fixed #2.

application/forms/application_form.py

@@ -1,4 +1,5 @@
 from wtforms import Form, StringField, BooleanField, validators
+from application.forms import ArrayField
 
 
 class ApplicationForm(Form):
@@ -15,3 +16,5 @@ class ApplicationForm(Form):
     app_key = BooleanField(
         default=False
     )
+    member_ids = ArrayField()
+    root_ids = ArrayField()

application/frontend/coffeescript/controllers/settings.coffee

@@ -61,9 +61,18 @@ angular.module 'v.controllers.settings', []
     $v = $injector.get '$v'
     $validator = $injector.get '$validator'
     $state = $injector.get '$state'
+    $timeout = $injector.get '$timeout'
 
     $scope.mode = 'edit'
     $scope.application = application
+    for member in application.members
+        member.isRoot = member.id in application.root_ids
+    $scope.$watch 'application.members', ->
+        root_ids = []
+        for member in $scope.application.members when member.isRoot
+            root_ids.push member.id
+        $scope.application.root_ids = root_ids
+    , yes
     $scope.modal =
         autoShow: yes
         hide: ->
@@ -76,8 +85,34 @@ angular.module 'v.controllers.settings', []
                 id: $scope.application.id
                 title: $scope.application.title
                 description: $scope.application.description
+                member_ids: $scope.application.member_ids
+                root_ids: $scope.application.root_ids
             $v.api.application.updateApplication(data).success ->
                 $scope.modal.hide()
+    $scope.memberService =
+        email: ''
+        invite: ($event) ->
+            $event.preventDefault()
+            $validator.validate($scope, 'memberService').success ->
+                NProgress.start()
+                $v.api.application.addApplicationMember($scope.application.id, $scope.memberService.email).success (member) ->
+                    NProgress.done()
+                    $scope.application.member_ids.push member.id
+                    $scope.application.members.push member
+                    $scope.memberService.email = ''
+                    $timeout -> $validator.reset $scope, 'memberService'
+        removeMember: ($event, memberId) ->
+            $event.preventDefault()
+            for index in [0...$scope.application.members.length] when $scope.application.members[index].id is memberId
+                $scope.application.members.splice index, 1
+                break
+            for index in [0...$scope.application.member_ids.length] when $scope.application.member_ids[index] is memberId
+                $scope.application.member_ids.splice index, 1
+                break
+            for index in [0...$scope.application.root_ids.length] when $scope.application.root_ids[index] is memberId
+                $scope.application.root_ids.splice index, 1
+                break
+            return
     $scope.updateAppKey = ->
         NProgress.start()
         data =

application/frontend/coffeescript/provider.coffee

@@ -106,6 +106,12 @@ angular.module 'v.provider', []
                     params:
                         index: index
                         all: all
+            addApplicationMember: (applicationId, email) =>
+                @http
+                    method: 'post'
+                    url: "/settings/applications/#{applicationId}/members"
+                    data:
+                        email: email
             addApplication: (application) =>
                 ###
                 @param application:

