock 

260 >>> service = TeamManagementService(Mock()) 

261 >>> asyncio.iscoroutinefunction(service.get_team_by_id) 

262 True 

263 """ 

264 try: 

265 team = self.db.query(EmailTeam).filter(EmailTeam.id == team_id, EmailTeam.is_active.is_(True)).first() 

266 self.db.commit() # Release transaction to avoid idle-in-transaction 

267 return team 

268 

269 except Exception as e: 

270 self.db.rollback() 

271 logger.error(f"Failed to get team by ID {team_id}: {e}") 

272 return None 

273 

274 async def get_team_by_slug(self, slug: str) -> Optional[EmailTeam]: 

275 """Get a team by slug. 

276 

277 Args: 

278 slug: Team slug to lookup 

279 

280 Returns: 

281 EmailTeam: The team or None if not found 

282 

283 Examples: 

284 >>> import asyncio 

285 >>> from unittest.mock import Mock 

286 >>> service = TeamManagementService(Mock()) 

287 >>> asyncio.iscoroutinefunction(service.get_team_by_slug) 

288 True 

289 """ 

290 try: 

291 team = self.db.query(EmailTeam).filter(EmailTeam.slug == slug, EmailTeam.is_active.is_(True)).first() 

292 self.db.commit() # Release transaction to avoid idle-in-transaction 

293 return team 

294 

295 except Exception as e: 

296 self.db.rollback() 

297 logger.error(f"Failed to get team by slug {slug}: {e}") 

298 return None 

299 

300 async def update_team( 

301 self, team_id: str, name: Optional[str] = None, description: Optional[str] = None, visibility: Optional[str] = None, max_members: Optional[int] = None, updated_by: Optional[str] = None 

302 ) -> bool: 

303 """Update team information. 

304 

305 Args: 

306 team_id: ID of the team to update 

307 name: New team name 

308 description: New team description 

309 visibility: New visibility setting 

310 max_members: New maximum member limit 

311 updated_by: Email of user making the update 

312 

313 Returns: 

314 bool: True if update succeeded, False otherwise 

315 

316 Raises: 

317 ValueError: If visibility setting is invalid 

318 

319 Examples: 

320 >>> import asyncio 

321 >>> from unittest.mock import Mock 

322 >>> service = TeamManagementService(Mock()) 

323 >>> asyncio.iscoroutinefunction(service.update_team) 

324 True 

325 """ 

326 try: 

327 team = await self.get_team_by_id(team_id) 

328 if not team: 

329 logger.warning(f"Team {team_id} not found for update") 

330 return False 

331 

332 # Prevent updating personal teams 

333 if team.is_personal: 

334 logger.warning(f"Cannot update personal team {team_id}") 

335 return False 

336 

337 # Update fields if provided 

338 if name is not None: 

339 team.name = name 

340 # Slug will be updated by event listener if name changes 

341 

342 if description is not None: 

343 team.description = description 

344 

345 if visibility is not None: 

346 valid_visibilities = ["private", "public"] 

347 if visibility not in valid_visibilities: 

348 raise ValueError(f"Invalid visibility. Must be one of: {', '.join(valid_visibilities)}") 

349 team.visibility = visibility 

350 

351 if max_members is not None: 

352 team.max_members = max_members 

353 

354 team.updated_at = utc_now() 

355 self.db.commit() 

356 

357 logger.info(f"Updated team {team_id} by {updated_by}") 

358 return True 

359 

360 except ValueError: 

361 raise # Let ValueError propagate to caller for proper error handling 

362 except Exception as e: 

363 self.db.rollback() 

364 logger.error(f"Failed to update team {team_id}: {e}") 

365 return False 

366 

367 async def delete_team(self, team_id: str, deleted_by: str) -> bool: 

368 """Delete a team (soft delete). 

