feat: add swimlane grouping by labels or assignees

Adds an optional swimlane view that groups cards into horizontal lanes
by label or assignee, with a "No label" / "Unassigned" catchall lane.
Cards with multiple labels appear in every matching lane with a
duplicate badge. The flat board stays the default.

Implementation:
- Swimlane mode and lane order are shared board settings (setAppValue),
  gated by PERMISSION_EDIT in ConfigController::setValue() following the
  pattern from #7990. ConfigService rejects non-numeric board ids on
  the shared path and shape-validates values (mode enum, JSON array of
  lane ids, max 1000 entries / 8KB) before storing.
- Lane collapse state is per-user in localStorage.
- New components: Swimlane.vue, SwimlaneHeader.vue. Stack.vue gained
  `header-only` / `hide-header` props so list headers render once in a
  sticky row above the lanes, sharing one horizontal scroll context.
- Lanes computed reactively from cards' labels/assignees; lane order is
  deterministic (saved order first, ID fallback). Store mutations are
  optimistic with rollback on dispatch failure.

Tests: PHPUnit ConfigServiceTest covers all three config keys, board
id validation, value validation, and the per-user vs shared storage
split. Cypress swimlanesFeatures covers grouping modes, multi-label
cards, persistence across reload, and the editor-only restriction
(API 403 + disabled UI controls).

Closes #32

Signed-off-by: Pavlinchen <69079839+Pavlinchen@users.noreply.github.com>

Author: Pavlinchen

appinfo/info.xml

@@ -42,7 +42,7 @@
         <database min-version="9.4">pgsql</database>
         <database>sqlite</database>
         <database min-version="8.0">mysql</database>
-        <nextcloud min-version="35" max-version="35"/>
+        <nextcloud min-version="34" max-version="35"/>
     </dependencies>
     <background-jobs>
         <job>OCA\Deck\Cron\DeleteCron</job>

