From 3f4da46b78ca9e7f0a9c355a9b099684e98f7aa8 Mon Sep 17 00:00:00 2001 From: Anders Olsson Date: Tue, 2 Jun 2026 21:59:14 +0200 Subject: [PATCH] feat(api): admin object create/update/delete (EditCatalogue, audited as user) POST /api/admin/objects (draft|internal only; public rejected 422), PUT /api/admin/objects/{id} (preserves visibility; 204/404), DELETE /api/admin/objects/{id} (204/404). Every write records AuditActor::User(). Tests: lifecycle, public-rejection, unauthenticated-rejection. Co-Authored-By: Claude Sonnet 4.6 --- crates/api/src/admin_objects.rs | 216 ++++++++++++++++++++++++++++-- crates/api/src/openapi.rs | 10 +- crates/api/tests/admin_objects.rs | 133 ++++++++++++++++++ 3 files changed, 349 insertions(+), 10 deletions(-) diff --git a/crates/api/src/admin_objects.rs b/crates/api/src/admin_objects.rs index 24b5209..0b9bfa3 100644 --- a/crates/api/src/admin_objects.rs +++ b/crates/api/src/admin_objects.rs @@ -1,7 +1,7 @@ //! Admin catalogue-object surface (authenticated). Reads require `ViewInternal`; -//! writes require `EditCatalogue` (added in later tasks). +//! writes require `EditCatalogue`. -use auth::{Authorized, ViewInternal}; +use auth::{AuthUser, Authorized, EditCatalogue, ViewInternal}; use axum::{ Json, Router, extract::{Path, Query, State}, @@ -9,8 +9,8 @@ use axum::{ response::IntoResponse, routing::get, }; -use domain::{CatalogueObject, ObjectId}; -use serde::Serialize; +use domain::{AuditActor, CatalogueObject, ObjectId, ObjectInput, Visibility}; +use serde::{Deserialize, Serialize}; use utoipa::ToSchema; use crate::{AppState, pagination::Pagination}; @@ -77,8 +77,6 @@ pub(crate) fn format_date(d: time::Date) -> String { } /// Parse a `YYYY-MM-DD` string into a `time::Date`, returning 422 on failure. -// Used by write handlers added in later tasks. -#[allow(dead_code)] pub(crate) fn parse_date(s: &str) -> Result { let fmt = time::macros::format_description!("[year]-[month]-[day]"); @@ -148,9 +146,211 @@ pub(crate) async fn get_object( } } +/// Inventory-minimum fields for create. `recording_date` is `YYYY-MM-DD`. +#[derive(Deserialize, ToSchema)] +pub(crate) struct ObjectCreateRequest { + pub object_number: String, + pub object_name: String, + pub number_of_objects: i32, + pub brief_description: Option, + pub current_location: Option, + pub current_owner: Option, + pub recorder: Option, + pub recording_date: Option, + /// "draft" | "internal" (public is rejected — publish via the visibility endpoint). + #[schema(value_type = String)] + pub visibility: Visibility, +} + +/// Inventory-minimum fields for update. Visibility is intentionally absent — it changes +/// only through the stepwise publish endpoint. +#[derive(Deserialize, ToSchema)] +pub(crate) struct ObjectUpdateRequest { + pub object_number: String, + pub object_name: String, + pub number_of_objects: i32, + pub brief_description: Option, + pub current_location: Option, + pub current_owner: Option, + pub recorder: Option, + pub recording_date: Option, +} + +/// The id of a newly created object. +#[derive(Serialize, ToSchema)] +pub(crate) struct CreatedObject { + pub id: String, +} + +fn actor(user: &AuthUser) -> AuditActor { + AuditActor::User(user.id.to_uuid()) +} + +/// Create an object (initial visibility Draft or Internal). Requires `EditCatalogue`. +#[utoipa::path( + post, path = "/api/admin/objects", request_body = ObjectCreateRequest, + responses( + (status = 201, body = CreatedObject), + (status = 401), + (status = 403), + (status = 422, description = "Invalid input (e.g. visibility=public or bad date)") + ) +)] +pub(crate) async fn create_object( + auth: Authorized, + State(state): State, + Json(req): Json, +) -> Result<(StatusCode, Json), StatusCode> { + if req.visibility == Visibility::Public { + return Err(StatusCode::UNPROCESSABLE_ENTITY); + } + + let recording_date = req.recording_date.as_deref().map(parse_date).transpose()?; + + let input = ObjectInput { + object_number: req.object_number, + object_name: req.object_name, + number_of_objects: req.number_of_objects, + brief_description: req.brief_description, + current_location: req.current_location, + current_owner: req.current_owner, + recorder: req.recorder, + recording_date, + visibility: req.visibility, + }; + + let mut tx = state + .db + .pool() + .begin() + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + let id = db::catalog::create_object(&mut tx, actor(&auth.user), &input) + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + tx.commit() + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + Ok(( + StatusCode::CREATED, + Json(CreatedObject { id: id.to_string() }), + )) +} + +/// Update an object's inventory-minimum fields (NOT visibility). Requires `EditCatalogue`. +#[utoipa::path( + put, path = "/api/admin/objects/{id}", request_body = ObjectUpdateRequest, + params(("id" = String, Path, description = "Object id (UUID)")), + responses( + (status = 204), + (status = 401), + (status = 403), + (status = 404), + (status = 422) + ) +)] +pub(crate) async fn update_object( + auth: Authorized, + State(state): State, + Path(id): Path, + Json(req): Json, +) -> Result { + let object_id = id.parse::().map_err(|_| StatusCode::NOT_FOUND)?; + + let recording_date = req.recording_date.as_deref().map(parse_date).transpose()?; + + // Read current visibility so the update preserves it — visibility changes only + // through the stepwise publish endpoint. + let Some(current) = db::catalog::object_by_id(state.db.pool(), object_id) + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)? + else { + return Err(StatusCode::NOT_FOUND); + }; + + let input = ObjectInput { + object_number: req.object_number, + object_name: req.object_name, + number_of_objects: req.number_of_objects, + brief_description: req.brief_description, + current_location: req.current_location, + current_owner: req.current_owner, + recorder: req.recorder, + recording_date, + visibility: current.visibility, + }; + + let mut tx = state + .db + .pool() + .begin() + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + let existed = db::catalog::update_object(&mut tx, actor(&auth.user), object_id, &input) + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + tx.commit() + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + if existed { + Ok(StatusCode::NO_CONTENT) + } else { + Err(StatusCode::NOT_FOUND) + } +} + +/// Delete an object. Requires `EditCatalogue`. 404 if it did not exist. +#[utoipa::path( + delete, path = "/api/admin/objects/{id}", + params(("id" = String, Path, description = "Object id (UUID)")), + responses( + (status = 204), + (status = 401), + (status = 403), + (status = 404) + ) +)] +pub(crate) async fn delete_object( + auth: Authorized, + State(state): State, + Path(id): Path, +) -> Result { + let object_id = id.parse::().map_err(|_| StatusCode::NOT_FOUND)?; + + let mut tx = state + .db + .pool() + .begin() + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + let existed = db::catalog::delete_object(&mut tx, actor(&auth.user), object_id) + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + tx.commit() + .await + .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?; + + if existed { + Ok(StatusCode::NO_CONTENT) + } else { + Err(StatusCode::NOT_FOUND) + } +} + /// Admin object routes, parameterized over [`AppState`]. pub(crate) fn routes() -> Router { Router::new() - .route("/api/admin/objects", get(list_objects)) - .route("/api/admin/objects/{id}", get(get_object)) + .route("/api/admin/objects", get(list_objects).post(create_object)) + .route( + "/api/admin/objects/{id}", + get(get_object).put(update_object).delete(delete_object), + ) } diff --git a/crates/api/src/openapi.rs b/crates/api/src/openapi.rs index cd4e72c..4d6ec26 100644 --- a/crates/api/src/openapi.rs +++ b/crates/api/src/openapi.rs @@ -16,7 +16,10 @@ use crate::{AppState, admin, admin_objects, health, public}; admin::list_users, admin::set_visibility, admin_objects::list_objects, - admin_objects::get_object + admin_objects::get_object, + admin_objects::create_object, + admin_objects::update_object, + admin_objects::delete_object ), components(schemas( health::Live, @@ -28,7 +31,10 @@ use crate::{AppState, admin, admin_objects, health, public}; admin::VisibilityRequest, admin_objects::AdminObjectView, admin_objects::AdminObjectPage, - admin_objects::LabelView + admin_objects::LabelView, + admin_objects::ObjectCreateRequest, + admin_objects::ObjectUpdateRequest, + admin_objects::CreatedObject )), info(title = "Collection Management System", version = "0.0.0") )] diff --git a/crates/api/tests/admin_objects.rs b/crates/api/tests/admin_objects.rs index 7aeb492..12fcda5 100644 --- a/crates/api/tests/admin_objects.rs +++ b/crates/api/tests/admin_objects.rs @@ -219,3 +219,136 @@ async fn get_by_id_returns_full_view(pool: PgPool) { .unwrap(); assert_eq!