369 

370 Args: 

371 team_id: ID of the team to delete 

372 deleted_by: Email of user performing deletion 

373 

374 Returns: 

375 bool: True if deletion succeeded, False otherwise 

376 

377 Raises: 

378 ValueError: If attempting to delete a personal team 

379 

380 Examples: 

381 >>> import asyncio 

382 >>> from unittest.mock import Mock 

383 >>> service = TeamManagementService(Mock()) 

384 >>> asyncio.iscoroutinefunction(service.delete_team) 

385 True 

386 """ 

387 try: 

388 team = await self.get_team_by_id(team_id) 

389 if not team: 

390 logger.warning(f"Team {team_id} not found for deletion") 

391 return False 

392 

393 # Prevent deleting personal teams 

394 if team.is_personal: 

395 logger.warning(f"Cannot delete personal team {team_id}") 

396 raise ValueError("Personal teams cannot be deleted") 

397 

398 # Soft delete the team 

399 team.is_active = False 

400 team.updated_at = utc_now() 

401 

402 # Get all active memberships before deactivating (for history logging) 

403 memberships = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.is_active.is_(True)).all() 

404 

405 # Log history for each membership (before bulk update) 

406 for membership in memberships: 

407 self._log_team_member_action(membership.id, team_id, membership.user_email, membership.role, "team-deleted", deleted_by) 

408 

409 # Bulk update: deactivate all memberships in single query instead of looping 

410 self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.is_active.is_(True)).update({EmailTeamMember.is_active: False}, synchronize_session=False) 

411 

412 self.db.commit() 

413 

414 # Invalidate all role caches for this team 

415 try: 

416 asyncio.create_task(auth_cache.invalidate_team_roles(team_id)) 

417 asyncio.create_task(admin_stats_cache.invalidate_teams()) 

418 # Also invalidate team cache, teams list cache, and team membership cache for each member 

419 for membership in memberships: 

420 asyncio.create_task(auth_cache.invalidate_team(membership.user_email)) 

421 asyncio.create_task(auth_cache.invalidate_user_teams(membership.user_email)) 

422 asyncio.create_task(auth_cache.invalidate_team_membership(membership.user_email)) 

423 except Exception as cache_error: 

424 logger.debug(f"Failed to invalidate caches on team delete: {cache_error}") 

425 

426 logger.info(f"Deleted team {team_id} by {deleted_by}") 

427 return True 

428 

429 except Exception as e: 

430 self.db.rollback() 

431 logger.error(f"Failed to delete team {team_id}: {e}") 

432 return False 

433 

434 async def add_member_to_team(self, team_id: str, user_email: str, role: str = "member", invited_by: Optional[str] = None) -> bool: 

435 """Add a member to a team. 

436 

437 Args: 

438 team_id: ID of the team 

439 user_email: Email of the user to add 

440 role: Role to assign (owner, member) 

441 invited_by: Email of user who added this member 

442 

443 Returns: 

444 bool: True if member was added successfully, False otherwise 

445 

446 Raises: 

447 ValueError: If role is invalid or team member limit exceeded 

448 

449 Examples: 

450 >>> import asyncio 

451 >>> from unittest.mock import Mock 

452 >>> service = TeamManagementService(Mock()) 

453 >>> asyncio.iscoroutinefunction(service.add_member_to_team) 

454 True 

455 >>> # After adding, EmailTeamMemberHistory is updated 

456 >>> # service._log_team_member_action("tm-123", "team-123", "user@example.com", "member", "added", "admin@example.com") 

457 """ 

458 try: 

459 # Validate role 

460 valid_roles = ["owner", "member"] 

461 if role not in valid_roles: 

462 raise ValueError(f"Invalid role. Must be one of: {', '.join(valid_roles)}") 

463 

464 # Check if team exists 

465 team = await self.get_team_by_id(team_id) 

466 if not team: 

467 logger.warning(f"Team {team_id} not found") 

468 return False 

469 

470 # Check if user exists 

471 user = self.db.query(EmailUser).filter(EmailUser.email == user_email).first() 

472 if not user: 