cypress/e2e/swimlanesFeatures.js

@@ -0,0 +1,243 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+import { randUser } from '../utils/index.js'
+
+const user = randUser()
+
+/**
+ * Builds a board with three stacks, three labels, two cards \u2014 one card
+ * has two labels so it should render in two lanes when grouped by labels.
+ */
+function seedSwimlaneBoard() {
+	const auth = { user: user.userId, password: user.password }
+	const baseUrl = Cypress.env('baseUrl')
+	const api = `${baseUrl}/index.php/apps/deck/api/v1.0`
+
+	return cy.request({
+		method: 'POST',
+		url: `${api}/boards`,
+		auth,
+		body: { title: 'Swimlanes', color: '00ff00' },
+	}).then(({ body: board }) => {
+		const boardId = board.id
+
+		const stackReq = (title) => cy.request({
+			method: 'POST',
+			url: `${api}/boards/${boardId}/stacks`,
+			auth,
+			body: { title, order: 0 },
+		})
+		const labelReq = (title, color) => cy.request({
+			method: 'POST',
+			url: `${api}/boards/${boardId}/labels`,
+			auth,
+			body: { title, color },
+		}).then(({ body }) => body)
+
+		// Cypress chainables are not promises, so the requests are chained
+		// sequentially instead of via Promise.all
+		const ids = {}
+		return stackReq('Todo').then(({ body }) => {
+			ids.todo = body.id
+		}).then(() => stackReq('Doing'))
+			.then(() => stackReq('Done'))
+			.then(() => labelReq('Bug', 'ff0000'))
+			.then((label) => {
+				ids.bug = label.id
+			})
+			.then(() => labelReq('Feature', '00ff00'))
+			.then((label) => {
+				ids.feature = label.id
+			})
+			.then(() => labelReq('Backend', '0000ff'))
+			.then((label) => {
+				ids.backend = label.id
+			})
+			.then(() => {
+				const mk = (title) => cy.request({
+					method: 'POST',
+					url: `${api}/boards/${boardId}/stacks/${ids.todo}/cards`,
+					auth,
+					body: { title, description: '' },
+				}).then(({ body }) => body)
+				const assignLabel = (cardId, labelId) => cy.request({
+					method: 'PUT',
+					url: `${api}/boards/${boardId}/stacks/${ids.todo}/cards/${cardId}/assignLabel`,
+					auth,
+					body: { labelId },
+				})
+				return mk('Fix login bug').then((card) =>
+					// two labels on this card
+					assignLabel(card.id, ids.bug).then(() => assignLabel(card.id, ids.backend)),
+				).then(() =>
+					mk('Ship feature').then((card) => assignLabel(card.id, ids.feature)),
+				).then(() => mk('Unlabeled work'))
+					.then(() => cy.wrap({ boardId }))
+			})
+	})
+}
+
+const viewer = randUser()
+
+describe('Swimlane grouping — editor-only restriction', function() {
+	const owner = randUser()
+	let restrictedBoardId
+
+	before(function() {
+		cy.createUser(owner)
+		cy.createUser(viewer)
+		const ownerAuth = { user: owner.userId, password: owner.password }
+		const base = `${Cypress.env('baseUrl')}/index.php/apps/deck/api/v1.0`
+		cy.request({
+			method: 'POST',
+			url: `${base}/boards`,
+			auth: ownerAuth,
+			body: { title: 'Restricted board', color: '0000ff' },
+		}).then(({ body }) => {
+			restrictedBoardId = body.id
+			// Share via API with all permission flags explicitly false; the
+			// share dialog grants edit by default, which would invalidate this
+			// "read-only" suite. PERMISSION_TYPE_USER = 0.
+			cy.request({
+				method: 'POST',
+				url: `${base}/boards/${restrictedBoardId}/acl`,
+				auth: ownerAuth,
+				body: {
+					type: 0,
+					participant: viewer.userId,
+					permissionEdit: false,
+					permissionShare: false,
+					permissionManage: false,
+				},
+			})
+		})
+	})
+
+	it('read-only user cannot set swimlaneMode via the API (403)', function() {
+		// Clear cookies so the basic-auth credentials below aren't silently
+		// overridden by a logged-in session left over from cy.createUser /
+		// cy.shareBoardWithUi (which authenticate as admin and would make
+		// the request succeed as admin, masking the permission check).
+		cy.clearCookies()
+		cy.request({
+			method: 'POST',
+			failOnStatusCode: false,
+			url: `${Cypress.env('baseUrl')}/ocs/v2.php/apps/deck/api/v1.0/config/board:${restrictedBoardId}:swimlaneMode?format=json`,
+			auth: { user: viewer.userId, password: viewer.password },
+			headers: { 'OCS-APIRequest': 'true' },
+			body: { value: 'labels' },
+		}).then((response) => {
+			expect(response.status).to.equal(403)
+		})
+	})
+
+	it('swimlane grouping controls are disabled in the UI for a read-only user', function() {
+		cy.login(viewer)
+		cy.visit(`/apps/deck/board/${restrictedBoardId}`)
+		cy.get('button[aria-label="View Modes"]', { timeout: 10000 }).first().click()
+		cy.get('input[name="swimlaneMode"]').each(($input) => {
+			cy.wrap($input).should('be.disabled')
+		})
+	})
+})
+
+describe('Swimlane grouping', function() {
+	let boardId
+
+	before(function() {
+		cy.createUser(user)
+		cy.login(user)
+		seedSwimlaneBoard().then((ctx) => { boardId = ctx.boardId })
+	})
+
+	beforeEach(function() {
+		// Reset the board to flat view before each test so the tests are
+		// independent (done here rather than in afterEach so that a config
+		// request still in flight when the previous test ends cannot undo it)
+		cy.request({
+			method: 'POST',
+			url: `${Cypress.env('baseUrl')}/ocs/v2.php/apps/deck/api/v1.0/config/board:${boardId}:swimlaneMode?format=json`,
+			auth: { user: user.userId, password: user.password },
+			body: { value: 'none' },
+		})
+		cy.login(user)
+		cy.visit(`/apps/deck/board/${boardId}`)
+		cy.get('.stack', { timeout: 10000 }).should('have.length', 3)
+	})
+
+	// Selects a grouping mode in the View Modes menu and waits for the
+	// config request to be persisted, so the next test cannot race it
+	const setModeViaMenu = (label) => {
+		cy.intercept('POST', '**/apps/deck/api/v1.0/config/**').as('saveSwimlaneMode')
+		cy.get('button[aria-label="View Modes"]').first().click()
+		// {force: true} is needed because the NcActions menu has a brief
+		// CSS visibility:hidden phase on the action-radio span while it
+		// animates open, which is what an end user would see as a normal
+		// click target
+		cy.contains('.action-radio__label', label).click({ force: true })
+		cy.wait('@saveSwimlaneMode')
+	}
+
+	it('flat view shows no swimlanes initially', function() {
+		cy.get('.swimlane').should('not.exist')
+		cy.get('.card').should('have.length.at.least', 3)
+	})
+
+	it('groups cards by labels', function() {
+		setModeViaMenu('Labels')
+
+		cy.get('.swimlane', { timeout: 8000 }).should('have.length.at.least', 4)
+		cy.get('.swimlane-header__title, .swimlane-header__label').should('contain.text', 'Bug')
+		cy.get('.swimlane-header__title, .swimlane-header__label').should('contain.text', 'Feature')
+		cy.get('.swimlane-header__title, .swimlane-header__label').should('contain.text', 'Backend')
+		cy.get('.swimlane-header__title, .swimlane-header__label').last().should('contain.text', 'No label')
+	})
+
+	it('renders a multi-label card in every matching lane', function() {
+		setModeViaMenu('Labels')
+		cy.get('.swimlane', { timeout: 8000 }).should('have.length.at.least', 4)
+
+		// "Fix login bug" has Bug + Backend labels \u2014 must appear in both lanes.
+		// Use cy.contains() to avoid embedding lane names into a CSS selector string.
+		const expectCardInLane = (laneName, cardTitle) => {
+			cy.contains('.swimlane-header', laneName)
+				.parents('.swimlane')
+				.find('.card')
+				.contains(cardTitle)
+				.should('exist')
+		}
+		expectCardInLane('Bug', 'Fix login bug')
+		expectCardInLane('Backend', 'Fix login bug')
+	})
+
+	it('groups cards by assignees with Unassigned catchall last', function() {
+		setModeViaMenu('Assignees')
+
+		cy.get('.swimlane', { timeout: 8000 }).should('have.length.at.least', 1)
+		cy.get('.swimlane-header__title').last().should('contain.text', 'Unassigned')
+	})
+
+	it('returns to flat view when No grouping is selected', function() {
+		setModeViaMenu('Labels')
+		cy.get('.swimlane', { timeout: 8000 }).should('exist')
+
+		setModeViaMenu('No grouping')
+
+		cy.get('.swimlane').should('not.exist')
+		cy.get('.stack').should('have.length', 3)
+	})
+
+	it('persists the grouping mode across reload', function() {
+		setModeViaMenu('Labels')
+		cy.get('.swimlane', { timeout: 8000 }).should('exist')
+
+		cy.reload()
+		cy.get('.swimlane', { timeout: 10000 }).should('have.length.at.least', 4)
+
+		// Radio reflects the persisted mode after reload
+		cy.get('button[aria-label="View Modes"]').first().click()
+		cy.get('input[name="swimlaneMode"][value="labels"]').should('be.checked')
+	})
+})

