src/Meezi.API/Controllers/BranchTablesController.cs

using FluentValidation;
using Microsoft.AspNetCore.Mvc;
using Meezi.API.Models.Tables;
using Meezi.API.Services;
using Meezi.Core.Authorization;
using Meezi.Core.Enums;
using Meezi.Core.Interfaces;
using Meezi.Shared;

namespace Meezi.API.Controllers;

[Route("api/cafes/{cafeId}/branches/{branchId}/tables")]
public class BranchTablesController : CafeApiControllerBase
{
    private readonly ITableService _tables;
    private readonly IValidator<CreateBranchTableRequest> _createTableValidator;
    private readonly IValidator<PatchBranchTableRequest> _patchTableValidator;
    private readonly IValidator<CreateTableSectionRequest> _createSectionValidator;
    private readonly IValidator<PatchTableSectionRequest> _patchSectionValidator;
    private readonly IValidator<SetTableCleaningRequest> _cleaningValidator;

    public BranchTablesController(
        ITableService tables,
        IValidator<CreateBranchTableRequest> createTableValidator,
        IValidator<PatchBranchTableRequest> patchTableValidator,
        IValidator<CreateTableSectionRequest> createSectionValidator,
        IValidator<PatchTableSectionRequest> patchSectionValidator,
        IValidator<SetTableCleaningRequest> cleaningValidator)
    {
        _tables = tables;
        _createTableValidator = createTableValidator;
        _patchTableValidator = patchTableValidator;
        _createSectionValidator = createSectionValidator;
        _patchSectionValidator = patchSectionValidator;
        _cleaningValidator = cleaningValidator;
    }

    [HttpGet("board")]
    public async Task<IActionResult> GetBoard(
        string cafeId,
        string branchId,
        ITenantContext tenant,
        [FromQuery] bool activeOnly = true,
        CancellationToken ct = default)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var data = await _tables.GetBranchTableBoardAsync(cafeId, branchId, activeOnly, ct);
        return Ok(new ApiResponse<IReadOnlyList<TableBoardDto>>(true, data));
    }

    [HttpGet]
    public async Task<IActionResult> GetTables(
        string cafeId,
        string branchId,
        ITenantContext tenant,
        CancellationToken ct = default)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var data = await _tables.GetBranchTablesAsync(cafeId, branchId, ct);
        if (data is null) return NotFoundError("Branch not found.");
        return Ok(new ApiResponse<IReadOnlyList<TableDto>>(true, data));
    }

    [HttpPost]
    public async Task<IActionResult> CreateTable(
        string cafeId,
        string branchId,
        [FromBody] CreateBranchTableRequest request,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var validation = await _createTableValidator.ValidateAsync(request, ct);
        if (!validation.IsValid) return BadRequest(ValidationError(validation));

        var result = await _tables.CreateBranchTableAsync(cafeId, branchId, request, ct);
        return BranchOpResult(result);
    }

    [HttpPatch("{id}")]
    public async Task<IActionResult> PatchTable(
        string cafeId,
        string branchId,
        string id,
        [FromBody] PatchBranchTableRequest request,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var validation = await _patchTableValidator.ValidateAsync(request, ct);
        if (!validation.IsValid) return BadRequest(ValidationError(validation));

        var result = await _tables.PatchBranchTableAsync(cafeId, branchId, id, request, ct);
        return BranchOpResult(result);
    }

    [HttpDelete("{id}")]
    public async Task<IActionResult> DeleteTable(
        string cafeId,
        string branchId,
        string id,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var result = await _tables.DeleteBranchTableAsync(cafeId, branchId, id, ct);
        return BranchOpResult(result);
    }

    [HttpPatch("{id}/cleaning")]
    public async Task<IActionResult> SetCleaning(
        string cafeId,
        string branchId,
        string id,
        [FromBody] SetTableCleaningRequest request,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var validation = await _cleaningValidator.ValidateAsync(request, ct);
        if (!validation.IsValid) return BadRequest(ValidationError(validation));

        var data = await _tables.SetTableCleaningAsync(cafeId, id, request.IsCleaning, ct);
        if (data is null || data.BranchId != branchId) return NotFoundError();
        return Ok(new ApiResponse<TableBoardDto>(true, data));
    }

    [HttpGet("{id}/qr")]
    public async Task<IActionResult> GetQrPng(
        string cafeId,
        string branchId,
        string id,
        ITenantContext tenant,
        CancellationToken ct)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var png = await _tables.GetQrPngAsync(cafeId, id, ct);
        if (png is null) return NotFoundError();
        return File(png, "image/png", $"table-{id}-qr.png");
    }

    [HttpGet("sections")]
    public async Task<IActionResult> GetSections(
        string cafeId,
        string branchId,
        ITenantContext tenant,
        CancellationToken ct = default)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var data = await _tables.GetBranchSectionsAsync(cafeId, branchId, ct);
        if (data is null) return NotFoundError("Branch not found.");
        return Ok(new ApiResponse<IReadOnlyList<TableSectionDto>>(true, data));
    }