473 logger.warning(f"User {user_email} not found") 

474 return False 

475 

476 # Check if user is already a member 

477 existing_membership = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.user_email == user_email).first() 

478 

479 if existing_membership and existing_membership.is_active: 

480 logger.warning(f"User {user_email} is already a member of team {team_id}") 

481 return False 

482 

483 # Check team member limit 

484 if team.max_members: 

485 current_member_count = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.is_active.is_(True)).count() 

486 

487 if current_member_count >= team.max_members: 

488 logger.warning(f"Team {team_id} has reached maximum member limit") 

489 raise ValueError(f"Team has reached maximum member limit of {team.max_members}") 

490 

491 # Add or reactivate membership 

492 if existing_membership: 

493 existing_membership.is_active = True 

494 existing_membership.role = role 

495 existing_membership.joined_at = utc_now() 

496 existing_membership.invited_by = invited_by 

497 self.db.commit() 

498 self._log_team_member_action(existing_membership.id, team_id, user_email, role, "reactivated", invited_by) 

499 else: 

500 membership = EmailTeamMember(team_id=team_id, user_email=user_email, role=role, joined_at=utc_now(), invited_by=invited_by, is_active=True) 

501 self.db.add(membership) 

502 self.db.commit() 

503 self._log_team_member_action(membership.id, team_id, user_email, role, "added", invited_by) 

504 

505 # Invalidate auth cache for user's team membership and role 

506 try: 

507 asyncio.create_task(auth_cache.invalidate_team(user_email)) 

508 asyncio.create_task(auth_cache.invalidate_user_role(user_email, team_id)) 

509 asyncio.create_task(auth_cache.invalidate_user_teams(user_email)) 

510 asyncio.create_task(auth_cache.invalidate_team_membership(user_email)) 

511 asyncio.create_task(admin_stats_cache.invalidate_teams()) 

512 except Exception as cache_error: 

513 logger.debug(f"Failed to invalidate cache on team add: {cache_error}") 

514 

515 # Invalidate member count cache for this team 

516 await self.invalidate_team_member_count_cache(str(team_id)) 

517 

518 logger.info(f"Added {user_email} to team {team_id} with role {role}") 

519 return True 

520 

521 except Exception as e: 

522 self.db.rollback() 

523 logger.error(f"Failed to add {user_email} to team {team_id}: {e}") 

524 return False 

525 

526 async def remove_member_from_team(self, team_id: str, user_email: str, removed_by: Optional[str] = None) -> bool: 

527 """Remove a member from a team. 

528 

529 Args: 

530 team_id: ID of the team 

531 user_email: Email of the user to remove 

532 removed_by: Email of user performing the removal 

533 

534 Returns: 

535 bool: True if member was removed successfully, False otherwise 

536 

537 Raises: 

538 ValueError: If attempting to remove the last owner 

539 

540 Examples: 

541 Team membership management with role-based access control. 

542 After removal, EmailTeamMemberHistory is updated via _log_team_member_action. 

543 """ 

544 try: 

545 team = await self.get_team_by_id(team_id) 

546 if not team: 

547 logger.warning(f"Team {team_id} not found") 

548 return False 

549 

550 # Prevent removing members from personal teams 

551 if team.is_personal: 

552 logger.warning(f"Cannot remove members from personal team {team_id}") 

553 return False 

554 

555 # Find the membership 

556 membership = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.user_email == user_email, EmailTeamMember.is_active.is_(True)).first() 

557 

558 if not membership: 

559 logger.warning(f"User {user_email} is not a member of team {team_id}") 

560 return False 

561 

562 # Prevent removing the last owner 

563 if membership.role == "owner": 

564 owner_count = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.role == "owner", EmailTeamMember.is_active.is_(True)).count() 

565 

566 if owner_count <= 1: 

567 logger.warning(f"Cannot remove the last owner from team {team_id}") 

568 raise ValueError("Cannot remove the last owner from a team") 

569 

570 # Remove membership (soft delete) 

