logaritmisk/biggus-dickus
1
0
Fork 0
Code Issues 17 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: edit/delete terms — audited, blocked when referenced (#30)

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Anders Olsson
2026-06-05 18:43:02 +02:00
parent f6053068be
commit 09baf2949f
6 changed files with 542 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
crates/api/src/admin_vocab.rs
+139 -1
View File
@@ -5,9 +5,10 @@ use axum::{
Json, Router,
extract::{Path, State},
http::StatusCode,
response::{IntoResponse, Response},
routing::get,
};
use domain::{AuditActor, LocalizedLabel, NewTerm, VocabularyId};
use domain::{AuditActor, LocalizedLabel, NewTerm, TermId, VocabularyId};
use serde::{Deserialize, Serialize};
use utoipa::ToSchema;
@@ -221,6 +222,139 @@ pub(crate) async fn add_term(
))
}
/// 409 body: how many catalogue objects still reference the entity.
#[derive(Serialize, ToSchema)]
pub(crate) struct InUseView {
pub count: i64,
}
#[derive(Deserialize, ToSchema)]
pub(crate) struct UpdateTermRequest {
pub external_uri: Option<String>,
pub labels: Vec<LabelInput>,
}
#[utoipa::path(
patch, path = "/api/admin/vocabularies/{id}/terms/{term_id}",
request_body = UpdateTermRequest,
params(
("id" = String, Path, description = "Vocabulary id (UUID)"),
("term_id" = String, Path, description = "Term id (UUID)")
),
responses(
(status = 204),
(status = 401),
(status = 403),
(status = 404)
)
)]
pub(crate) async fn update_term(
auth: Authorized<EditCatalogue>,
State(state): State<AppState>,
Path((id, term_id)): Path<(String, String)>,
Json(req): Json<UpdateTermRequest>,
) -> Result<StatusCode, StatusCode> {
let vocabulary_id = id
.parse::<VocabularyId>()
.map_err(|_| StatusCode::NOT_FOUND)?;
let term_id = term_id
.parse::<TermId>()
.map_err(|_| StatusCode::NOT_FOUND)?;
let labels: Vec<LocalizedLabel> = req
.labels
.into_iter()
.map(|l| LocalizedLabel {
lang: l.lang,
label: l.label,
})
.collect();
let mut tx = state
.db
.pool()
.begin()
.await
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let existed = db::vocab::update_term(
&mut tx,
AuditActor::User(auth.user.id.to_uuid()),
vocabulary_id,
term_id,
req.external_uri.as_deref(),
&labels,
)
.await
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
if existed {
tx.commit()
.await
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
Ok(StatusCode::NO_CONTENT)
} else {
Err(StatusCode::NOT_FOUND)
}
}
#[utoipa::path(
delete, path = "/api/admin/vocabularies/{id}/terms/{term_id}",
params(
("id" = String, Path, description = "Vocabulary id (UUID)"),
("term_id" = String, Path, description = "Term id (UUID)")
),
responses(
(status = 204),
(status = 401),
(status = 403),
(status = 404),
(status = 409, body = InUseView, description = "Referenced by catalogue objects")
)
)]
pub(crate) async fn delete_term(
auth: Authorized<EditCatalogue>,
State(state): State<AppState>,
Path((id, term_id)): Path<(String, String)>,
) -> Response {
let (Ok(vocab_id), Ok(term_id)) = (id.parse::<VocabularyId>(), term_id.parse::<TermId>())
else {
return StatusCode::NOT_FOUND.into_response();
};
let Ok(mut tx) = state.db.pool().begin().await else {
return StatusCode::INTERNAL_SERVER_ERROR.into_response();
};
let outcome = db::vocab::delete_term(
&mut tx,
AuditActor::User(auth.user.id.to_uuid()),
vocab_id,
term_id,
)
.await;
match outcome {
Ok(db::DeleteOutcome::Deleted) => match tx.commit().await {
Ok(()) => StatusCode::NO_CONTENT.into_response(),
Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
},
Ok(db::DeleteOutcome::InUse { count }) => {
let _ = tx.rollback().await;
(StatusCode::CONFLICT, Json(InUseView { count })).into_response()
}
Ok(db::DeleteOutcome::NotFound) => {
let _ = tx.rollback().await;
StatusCode::NOT_FOUND.into_response()
}
Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
}
}