    [HttpPost("sections")]
    public async Task<IActionResult> CreateSection(
        string cafeId,
        string branchId,
        [FromBody] CreateTableSectionRequest request,
        ITenantContext tenant,
        CancellationToken ct = default)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var validation = await _createSectionValidator.ValidateAsync(request, ct);
        if (!validation.IsValid) return BadRequest(ValidationError(validation));

        var result = await _tables.CreateBranchSectionAsync(cafeId, branchId, request, ct);
        return BranchOpResult(result);
    }

    [HttpPatch("sections/{sectionId}")]
    public async Task<IActionResult> PatchSection(
        string cafeId,
        string branchId,
        string sectionId,
        [FromBody] PatchTableSectionRequest request,
        ITenantContext tenant,
        CancellationToken ct = default)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var validation = await _patchSectionValidator.ValidateAsync(request, ct);
        if (!validation.IsValid) return BadRequest(ValidationError(validation));

        var result = await _tables.PatchBranchSectionAsync(cafeId, branchId, sectionId, request, ct);
        return BranchOpResult(result);
    }

    [HttpDelete("sections/{sectionId}")]
    public async Task<IActionResult> DeleteSection(
        string cafeId,
        string branchId,
        string sectionId,
        ITenantContext tenant,
        CancellationToken ct = default)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
        if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
            return Forbid();

        var result = await _tables.DeleteBranchSectionAsync(cafeId, branchId, sectionId, ct);
        return BranchOpResult(result);
    }

    private IActionResult BranchOpResult<T>(BranchTableOperationResult<T> result)
    {
        if (result.Success && result.Data is not null)
            return Ok(new ApiResponse<T>(true, result.Data));

        var code = result.ErrorCode ?? "REQUEST_FAILED";
        var status = code is "TABLE_HAS_OPEN_ORDER" or "TABLE_SECTION_HAS_TABLES"
            ? StatusCodes.Status409Conflict
            : StatusCodes.Status400BadRequest;
        return StatusCode(status,
            new ApiResponse<object>(false, null, new ApiError(code, result.Message ?? code)));
    }

}
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`using FluentValidation;`
			`using Microsoft.AspNetCore.Mvc;`
			`using Meezi.API.Models.Tables;`
			`using Meezi.API.Services;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`using Meezi.Core.Authorization;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`using Meezi.Core.Enums;`
			`using Meezi.Core.Interfaces;`
			`using Meezi.Shared;`

			`namespace Meezi.API.Controllers;`

			`[Route("api/cafes/{cafeId}/branches/{branchId}/tables")]`
			`public class BranchTablesController : CafeApiControllerBase`
			`{`
			`private readonly ITableService _tables;`
			`private readonly IValidator<CreateBranchTableRequest> _createTableValidator;`
			`private readonly IValidator<PatchBranchTableRequest> _patchTableValidator;`
			`private readonly IValidator<CreateTableSectionRequest> _createSectionValidator;`
			`private readonly IValidator<PatchTableSectionRequest> _patchSectionValidator;`
			`private readonly IValidator<SetTableCleaningRequest> _cleaningValidator;`

			`public BranchTablesController(`
			`ITableService tables,`
			`IValidator<CreateBranchTableRequest> createTableValidator,`
			`IValidator<PatchBranchTableRequest> patchTableValidator,`
			`IValidator<CreateTableSectionRequest> createSectionValidator,`
			`IValidator<PatchTableSectionRequest> patchSectionValidator,`
			`IValidator<SetTableCleaningRequest> cleaningValidator)`
			`{`
			`_tables = tables;`
			`_createTableValidator = createTableValidator;`
			`_patchTableValidator = patchTableValidator;`
			`_createSectionValidator = createSectionValidator;`
			`_patchSectionValidator = patchSectionValidator;`
			`_cleaningValidator = cleaningValidator;`
			`}`

			`[HttpGet("board")]`
			`public async Task<IActionResult> GetBoard(`
			`string cafeId,`
			`string branchId,`
			`ITenantContext tenant,`
			`[FromQuery] bool activeOnly = true,`
			`CancellationToken ct = default)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var data = await _tables.GetBranchTableBoardAsync(cafeId, branchId, activeOnly, ct);`
			`return Ok(new ApiResponse<IReadOnlyList<TableBoardDto>>(true, data));`
			`}`

			`[HttpGet]`
			`public async Task<IActionResult> GetTables(`
			`string cafeId,`
			`string branchId,`
			`ITenantContext tenant,`
			`CancellationToken ct = default)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var data = await _tables.GetBranchTablesAsync(cafeId, branchId, ct);`
			`if (data is null) return NotFoundError("Branch not found.");`
			`return Ok(new ApiResponse<IReadOnlyList<TableDto>>(true, data));`
			`}`

			`[HttpPost]`
			`public async Task<IActionResult> CreateTable(`
			`string cafeId,`
			`string branchId,`
			`[FromBody] CreateBranchTableRequest request,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var validation = await _createTableValidator.ValidateAsync(request, ct);`
			`if (!validation.IsValid) return BadRequest(ValidationError(validation));`