lib/Service/BoardService.php

@@ -341,9 +341,13 @@ private function applyPermissions(int $boardId, bool $edit, bool $share, bool $m
 
 	public function enrichWithBoardSettings(Board $board): void {
 		$globalCalendarConfig = (bool)$this->config->getUserValue($this->userId, Application::APP_ID, 'calendar', true);
+		$boardId = $board->getId();
 		$settings = [
-			'notify-due' => $this->config->getUserValue($this->userId, Application::APP_ID, 'board:' . $board->getId() . ':notify-due', ConfigService::SETTING_BOARD_NOTIFICATION_DUE_ASSIGNED),
-			'calendar' => $this->config->getUserValue($this->userId, Application::APP_ID, 'board:' . $board->getId() . ':calendar', $globalCalendarConfig),
+			'notify-due' => $this->config->getUserValue($this->userId, Application::APP_ID, 'board:' . $boardId . ':notify-due', ConfigService::SETTING_BOARD_NOTIFICATION_DUE_ASSIGNED),
+			'calendar' => $this->config->getUserValue($this->userId, Application::APP_ID, 'board:' . $boardId . ':calendar', $globalCalendarConfig),
+			'swimlaneMode' => $this->config->getAppValue(Application::APP_ID, 'board:' . $boardId . ':swimlaneMode', 'none'),
+			'swimlaneLabelOrder' => $this->config->getAppValue(Application::APP_ID, 'board:' . $boardId . ':swimlaneLabelOrder', '[]'),
+			'swimlaneUserOrder' => $this->config->getAppValue(Application::APP_ID, 'board:' . $boardId . ':swimlaneUserOrder', '[]'),
 		];
 		$board->setSettings($settings);
 	}

