src/Meezi.API/Controllers/ReservationsController.cs

using FluentValidation;
using Microsoft.AspNetCore.Mvc;
using Meezi.API.Models.Public;
using Meezi.API.Services;
using Meezi.Core.Authorization;
using Meezi.Core.Enums;
using Meezi.Core.Interfaces;
using Meezi.Shared;

namespace Meezi.API.Controllers;

[Route("api/cafes/{cafeId}/reservations")]
public class ReservationsController : CafeApiControllerBase
{
    private readonly IReservationService _reservations;
    private readonly IValidator<CreateReservationRequest> _createValidator;

    public ReservationsController(
        IReservationService reservations,
        IValidator<CreateReservationRequest> createValidator)
    {
        _reservations = reservations;
        _createValidator = createValidator;
    }

    [HttpPost]
    public async Task<IActionResult> Create(
        string cafeId,
        [FromBody] CreateReservationRequest request,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.CreateReservation) is { } permDenied) return permDenied;
        var validation = await _createValidator.ValidateAsync(request, ct);
        if (!validation.IsValid) return BadRequest(ValidationError(validation));

        var data = await _reservations.CreateAsync(cafeId, request, ct);
        if (data is null)
            return BadRequest(new ApiResponse<object>(false, null, new ApiError("INVALID_TABLE", "Table not found.")));

        return Ok(new ApiResponse<ReservationDto>(true, data));
    }

    [HttpGet]
    public async Task<IActionResult> List(
        string cafeId,
        ITenantContext tenant,
        [FromQuery] DateOnly? date,
        [FromQuery] ReservationStatus? status,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        var data = await _reservations.GetReservationsAsync(cafeId, date, status, ct);
        return Ok(new ApiResponse<IReadOnlyList<ReservationDto>>(true, data));
    }

    [HttpPatch("{id}/status")]
    public async Task<IActionResult> UpdateStatus(
        string cafeId,
        string id,
        [FromBody] UpdateReservationStatusRequest request,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.EditReservation) is { } permDenied) return permDenied;
        var data = await _reservations.UpdateStatusAsync(cafeId, id, request.Status, ct);
        if (data is null) return NotFoundError();
        return Ok(new ApiResponse<ReservationDto>(true, data));
    }

    [HttpDelete("{id}")]
    public async Task<IActionResult> Delete(
        string cafeId,
        string id,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.DeleteReservation) is { } permDenied) return permDenied;
        var deleted = await _reservations.DeleteAsync(cafeId, id, ct);
        if (!deleted) return NotFoundError();
        return Ok(new ApiResponse<object>(true, new { id }));
    }
}

public record UpdateReservationStatusRequest(ReservationStatus Status);
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`using FluentValidation;`
			`using Microsoft.AspNetCore.Mvc;`
			`using Meezi.API.Models.Public;`
			`using Meezi.API.Services;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`using Meezi.Core.Authorization;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`using Meezi.Core.Enums;`
			`using Meezi.Core.Interfaces;`
			`using Meezi.Shared;`

			`namespace Meezi.API.Controllers;`

			`[Route("api/cafes/{cafeId}/reservations")]`
			`public class ReservationsController : CafeApiControllerBase`
			`{`
			`private readonly IReservationService _reservations;`
			`private readonly IValidator<CreateReservationRequest> _createValidator;`

			`public ReservationsController(`
			`IReservationService reservations,`
			`IValidator<CreateReservationRequest> createValidator)`
			`{`
			`_reservations = reservations;`
			`_createValidator = createValidator;`
			`}`

			`[HttpPost]`
			`public async Task<IActionResult> Create(`
			`string cafeId,`
			`[FromBody] CreateReservationRequest request,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.CreateReservation) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`var validation = await _createValidator.ValidateAsync(request, ct);`
			`if (!validation.IsValid) return BadRequest(ValidationError(validation));`

			`var data = await _reservations.CreateAsync(cafeId, request, ct);`
			`if (data is null)`
			`return BadRequest(new ApiResponse<object>(false, null, new ApiError("INVALID_TABLE", "Table not found.")));`

			`return Ok(new ApiResponse<ReservationDto>(true, data));`
			`}`

			`[HttpGet]`
			`public async Task<IActionResult> List(`
			`string cafeId,`
			`ITenantContext tenant,`
			`[FromQuery] DateOnly? date,`
			`[FromQuery] ReservationStatus? status,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
			`var data = await _reservations.GetReservationsAsync(cafeId, date, status, ct);`
			`return Ok(new ApiResponse<IReadOnlyList<ReservationDto>>(true, data));`
			`}`

			`[HttpPatch("{id}/status")]`
			`public async Task<IActionResult> UpdateStatus(`
			`string cafeId,`
			`string id,`
			`[FromBody] UpdateReservationStatusRequest request,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.EditReservation) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`var data = await _reservations.UpdateStatusAsync(cafeId, id, request.Status, ct);`
			`if (data is null) return NotFoundError();`
			`return Ok(new ApiResponse<ReservationDto>(true, data));`
			`}`
feat: delete actions for warehouse/reservations/coupons/customers + Koja listing toggle 2026-06-02 16:14:40 +03:30
			`[HttpDelete("{id}")]`
			`public async Task<IActionResult> Delete(`
			`string cafeId,`
			`string id,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.DeleteReservation) is { } permDenied) return permDenied;`
feat: delete actions for warehouse/reservations/coupons/customers + Koja listing toggle 2026-06-02 16:14:40 +03:30			`var deleted = await _reservations.DeleteAsync(cafeId, id, ct);`
			`if (!deleted) return NotFoundError();`
			`return Ok(new ApiResponse<object>(true, new { id }));`
			`}`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`}`

			`public record UpdateReservationStatusRequest(ReservationStatus Status);`