application/frontend/views/modal/application.html

@@ -28,6 +28,41 @@ <h4 ng-if="mode=='edit'" class="modal-title">Update an application</h4>
                         <p class="form-control-static">{{ application.app_key }}</p>
                     </div>
                 </div>
+                <div ng-show="mode=='edit'" class="form-group">
+                    <label class="col-sm-2 control-label">Members</label>
+                    <div class="col-sm-10">
+                        <table class="table table-condensed table-hover">
+                            <tbody>
+                            <tr ng-repeat="member in application.members">
+                                <td>{{ member.name }} &lt;{{ member.email }}&gt;</td>
+                                <td width="60px;">
+                                    <label class="checkbox-inline" style="padding-top: 0;">
+                                        <input ng-model="member.isRoot"
+                                               ng-disabled="member.isRoot && application.root_ids.length==1"
+                                               type="checkbox"/>
+                                        root
+                                    </label>
+                                </td>
+                                <td width="36px;">
+                                    <a ng-click="memberService.removeMember($event, member.id)"
+                                       ng-hide="(member.isRoot && application.root_ids.length==1) || application.member_ids.length == 1"
+                                       href="/settings/applications/{{ application.id }}/members/{{ member.id }}" class="btn btn-danger btn-xs"><i class="fa fa-times"></i></a>
+                                </td>
+                            </tr>
+                            </tbody>
+                        </table>
+
+                        <div class="input-group col-sm-6 form-group" style="padding-left: 15px;">
+                            <input ng-model="memberService.email"
+                                   validator='/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/'
+                                   v-enter="memberService.invite($event)"
+                                   type="text" class="form-control input-sm" placeholder="email@gmail.com"/>
+                            <span class="input-group-btn">
+                                <button ng-click="memberService.invite($event)" class="btn btn-default btn-sm" type="button"><i class="fa fa-plus fa-fw"></i> Invite</button>
+                            </span>
+                        </div>
+                    </div>
+                </div>
             </div>
             <div class="modal-footer">
                 <button ng-click="submit()"

application/urls.py

@@ -56,6 +56,10 @@
         PUT=update_application,
         DELETE=delete_application,
     )),
+    # /settings/applications/<application_id>/members
+    url(r'^settings/applications/(?P<application_id>[0-9]{1,32})/members$', api_dispatch(
+        POST=add_application_member,
+    )),
     # /settings/users
     url(r'^settings/users$', api_dispatch(
         GET=get_users,

application/views/applications.py

@@ -6,8 +6,9 @@
 from application.decorators import authorization
 from application.forms.search_form import SearchForm
 from application.forms.application_form import ApplicationForm
+from application.forms.user_form import UserForm
 from application.models.dto.page_list import PageList
-from application.models.datastore.user_model import UserPermission
+from application.models.datastore.user_model import UserModel, UserPermission
 from application.models.datastore.application_model import ApplicationModel
 
 
@@ -33,7 +34,28 @@ def get_application(request, application_id):
     application = ApplicationModel.get_by_id(long(application_id))
     if application is None:
         raise Http404
-    return JsonResponse(application)
+    if request.user.permission != UserPermission.root and\
+                    request.user.key().id() not in application.member_ids:
+        raise Http403
+    result = application.dict()
+    result['members'] = [x.dict() for x in UserModel.get_by_id(application.member_ids)]
+    return JsonResponse(result)
+
+@authorization(UserPermission.root, UserPermission.normal)
+def add_application_member(request, application_id):
+    form = UserForm(name='invite', **json.loads(request.body))
+    if not form.validate():
+        raise Http400
+    application = ApplicationModel.get_by_id(long(application_id))
+    if application is None:
+        raise Http404
+    if request.user.permission != UserPermission.root and\
+                    request.user.key().id() not in application.root_ids:
+        raise Http403
+    user = UserModel.invite_user(request, form.email.data)
+    application.member_ids.append(user.key().id())
+    application.save()
+    return JsonResponse(user)
 
 @authorization(UserPermission.root, UserPermission.normal)
 def add_application(request):
@@ -61,13 +83,16 @@ def update_application(request, application_id):
     application = ApplicationModel.get_by_id(long(application_id))
     if application is None:
         raise Http404
-    if request.user.key().id() not in application.root_ids:
+    if request.user.permission != UserPermission.root and\
+                    request.user.key().id() not in application.root_ids:
         raise Http403
     if form.app_key.data:
         application.app_key = str(uuid.uuid1())
     else:
         application.title = form.title.data
         application.description = form.description.data
+        application.member_ids = form.member_ids.data
+        application.root_ids = form.root_ids.data
     application.put()
     return JsonResponse(application)
 
@@ -76,7 +101,8 @@ def delete_application(request, application_id):
     application = ApplicationModel.get_by_id(long(application_id))
     if application is None:
         raise Http404
-    if request.user.key().id() not in application.root_ids:
+    if request.user.permission != UserPermission.root and\
+                    request.user.key().id() not in application.root_ids:
         raise Http403
     application.delete()
     return HttpResponse()