soroush.asadi
7a5ea75b50
CI/CD / CI · API (dotnet build + test) (push) Successful in 40s
CI/CD / CI · Admin API (dotnet build) (push) Successful in 30s
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m9s
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
CI/CD / CI · Website (tsc) (push) Successful in 45s
CI/CD / CI · Koja (tsc) (push) Has been cancelled
CI/CD / Deploy · all services (push) Has been cancelled
Closes the gap where the custom-role matrix was defined but unenforced — most write endpoints only checked café membership, so the API would accept writes a role's UI hid. Adds EnsurePermission(...) to all mutating/sensitive endpoints across 32 controllers, mapped to the granular catalog: - menu/inventory/coupons/customers/expenses/reservations/taxes/branches → CRUD perms - tables/queue/kitchen-stations/print-settings → manage perms - orders → ProcessOrders / EditOrder / VoidOrder / UpdateOrderStatus / HandlePayments, payment corrections → ManageFinancials - HR → CreateStaff / ManageSchedules / ReviewLeave / View+ManageSalaries / ManageStaffCredentials (self-service clock-in/leave preserved) - reports → ViewReports, export → ExportReports, audit → ViewAuditLog - billing → ManageBilling, sms → SendSms/ManageSmsSettings, reviews → ManageReviews, discover/public profile → ManageDiscoverProfile, café settings → ManageCafeSettings, custom roles → ManageRoles Removes legacy [Authorize(Roles=...)] attributes that would have overridden the permission model (orders, branch-menu, pos-device, print). Manual discount/comp have no backend endpoint yet (discounts come from coupons) — gated on the POS UI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
255 lines
10 KiB
C#
255 lines
10 KiB
C#
using FluentValidation;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
using Meezi.API.Models.Tables;
|
|
using Meezi.API.Services;
|
|
using Meezi.Core.Authorization;
|
|
using Meezi.Core.Enums;
|
|
using Meezi.Core.Interfaces;
|
|
using Meezi.Shared;
|
|
|
|
namespace Meezi.API.Controllers;
|
|
|
|
[Route("api/cafes/{cafeId}/branches/{branchId}/tables")]
|
|
public class BranchTablesController : CafeApiControllerBase
|
|
{
|
|
private readonly ITableService _tables;
|
|
private readonly IValidator<CreateBranchTableRequest> _createTableValidator;
|
|
private readonly IValidator<PatchBranchTableRequest> _patchTableValidator;
|
|
private readonly IValidator<CreateTableSectionRequest> _createSectionValidator;
|
|
private readonly IValidator<PatchTableSectionRequest> _patchSectionValidator;
|
|
private readonly IValidator<SetTableCleaningRequest> _cleaningValidator;
|
|
|
|
public BranchTablesController(
|
|
ITableService tables,
|
|
IValidator<CreateBranchTableRequest> createTableValidator,
|
|
IValidator<PatchBranchTableRequest> patchTableValidator,
|
|
IValidator<CreateTableSectionRequest> createSectionValidator,
|
|
IValidator<PatchTableSectionRequest> patchSectionValidator,
|
|
IValidator<SetTableCleaningRequest> cleaningValidator)
|
|
{
|
|
_tables = tables;
|
|
_createTableValidator = createTableValidator;
|
|
_patchTableValidator = patchTableValidator;
|
|
_createSectionValidator = createSectionValidator;
|
|
_patchSectionValidator = patchSectionValidator;
|
|
_cleaningValidator = cleaningValidator;
|
|
}
|
|
|
|
[HttpGet("board")]
|
|
public async Task<IActionResult> GetBoard(
|
|
string cafeId,
|
|
string branchId,
|
|
ITenantContext tenant,
|
|
[FromQuery] bool activeOnly = true,
|
|
CancellationToken ct = default)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var data = await _tables.GetBranchTableBoardAsync(cafeId, branchId, activeOnly, ct);
|
|
return Ok(new ApiResponse<IReadOnlyList<TableBoardDto>>(true, data));
|
|
}
|
|
|
|
[HttpGet]
|
|
public async Task<IActionResult> GetTables(
|
|
string cafeId,
|
|
string branchId,
|
|
ITenantContext tenant,
|
|
CancellationToken ct = default)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var data = await _tables.GetBranchTablesAsync(cafeId, branchId, ct);
|
|
if (data is null) return NotFoundError("Branch not found.");
|
|
return Ok(new ApiResponse<IReadOnlyList<TableDto>>(true, data));
|
|
}
|
|
|
|
[HttpPost]
|
|
public async Task<IActionResult> CreateTable(
|
|
string cafeId,
|
|
string branchId,
|
|
[FromBody] CreateBranchTableRequest request,
|
|
ITenantContext tenant,
|
|
CancellationToken ct)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var validation = await _createTableValidator.ValidateAsync(request, ct);
|
|
if (!validation.IsValid) return BadRequest(ValidationError(validation));
|
|
|
|
var result = await _tables.CreateBranchTableAsync(cafeId, branchId, request, ct);
|
|
return BranchOpResult(result);
|
|
}
|
|
|
|
[HttpPatch("{id}")]
|