571 membership.is_active = False 

572 self.db.commit() 

573 self._log_team_member_action(membership.id, team_id, user_email, membership.role, "removed", removed_by) 

574 

575 # Invalidate auth cache for user's team membership and role 

576 try: 

577 asyncio.create_task(auth_cache.invalidate_team(user_email)) 

578 asyncio.create_task(auth_cache.invalidate_user_role(user_email, team_id)) 

579 asyncio.create_task(auth_cache.invalidate_user_teams(user_email)) 

580 asyncio.create_task(auth_cache.invalidate_team_membership(user_email)) 

581 except Exception as cache_error: 

582 logger.debug(f"Failed to invalidate cache on team remove: {cache_error}") 

583 

584 # Invalidate member count cache for this team 

585 await self.invalidate_team_member_count_cache(str(team_id)) 

586 

587 logger.info(f"Removed {user_email} from team {team_id} by {removed_by}") 

588 return True 

589 

590 except Exception as e: 

591 self.db.rollback() 

592 logger.error(f"Failed to remove {user_email} from team {team_id}: {e}") 

593 return False 

594 

595 async def update_member_role(self, team_id: str, user_email: str, new_role: str, updated_by: Optional[str] = None) -> bool: 

596 """Update a team member's role. 

597 

598 Args: 

599 team_id: ID of the team 

600 user_email: Email of the user whose role to update 

601 new_role: New role to assign 

602 updated_by: Email of user making the change 

603 

604 Returns: 

605 bool: True if role was updated successfully, False otherwise 

606 

607 Raises: 

608 ValueError: If role is invalid or removing last owner role 

609 

610 Examples: 

611 Role management within teams for access control. 

612 After role update, EmailTeamMemberHistory is updated via _log_team_member_action. 

613 """ 

614 try: 

615 # Validate role 

616 valid_roles = ["owner", "member"] 

617 if new_role not in valid_roles: 

618 raise ValueError(f"Invalid role. Must be one of: {', '.join(valid_roles)}") 

619 

620 team = await self.get_team_by_id(team_id) 

621 if not team: 

622 logger.warning(f"Team {team_id} not found") 

623 return False 

624 

625 # Prevent updating roles in personal teams 

626 if team.is_personal: 

627 logger.warning(f"Cannot update roles in personal team {team_id}") 

628 return False 

629 

630 # Find the membership 

631 membership = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.user_email == user_email, EmailTeamMember.is_active.is_(True)).first() 

632 

633 if not membership: 

634 logger.warning(f"User {user_email} is not a member of team {team_id}") 

635 return False 

636 

637 # Prevent changing the role of the last owner to non-owner 

638 if membership.role == "owner" and new_role != "owner": 

639 owner_count = self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.role == "owner", EmailTeamMember.is_active.is_(True)).count() 

640 

641 if owner_count <= 1: 

642 logger.warning(f"Cannot remove owner role from the last owner of team {team_id}") 

643 raise ValueError("Cannot remove owner role from the last owner of a team") 

644 

645 # Update the role 

646 membership.role = new_role 

647 self.db.commit() 

648 self._log_team_member_action(membership.id, team_id, user_email, new_role, "role_changed", updated_by) 

649 

650 # Invalidate role cache 

651 try: 

652 asyncio.create_task(auth_cache.invalidate_user_role(user_email, team_id)) 

653 except Exception as cache_error: 

654 logger.debug(f"Failed to invalidate cache on role update: {cache_error}") 

655 

656 logger.info(f"Updated role of {user_email} in team {team_id} to {new_role} by {updated_by}") 

657 return True 

658 

659 except ValueError: 

660 raise # Let ValueError propagate to caller for proper error handling 

661 except Exception as e: 

662 self.db.rollback() 

663 logger.error(f"Failed to update role of {user_email} in team {team_id}: {e}") 

664 return False 

665 

666 async def get_member(self, team_id: str, user_email: str) -> Optional[EmailTeamMember]: 

667 """Get a single team member by team ID and user email. 