pub(crate) fn routes() -> Router<AppState> {
Router::new()
.route(
@@ -231,4 +365,8 @@ pub(crate) fn routes() -> Router<AppState> {
"/api/admin/vocabularies/{id}/terms",
get(list_terms).post(add_term),
)
.route(
"/api/admin/vocabularies/{id}/terms/{term_id}",
axum::routing::patch(update_term).delete(delete_term),
)
}
crates/api/src/openapi.rs
+4
View File
@@ -31,6 +31,8 @@ use crate::{
admin_vocab::create_vocabulary,
admin_vocab::list_terms,
admin_vocab::add_term,
admin_vocab::update_term,
admin_vocab::delete_term,
admin_search::search_objects,
admin_authorities::list_authorities,
admin_authorities::create_authority
@@ -60,6 +62,8 @@ use crate::{
admin_vocab::LabelInput,
admin_vocab::TermView,
admin_vocab::CreatedId,
admin_vocab::UpdateTermRequest,
admin_vocab::InUseView,
admin_search::SearchHitView,
admin_search::SearchResultsView,
admin_authorities::AuthorityView,
crates/api/tests/admin_catalog.rs
+126
View File
@@ -333,3 +333,129 @@ async fn creating_a_vocabulary_writes_an_audit_entry(pool: PgPool) {
"expected actor to be a user"
);
}
async fn send(
app: &axum::Router,
cookie: &str,
method: &str,
uri: &str,
body: Option<&str>,
) -> axum::http::Response<Body> {
let mut req = Request::builder()
.method(method)
.uri(uri)
.header(header::COOKIE, cookie);
if body.is_some() {
req = req.header(header::CONTENT_TYPE, "application/json");
}
let body = body
.map(|b| Body::from(b.to_owned()))
.unwrap_or_else(Body::empty);
app.clone().oneshot(req.body(body).unwrap()).await.unwrap()
}
#[sqlx::test(migrations = "../db/migrations")]
async fn edit_and_delete_term(pool: PgPool) {
migrate_sessions(&db::Db::from_pool(pool.clone()))
.await
.unwrap();
seed_user(&pool, "ed@example.com", "pw-editor-123", Role::Editor).await;
let app = build_app(state(pool));
let cookie = login(&app, "ed@example.com", "pw-editor-123").await;
let v = send(
&app,
&cookie,
"POST",
"/api/admin/vocabularies",
Some(r#"{"key":"material"}"#),
)
.await;
let vid: serde_json::Value =
serde_json::from_slice(&v.into_body().collect().await.unwrap().to_bytes()).unwrap();
let vid = vid["id"].as_str().unwrap().to_owned();
let t = send(
&app,
&cookie,
"POST",
&format!("/api/admin/vocabularies/{vid}/terms"),
Some(r#"{"external_uri":null,"labels":[{"lang":"sv","label":"Trä"}]}"#),
)
.await;
let tid: serde_json::Value =
serde_json::from_slice(&t.into_body().collect().await.unwrap().to_bytes()).unwrap();
let tid = tid["id"].as_str().unwrap().to_owned();
let patched = send(
&app,
&cookie,
"PATCH",
&format!("/api/admin/vocabularies/{vid}/terms/{tid}"),
Some(r#"{"external_uri":"https://x","labels":[{"lang":"sv","label":"Träslag"}]}"#),
)
.await;
assert_eq!(patched.status(), StatusCode::NO_CONTENT);
let deleted = send(
&app,
&cookie,
"DELETE",
&format!("/api/admin/vocabularies/{vid}/terms/{tid}"),
None,
)
.await;
assert_eq!(deleted.status(), StatusCode::NO_CONTENT);
let again = send(
&app,
&cookie,
"DELETE",
&format!("/api/admin/vocabularies/{vid}/terms/{tid}"),
None,
)
.await;
assert_eq!(again.status(), StatusCode::NOT_FOUND);
}
#[sqlx::test(migrations = "../db/migrations")]
async fn term_edit_delete_requires_auth(pool: PgPool) {
migrate_sessions(&db::Db::from_pool(pool.clone()))
.await
.unwrap();
let app = build_app(state(pool));
let term_uri = "/api/admin/vocabularies/00000000-0000-0000-0000-000000000000/terms/00000000-0000-0000-0000-000000000000";
let patch_resp = app
.clone()
.oneshot(
Request::builder()
.method("PATCH")
.uri(term_uri)
.header(header::CONTENT_TYPE, "application/json")
.body(Body::from(r#"{"labels":[]}"#))
.unwrap(),
)
.await
.unwrap();
assert_eq!(patch_resp.status(), StatusCode::UNAUTHORIZED);
let delete_resp = app
.clone()
.oneshot(
Request::builder()
.method("DELETE")
.uri(term_uri)
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(delete_resp.status(), StatusCode::UNAUTHORIZED);
}