|
public async Task<IActionResult> PatchTable(
|
|
string cafeId,
|
|
string branchId,
|
|
string id,
|
|
[FromBody] PatchBranchTableRequest request,
|
|
ITenantContext tenant,
|
|
CancellationToken ct)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var validation = await _patchTableValidator.ValidateAsync(request, ct);
|
|
if (!validation.IsValid) return BadRequest(ValidationError(validation));
|
|
|
|
var result = await _tables.PatchBranchTableAsync(cafeId, branchId, id, request, ct);
|
|
return BranchOpResult(result);
|
|
}
|
|
|
|
[HttpDelete("{id}")]
|
|
public async Task<IActionResult> DeleteTable(
|
|
string cafeId,
|
|
string branchId,
|
|
string id,
|
|
ITenantContext tenant,
|
|
CancellationToken ct)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var result = await _tables.DeleteBranchTableAsync(cafeId, branchId, id, ct);
|
|
return BranchOpResult(result);
|
|
}
|
|
|
|
[HttpPatch("{id}/cleaning")]
|
|
public async Task<IActionResult> SetCleaning(
|
|
string cafeId,
|
|
string branchId,
|
|
string id,
|
|
[FromBody] SetTableCleaningRequest request,
|
|
ITenantContext tenant,
|
|
CancellationToken ct)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var validation = await _cleaningValidator.ValidateAsync(request, ct);
|
|
if (!validation.IsValid) return BadRequest(ValidationError(validation));
|
|
|
|
var data = await _tables.SetTableCleaningAsync(cafeId, id, request.IsCleaning, ct);
|
|
if (data is null || data.BranchId != branchId) return NotFoundError();
|
|
return Ok(new ApiResponse<TableBoardDto>(true, data));
|
|
}
|
|
|
|
[HttpGet("{id}/qr")]
|
|
public async Task<IActionResult> GetQrPng(
|
|
string cafeId,
|
|
string branchId,
|
|
string id,
|
|
ITenantContext tenant,
|
|
CancellationToken ct)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var png = await _tables.GetQrPngAsync(cafeId, id, ct);
|
|
if (png is null) return NotFoundError();
|
|
return File(png, "image/png", $"table-{id}-qr.png");
|
|
}
|
|
|
|
[HttpGet("sections")]
|
|
public async Task<IActionResult> GetSections(
|
|
string cafeId,
|
|
string branchId,
|
|
ITenantContext tenant,
|
|
CancellationToken ct = default)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var data = await _tables.GetBranchSectionsAsync(cafeId, branchId, ct);
|
|
if (data is null) return NotFoundError("Branch not found.");
|
|
return Ok(new ApiResponse<IReadOnlyList<TableSectionDto>>(true, data));
|
|
}
|
|
|
|
[HttpPost("sections")]
|
|
public async Task<IActionResult> CreateSection(
|
|
string cafeId,
|
|
string branchId,
|
|
[FromBody] CreateTableSectionRequest request,
|
|
ITenantContext tenant,
|
|
CancellationToken ct = default)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var validation = await _createSectionValidator.ValidateAsync(request, ct);
|
|
if (!validation.IsValid) return BadRequest(ValidationError(validation));
|
|
|
|
var result = await _tables.CreateBranchSectionAsync(cafeId, branchId, request, ct);
|
|
return BranchOpResult(result);
|
|
}
|
|
|
|
[HttpPatch("sections/{sectionId}")]
|
|
public async Task<IActionResult> PatchSection(
|
|
string cafeId,
|
|
string branchId,
|
|
string sectionId,
|
|
[FromBody] PatchTableSectionRequest request,
|
|
ITenantContext tenant,
|
|
CancellationToken ct = default)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var validation = await _patchSectionValidator.ValidateAsync(request, ct);
|
|
if (!validation.IsValid) return BadRequest(ValidationError(validation));
|
|
|
|
var result = await _tables.PatchBranchSectionAsync(cafeId, branchId, sectionId, request, ct);
|
|
return BranchOpResult(result);
|
|
}
|
|
|
|
[HttpDelete("sections/{sectionId}")]
|
|
public async Task<IActionResult> DeleteSection(
|
|
string cafeId,
|
|
string branchId,
|
|
string sectionId,
|
|
ITenantContext tenant,
|
|
CancellationToken ct = default)
|
|
{
|
|
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
|
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
|
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
|
return Forbid();
|
|
|
|
var result = await _tables.DeleteBranchSectionAsync(cafeId, branchId, sectionId, ct);
|
|
return BranchOpResult(result);
|
|
}
|
|
|
|
private IActionResult BranchOpResult<T>(BranchTableOperationResult<T> result)
|
|
{
|
|
if (result.Success && result.Data is not null)
|
|
return Ok(new ApiResponse<T>(true, result.Data));
|
|
|
|
var code = result.ErrorCode ?? "REQUEST_FAILED";
|
|
var status = code is "TABLE_HAS_OPEN_ORDER" or "TABLE_SECTION_HAS_TABLES"
|
|
? StatusCodes.Status409Conflict
|
|
: StatusCodes.Status400BadRequest;
|
|
return StatusCode(status,
|
|
new ApiResponse<object>(false, null, new ApiError(code, result.Message ?? code)));
|
|
}
|
|
|
|
}
|