668 

669 Args: 

670 team_id: ID of the team 

671 user_email: Email of the user 

672 

673 Returns: 

674 EmailTeamMember if found and active, None otherwise 

675 """ 

676 try: 

677 return self.db.query(EmailTeamMember).filter(EmailTeamMember.team_id == team_id, EmailTeamMember.user_email == user_email, EmailTeamMember.is_active.is_(True)).first() 

678 except Exception as e: 

679 logger.error(f"Failed to get member {user_email} in team {team_id}: {e}") 

680 return None 

681 

682 async def get_user_teams(self, user_email: str, include_personal: bool = True) -> List[EmailTeam]: 

683 """Get all teams a user belongs to. 

684 

685 Uses caching to reduce database queries (called 20+ times per request). 

686 Cache can be disabled via AUTH_CACHE_TEAMS_ENABLED=false. 

687 

688 Args: 

689 user_email: Email of the user 

690 include_personal: Whether to include personal teams 

691 

692 Returns: 

693 List[EmailTeam]: List of teams the user belongs to 

694 

695 Examples: 

696 User dashboard showing team memberships. 

697 """ 

698 # Check cache first 

699 cache = self._get_auth_cache() 

700 cache_key = f"{user_email}:{include_personal}" 

701 

702 if cache: 

703 cached_team_ids = await cache.get_user_teams(cache_key) 

704 if cached_team_ids is not None: 

705 if not cached_team_ids: # Empty list = user has no teams 

706 return [] 

707 # Fetch full team objects by IDs (fast indexed lookup) 

708 try: 

709 teams = self.db.query(EmailTeam).filter(EmailTeam.id.in_(cached_team_ids), EmailTeam.is_active.is_(True)).all() 

710 self.db.commit() # Release transaction to avoid idle-in-transaction 

711 return teams 

712 except Exception as e: 

713 self.db.rollback() 

714 logger.warning(f"Failed to fetch teams by IDs from cache: {e}") 

715 # Fall through to full query 

716 

717 # Cache miss or caching disabled - do full query 

718 try: 

719 query = self.db.query(EmailTeam).join(EmailTeamMember).filter(EmailTeamMember.user_email == user_email, EmailTeamMember.is_active.is_(True), EmailTeam.is_active.is_(True)) 

720 

721 if not include_personal: 

722 query = query.filter(EmailTeam.is_personal.is_(False)) 

723 

724 teams = query.all() 

725 self.db.commit() # Release transaction to avoid idle-in-transaction 

726 

727 # Update cache with team IDs 

728 if cache: 

729 team_ids = [t.id for t in teams] 

730 await cache.set_user_teams(cache_key, team_ids) 

731 

732 return teams 

733 

734 except Exception as e: 

735 self.db.rollback() 

736 logger.error(f"Failed to get teams for user {user_email}: {e}") 

737 return [] 

738 

739 async def verify_team_for_user(self, user_email, team_id=None): 

740 """ 

741 Retrieve a team ID for a user based on their membership and optionally a specific team ID. 

742 

743 This function attempts to fetch all teams associated with the given user email. 

744 If no `team_id` is provided, it returns the ID of the user's personal team (if any). 

745 If a `team_id` is provided, it checks whether the user is a member of that team. 

746 If the user is not a member of the specified team, it returns a JSONResponse with an error message. 

747 

748 Args: 

749 user_email (str): The email of the user whose teams are being queried. 

750 team_id (str or None, optional): Specific team ID to check for membership. Defaults to None. 

751 

752 Returns: 

753 str or JSONResponse or None: 

754 - If `team_id` is None, returns the ID of the user's personal team or None if not found. 

755 - If `team_id` is provided and the user is a member of that team, returns `team_id`. 

756 - If `team_id` is provided but the user is not a member of that team, returns a JSONResponse with error. 

757 - Returns None if an error occurs and no `team_id` was initially provided. 