lib/Service/ConfigService.php

@@ -24,6 +24,8 @@ class ConfigService {
 	public const SETTING_BOARD_NOTIFICATION_DUE_ALL = 'all';
 	public const SETTING_BOARD_NOTIFICATION_DUE_DEFAULT = self::SETTING_BOARD_NOTIFICATION_DUE_ASSIGNED;
 
+	private const SWIMLANE_CONFIG_KEYS = ['swimlaneMode', 'swimlaneLabelOrder', 'swimlaneUserOrder'];
+
 	private ?string $userId = null;
 
 	public function __construct(
@@ -187,16 +189,63 @@ public function set($key, $value) {
 				if (count($parts) < 3) {
 					break;
 				}
+				$boardId = $parts[1];
 				$boardConfigKey = $parts[2];
+				if ($boardId === '' || $boardConfigKey === '') {
+					throw new BadRequestException('Board config key must be in the form board:<id>:<setting>');
+				}
 				if ($boardConfigKey === 'notify-due' && !in_array($value, [self::SETTING_BOARD_NOTIFICATION_DUE_ALL, self::SETTING_BOARD_NOTIFICATION_DUE_ASSIGNED, self::SETTING_BOARD_NOTIFICATION_DUE_OFF], true)) {
 					throw new BadRequestException('Board notification option must be one of: off, assigned, all');
 				}
-				$this->config->setUserValue($userId, Application::APP_ID, $key, (string)$value);
+				if (in_array($boardConfigKey, self::SWIMLANE_CONFIG_KEYS, true)) {
+					// Shared board-level setting (visible to every board member).
+					// EDIT permission is enforced in ConfigController::setValue(),
+					// whose board:(\d+): match requires a numeric board id — so a
+					// numeric id is required here too, otherwise the permission
+					// check could be bypassed.
+					if (!ctype_digit($boardId)) {
+						throw new BadRequestException('Board id must be numeric');
+					}
+					$this->validateSwimlaneValue($boardConfigKey, $value);
+					$this->config->setAppValue(Application::APP_ID, $key, (string)$value);
+				} else {
+					$this->config->setUserValue($userId, Application::APP_ID, $key, (string)$value);
+				}
 				$result = $value;
 		}
 		return $result;
 	}
 
+	/**
+	 * Shared swimlane settings live in app config and are delivered to every
+	 * board member on board load, so reject malformed values before storing.
+	 */
+	private function validateSwimlaneValue(string $boardConfigKey, mixed $value): void {
+		if ($boardConfigKey === 'swimlaneMode') {
+			if (!in_array($value, ['none', 'labels', 'assignees'], true)) {
+				throw new BadRequestException('Swimlane mode must be one of: none, labels, assignees');
+			}
+			return;
+		}
+
+		// swimlaneLabelOrder / swimlaneUserOrder: JSON array of lane ids
+		// (label ids, user ids or the '__none__' catch-all lane).
+		if (!is_string($value) || strlen($value) > 8192) {
+			throw new BadRequestException('Swimlane order must be a JSON array of lane ids');
+		}
+		$order = json_decode($value, true);
+		if (!is_array($order) || !array_is_list($order) || count($order) > 1000) {
+			throw new BadRequestException('Swimlane order must be a JSON array of lane ids');
+		}
+		foreach ($order as $laneId) {
+			$isIntId = is_int($laneId);
+			$isStringId = is_string($laneId) && $laneId !== '' && strlen($laneId) <= 64;
+			if (!$isIntId && !$isStringId) {
+				throw new BadRequestException('Swimlane order entries must be label ids, user ids or "__none__"');
+			}
+		}
+	}
+
 	/**
 	 * @return string[]
 	 */