(missing.status(), StatusCode::NOT_FOUND); } + +#[sqlx::test(migrations = "../db/migrations")] +async fn create_update_delete_lifecycle(pool: PgPool) { + migrate_sessions(&db::Db::from_pool(pool.clone())) + .await + .unwrap(); + + seed_user(&pool, "ed@example.com", "pw-editor-123", Role::Editor).await; + + let app = build_app(state(pool.clone())); + let cookie = login(&app, "ed@example.com", "pw-editor-123").await; + + // create (internal allowed) + let create = app + .clone() + .oneshot( + Request::builder() + .method("POST") + .uri("/api/admin/objects") + .header(header::COOKIE, &cookie) + .header(header::CONTENT_TYPE, "application/json") + .body(Body::from( + r#"{"object_number":"A-1","object_name":"amphora","number_of_objects":1,"visibility":"internal"}"#, + )) + .unwrap(), + ) + .await + .unwrap(); + assert_eq!(create.status(), StatusCode::CREATED); + + let created: serde_json::Value = + serde_json::from_slice(&create.into_body().collect().await.unwrap().to_bytes()).unwrap(); + let id = created["id"].as_str().unwrap().to_owned(); + + // update (name change; visibility omitted and unchanged) + let update = app + .clone() + .oneshot( + Request::builder() + .method("PUT") + .uri(format!("/api/admin/objects/{id}")) + .header(header::COOKIE, &cookie) + .header(header::CONTENT_TYPE, "application/json") + .body(Body::from( + r#"{"object_number":"A-1","object_name":"big amphora","number_of_objects":2}"#, + )) + .unwrap(), + ) + .await + .unwrap(); + assert_eq!(update.status(), StatusCode::NO_CONTENT); + + let db = db::Db::from_pool(pool.clone()); + let obj = catalog::object_by_id(db.pool(), id.parse().unwrap()) + .await + .unwrap() + .unwrap(); + assert_eq!(obj.object_name, "big amphora"); + assert_eq!(obj.visibility, Visibility::Internal); // unchanged by update + + // delete + let del = app + .clone() + .oneshot( + Request::builder() + .method("DELETE") + .uri(format!("/api/admin/objects/{id}")) + .header(header::COOKIE, &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + assert_eq!(del.status(), StatusCode::NO_CONTENT); + assert!( + catalog::object_by_id(db.pool(), id.parse().unwrap()) + .await + .unwrap() + .is_none() + ); +} + +#[sqlx::test(migrations = "../db/migrations")] +async fn create_rejects_public_visibility(pool: PgPool) { + migrate_sessions(&db::Db::from_pool(pool.clone())) + .await + .unwrap(); + + seed_user(&pool, "ed@example.com", "pw-editor-123", Role::Editor).await; + + let app = build_app(state(pool)); + let cookie = login(&app, "ed@example.com", "pw-editor-123").await; + + let resp = app + .oneshot( + Request::builder() + .method("POST") + .uri("/api/admin/objects") + .header(header::COOKIE, &cookie) + .header(header::CONTENT_TYPE, "application/json") + .body(Body::from( + r#"{"object_number":"A-1","object_name":"x","number_of_objects":1,"visibility":"public"}"#, + )) + .unwrap(), + ) + .await + .unwrap(); + assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY); +} + +#[sqlx::test(migrations = "../db/migrations")] +async fn create_requires_auth(pool: PgPool) { + migrate_sessions(&db::Db::from_pool(pool.clone())) + .await + .unwrap(); + + let app = build_app(state(pool)); + + let resp = app + .oneshot( + Request::builder() + .method("POST") + .uri("/api/admin/objects") + .header(header::CONTENT_TYPE, "application/json") + .body(Body::from( + r#"{"object_number":"A-1","object_name":"x","number_of_objects":1,"visibility":"draft"}"#, + )) + .unwrap(), + ) + .await + .unwrap(); + assert_eq!(resp.status(), StatusCode::UNAUTHORIZED); +}