758 

759 Raises: 

760 None explicitly, but any exceptions during the process are caught and logged. 

761 

762 Examples: 

763 Verifies user team if team_id provided otherwise finds its personal id. 

764 """ 

765 try: 

766 # Get all teams the user belongs to in a single query 

767 try: 

768 query = self.db.query(EmailTeam).join(EmailTeamMember).filter(EmailTeamMember.user_email == user_email, EmailTeamMember.is_active.is_(True), EmailTeam.is_active.is_(True)) 

769 user_teams = query.all() 

770 self.db.commit() # Release transaction to avoid idle-in-transaction 

771 except Exception as e: 

772 self.db.rollback() 

773 logger.error(f"Failed to get teams for user {user_email}: {e}") 

774 return [] 

775 

776 if not team_id: 

777 # If no team_id is provided, try to get the personal team 

778 personal_team = next((t for t in user_teams if getattr(t, "is_personal", False)), None) 

779 team_id = personal_team.id if personal_team else None 

780 else: 

781 # Check if the provided team_id exists among the user's teams 

782 is_team_present = any(team.id == team_id for team in user_teams) 

783 if not is_team_present: 

784 return [] 

785 except Exception as e: 

786 self.db.rollback() 

787 print(f"An error occurred: {e}") 

788 if not team_id: 

789 team_id = None 

790 

791 return team_id 

792 

793 async def get_team_members( 

794 self, 

795 team_id: str, 

796 cursor: Optional[str] = None, 

797 limit: Optional[int] = None, 

798 page: Optional[int] = None, 

799 per_page: Optional[int] = None, 

800 ) -> Union[List[Tuple[EmailUser, EmailTeamMember]], Tuple[List[Tuple[EmailUser, EmailTeamMember]], Optional[str]], Dict[str, Any]]: 

801 """Get all members of a team with optional cursor or page-based pagination. 

802 

803 Note: This method returns ORM objects and cannot be cached since callers 

804 depend on ORM attributes and methods. 

805 

806 Args: 

807 team_id: ID of the team 

808 cursor: Opaque cursor token for cursor-based pagination 

809 limit: Maximum number of members to return (for cursor-based, default: 50) 

810 page: Page number for page-based pagination (1-indexed). Mutually exclusive with cursor. 

811 per_page: Items per page for page-based pagination (default: 30) 

812 

813 Returns: 

814 - If cursor is provided: Tuple (members, next_cursor) 

815 - If page is provided: Dict with keys 'data', 'pagination', 'links' 

816 - If neither: List of all members (backward compatibility) 

817 

818 Examples: 

819 Team member management and role display. 

820 """ 

821 try: 

822 # Build base query - for pagination, select EmailTeamMember and eager-load user 

823 # For backward compat (no pagination), select both entities as tuple 

824 if cursor is None and page is None and limit is None: 

825 # Backward compatibility: return tuples (no pagination requested) 

826 query = ( 

827 select(EmailUser, EmailTeamMember) 

828 .join(EmailTeamMember, EmailUser.email == EmailTeamMember.user_email) 

829 .where(EmailTeamMember.team_id == team_id, EmailTeamMember.is_active.is_(True)) 

830 .order_by(EmailUser.full_name, EmailUser.email) 

831 ) 

832 result = self.db.execute(query) 

833 members = list(result.all()) 

834 self.db.commit() 

835 return members 

836 

837 # For pagination: select EmailTeamMember and eager-load user to avoid N+1 

838 query = ( 

839 select(EmailTeamMember) 

840 .options(selectinload(EmailTeamMember.user)) 

841 .where(EmailTeamMember.team_id == team_id, EmailTeamMember.is_active.is_(True)) 

842 .join(EmailUser, EmailUser.email == EmailTeamMember.user_email) 

843 ) 

844 

845 # PAGE-BASED PAGINATION (Admin UI) - use unified_paginate 

846 if page is not None: 

847 # Alphabetical ordering for user-friendly display