soroushdes/meezi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2a24798a59ef473d82a36b2857d9bec9e5f3f070
meezi/src/Meezi.API/Controllers/ReservationsController.cs
T
soroush.asadi 7a5ea75b50
CI/CD / CI · API (dotnet build + test) (push) Successful in 40s
Details
CI/CD / CI · Admin API (dotnet build) (push) Successful in 30s
Details
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m9s
Details
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
Details
CI/CD / CI · Website (tsc) (push) Successful in 45s
Details
CI/CD / CI · Koja (tsc) (push) Has been cancelled
Details
CI/CD / Deploy · all services (push) Has been cancelled
Details
feat(rbac): enforce permissions on every café write endpoint 
Closes the gap where the custom-role matrix was defined but unenforced — most
write endpoints only checked café membership, so the API would accept writes a
role's UI hid. Adds EnsurePermission(...) to all mutating/sensitive endpoints
across 32 controllers, mapped to the granular catalog:

- menu/inventory/coupons/customers/expenses/reservations/taxes/branches → CRUD perms
- tables/queue/kitchen-stations/print-settings → manage perms
- orders → ProcessOrders / EditOrder / VoidOrder / UpdateOrderStatus / HandlePayments,
  payment corrections → ManageFinancials
- HR → CreateStaff / ManageSchedules / ReviewLeave / View+ManageSalaries /
  ManageStaffCredentials (self-service clock-in/leave preserved)
- reports → ViewReports, export → ExportReports, audit → ViewAuditLog
- billing → ManageBilling, sms → SendSms/ManageSmsSettings, reviews → ManageReviews,
  discover/public profile → ManageDiscoverProfile, café settings → ManageCafeSettings,
  custom roles → ManageRoles

Removes legacy [Authorize(Roles=...)] attributes that would have overridden the
permission model (orders, branch-menu, pos-device, print). Manual discount/comp
have no backend endpoint yet (discounts come from coupons) — gated on the POS UI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 05:43:07 +03:30

89 lines
3.2 KiB
C#
Raw Blame History

using FluentValidation;
using Microsoft.AspNetCore.Mvc;
using Meezi.API.Models.Public;
using Meezi.API.Services;
using Meezi.Core.Authorization;
using Meezi.Core.Enums;
using Meezi.Core.Interfaces;
using Meezi.Shared;
namespace Meezi.API.Controllers;
[Route("api/cafes/{cafeId}/reservations")]
public class ReservationsController : CafeApiControllerBase
{
private readonly IReservationService _reservations;
private readonly IValidator<CreateReservationRequest> _createValidator;
public ReservationsController(
IReservationService reservations,
IValidator<CreateReservationRequest> createValidator)
{
_reservations = reservations;
_createValidator = createValidator;
}
[HttpPost]
public async Task<IActionResult> Create(
string cafeId,
[FromBody] CreateReservationRequest request,
ITenantContext tenant,
CancellationToken ct)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.CreateReservation) is { } permDenied) return permDenied;
var validation = await _createValidator.ValidateAsync(request, ct);
if (!validation.IsValid) return BadRequest(ValidationError(validation));
var data = await _reservations.CreateAsync(cafeId, request, ct);
if (data is null)
return BadRequest(new ApiResponse<object>(false, null, new ApiError("INVALID_TABLE", "Table not found.")));
return Ok(new ApiResponse<ReservationDto>(true, data));
}
[HttpGet]
public async Task<IActionResult> List(
string cafeId,
ITenantContext tenant,
[FromQuery] DateOnly? date,
[FromQuery] ReservationStatus? status,
CancellationToken ct)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
var data = await _reservations.GetReservationsAsync(cafeId, date, status, ct);
return Ok(new ApiResponse<IReadOnlyList<ReservationDto>>(true, data));
}
[HttpPatch("{id}/status")]
public async Task<IActionResult> UpdateStatus(
string cafeId,
string id,
[FromBody] UpdateReservationStatusRequest request,
ITenantContext tenant,
CancellationToken ct)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.EditReservation) is { } permDenied) return permDenied;
var data = await _reservations.UpdateStatusAsync(cafeId, id, request.Status, ct);
if (data is null) return NotFoundError();
return Ok(new ApiResponse<ReservationDto>(true, data));
}
[HttpDelete("{id}")]
public async Task<IActionResult> Delete(
string cafeId,
string id,
ITenantContext tenant,
CancellationToken ct)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.DeleteReservation) is { } permDenied) return permDenied;
var deleted = await _reservations.DeleteAsync(cafeId, id, ct);
if (!deleted) return NotFoundError();
return Ok(new ApiResponse<object>(true, new { id }));
}
}
public record UpdateReservationStatusRequest(ReservationStatus Status);
Reference in New Issue View Git Blame Copy Permalink