From 04a433ede197abcfb365bd9ea1755f63ee8aa719 Mon Sep 17 00:00:00 2001
From: joyway1978 <184585080+joyway1978@users.noreply.github.com>
Date: Wed, 1 Apr 2026 11:48:13 +0800
Subject: [PATCH] fix(backend): correct attachment access check for group chat members

Fixed attachment access permission check in _ensure_attachment_access() and get_all_task_attachments() endpoints:

1. Changed MemberStatus.APPROVED to MemberStatus.APPROVED.value to ensure proper string comparison in SQLAlchemy queries. The status column stores string values, but the code was comparing against the Enum object directly, which could cause query mismatches.

2. Added ResourceMember.copied_resource_id == 0 condition to exclude share records and only consider actual group chat members. This aligns with the logic in TaskMemberService.is_member() which also excludes share records.

This fixes the issue where some group chat members could not access attachments while others could, depending on how their membership status was stored.
---
 backend/app/api/endpoints/adapter/attachments.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/backend/app/api/endpoints/adapter/attachments.py b/backend/app/api/endpoints/adapter/attachments.py
index c992064a7..fef815552 100644
--- a/backend/app/api/endpoints/adapter/attachments.py
+++ b/backend/app/api/endpoints/adapter/attachments.py
@@ -92,13 +92,15 @@ def _ensure_attachment_access(db: Session, context, current_user: User) -> None:
             has_access = True
         else:
             # Check if user is a task member using ResourceMember
+            # Exclude share records (copied_resource_id > 0), only consider actual group chat members
             task_member = (
                 db.query(ResourceMember)
                 .filter(
                     ResourceMember.resource_type == ResourceType.TASK,
                     ResourceMember.resource_id == subtask.task_id,
                     ResourceMember.user_id == current_user.id,
-                    ResourceMember.status == MemberStatus.APPROVED,
+                    ResourceMember.status == MemberStatus.APPROVED.value,
+                    ResourceMember.copied_resource_id == 0,
                 )
                 .first()
             )
@@ -681,13 +683,15 @@ async def get_all_task_attachments(
         from app.models.share_link import ResourceType
         is_owner = task.user_id == current_user.id
+        # Exclude share records (copied_resource_id > 0), only consider actual group chat members
         is_member = (
             db.query(ResourceMember)
             .filter(
                 ResourceMember.resource_type == ResourceType.TASK,
                 ResourceMember.resource_id == task_id,
                 ResourceMember.user_id == current_user.id,
-                ResourceMember.status == MemberStatus.APPROVED,
+                ResourceMember.status == MemberStatus.APPROVED.value,
+                ResourceMember.copied_resource_id == 0,
             )
             .first() is not None
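Review bot: The membership predicate added here (`ResourceMember.status == MemberStatus.APPROVED.value` plus `ResourceMember.copied_resource_id == 0`) is now hand-written in three places — this hunk, the `is_member` query in `get_all_task_attachments` in the second hunk, and `TaskMemberService.is_member()` that the commit message cites — and the bug being fixed is exactly the drift that copied authorization checks produce. Both endpoint checks should call the service method instead (its signature is not visible in this patch) so that "who counts as an approved member" has one definition; if the raw query must stay, at least hoist it into a single private helper in this module. Two smaller points: if `copied_resource_id` is nullable, `== 0` silently excludes rows where it is NULL under SQL three-valued logic, so confirm the column is NOT NULL or add an `.is_(None)` alternative; and needing `.value` suggests `MemberStatus` is not a `str`-mixin enum or the column is not declared as `Enum(MemberStatus)`, which would be better fixed at the model so the bare-enum comparison is safe everywhere. The rest of `_ensure_attachment_access`, including the branch that sets `has_access`, lies outside the hunk.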