			`var result = await _tables.CreateBranchTableAsync(cafeId, branchId, request, ct);`
			`return BranchOpResult(result);`
			`}`

			`[HttpPatch("{id}")]`
			`public async Task<IActionResult> PatchTable(`
			`string cafeId,`
			`string branchId,`
			`string id,`
			`[FromBody] PatchBranchTableRequest request,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var validation = await _patchTableValidator.ValidateAsync(request, ct);`
			`if (!validation.IsValid) return BadRequest(ValidationError(validation));`

			`var result = await _tables.PatchBranchTableAsync(cafeId, branchId, id, request, ct);`
			`return BranchOpResult(result);`
			`}`

			`[HttpDelete("{id}")]`
			`public async Task<IActionResult> DeleteTable(`
			`string cafeId,`
			`string branchId,`
			`string id,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var result = await _tables.DeleteBranchTableAsync(cafeId, branchId, id, ct);`
			`return BranchOpResult(result);`
			`}`

			`[HttpPatch("{id}/cleaning")]`
			`public async Task<IActionResult> SetCleaning(`
			`string cafeId,`
			`string branchId,`
			`string id,`
			`[FromBody] SetTableCleaningRequest request,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var validation = await _cleaningValidator.ValidateAsync(request, ct);`
			`if (!validation.IsValid) return BadRequest(ValidationError(validation));`

			`var data = await _tables.SetTableCleaningAsync(cafeId, id, request.IsCleaning, ct);`
			`if (data is null \|\| data.BranchId != branchId) return NotFoundError();`
			`return Ok(new ApiResponse<TableBoardDto>(true, data));`
			`}`

			`[HttpGet("{id}/qr")]`
			`public async Task<IActionResult> GetQrPng(`
			`string cafeId,`
			`string branchId,`
			`string id,`
			`ITenantContext tenant,`
			`CancellationToken ct)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var png = await _tables.GetQrPngAsync(cafeId, id, ct);`
			`if (png is null) return NotFoundError();`
			`return File(png, "image/png", $"table-{id}-qr.png");`
			`}`

			`[HttpGet("sections")]`
			`public async Task<IActionResult> GetSections(`
			`string cafeId,`
			`string branchId,`
			`ITenantContext tenant,`
			`CancellationToken ct = default)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var data = await _tables.GetBranchSectionsAsync(cafeId, branchId, ct);`
			`if (data is null) return NotFoundError("Branch not found.");`
			`return Ok(new ApiResponse<IReadOnlyList<TableSectionDto>>(true, data));`
			`}`

			`[HttpPost("sections")]`
			`public async Task<IActionResult> CreateSection(`
			`string cafeId,`
			`string branchId,`
			`[FromBody] CreateTableSectionRequest request,`
			`ITenantContext tenant,`
			`CancellationToken ct = default)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var validation = await _createSectionValidator.ValidateAsync(request, ct);`
			`if (!validation.IsValid) return BadRequest(ValidationError(validation));`

			`var result = await _tables.CreateBranchSectionAsync(cafeId, branchId, request, ct);`
			`return BranchOpResult(result);`
			`}`

			`[HttpPatch("sections/{sectionId}")]`
			`public async Task<IActionResult> PatchSection(`
			`string cafeId,`
			`string branchId,`
			`string sectionId,`
			`[FromBody] PatchTableSectionRequest request,`
			`ITenantContext tenant,`
			`CancellationToken ct = default)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var validation = await _patchSectionValidator.ValidateAsync(request, ct);`
			`if (!validation.IsValid) return BadRequest(ValidationError(validation));`

			`var result = await _tables.PatchBranchSectionAsync(cafeId, branchId, sectionId, request, ct);`
			`return BranchOpResult(result);`
			`}`

			`[HttpDelete("sections/{sectionId}")]`
			`public async Task<IActionResult> DeleteSection(`
			`string cafeId,`
			`string branchId,`
			`string sectionId,`
			`ITenantContext tenant,`
			`CancellationToken ct = default)`
			`{`
			`if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;`
feat(rbac): enforce permissions on every café write endpoint 2026-06-21 05:43:07 +03:30			`if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))`
			`return Forbid();`

			`var result = await _tables.DeleteBranchSectionAsync(cafeId, branchId, sectionId, ct);`
			`return BranchOpResult(result);`
			`}`

			`private IActionResult BranchOpResult<T>(BranchTableOperationResult<T> result)`
			`{`
			`if (result.Success && result.Data is not null)`
			`return Ok(new ApiResponse<T>(true, result.Data));`

			`var code = result.ErrorCode ?? "REQUEST_FAILED";`
			`var status = code is "TABLE_HAS_OPEN_ORDER" or "TABLE_SECTION_HAS_TABLES"`
			`? StatusCodes.Status409Conflict`
			`: StatusCodes.Status400BadRequest;`
			`return StatusCode(status,`
			`new ApiResponse<object>(false, null, new ApiError(code, result.Message ?? code)));`
			`}`

			`}`