einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-06-11 02:50:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(api): authenticated course & course-event write endpoints

Browse Source 
Implements Sanctum-authenticated write endpoints so a lecturer can create
and update their own courses and dated course events programmatically
(e.g. to keep the portal's course events in sync with an external system).

- CourseController@store / @update implemented (validation mirrors the
  Livewire course create form; create requires is_lecturer, update is
  restricted to the owner or a super-admin).
- New CourseEventController with index/store/update. index returns only the
  authenticated user's own events (optional ?course_id= filter) for
  idempotent syncing; validation mirrors the Livewire course event form.
- Public `courses` API resource narrowed to index/show; all writes moved
  behind an `auth:sanctum` route group (the previous store/update/destroy
  actions were empty no-ops).
- Pest feature test covering auth (401), authorization (403/is_lecturer/
  ownership), creation (201), validation (422) and ownership-scoped listing.

Ported from Einundzwanzig-Podcast/einundzwanzig-portal#25, adapted to this
repo's conventions (inline authorization instead of policies, Pest tests,
validation mirroring the current Livewire forms) while keeping the same
endpoint outputs.

Co-authored-by: schnuartz-ai <schnuartz@gmail.com>
This commit is contained in:
HolgerHatGarKeineNode
2026-06-07 22:14:29 +02:00
parent 3a8775fa52
commit a3062f6c4e
4 changed files with 298 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/Api/CourseController.php
+52 -21
View File
@@ -6,7 +6,9 @@ use App\Http\Controllers\Controller;
use App\Models\Course;
use App\Models\Lecturer;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class CourseController extends Controller
{
@@ -16,36 +18,50 @@ class CourseController extends Controller
public function index(Request $request)
{
return Course::query()
->select('id', 'name', )
->orderBy('name')
->when($request->has('user_id'),
fn(Builder $query) => $query->where('created_by', $request->user_id))
->when(
->select('id', 'name')
->orderBy('name')
->when($request->has('user_id'),
fn (Builder $query) => $query->where('created_by', $request->user_id))
->when(
$request->search,
fn (Builder $query) => $query
->where('name', 'ilike', "%{$request->search}%")
)
->when(
$request->exists('selected'),
fn (Builder $query) => $query->whereIn('id',
$request->input('selected', [])),
fn (Builder $query) => $query->limit(10)
)
->get()
->map(function (Course $course) {
$course->image = $course->getFirstMediaUrl('logo',
'thumb');
->when(
$request->exists('selected'),
fn (Builder $query) => $query->whereIn('id',
$request->input('selected', [])),
fn (Builder $query) => $query->limit(10)
)
->get()
->map(function (Course $course) {
$course->image = $course->getFirstMediaUrl('logo',
'thumb');
return $course;
});
return $course;
});
}
/**
* Store a newly created resource in storage.
*
* Allows an authenticated lecturer to create a course programmatically
* (e.g. to sync courses from an external system). Validation mirrors the
* Livewire course create form; `created_by` is set by the model's creating hook.
*/
public function store(Request $request)
public function store(Request $request): JsonResponse
{
//
abort_unless((bool) $request->user()->is_lecturer, Response::HTTP_FORBIDDEN);
$validated = $request->validate([
'name' => ['required', 'string', 'max:255'],
'lecturer_id' => ['required', 'exists:lecturers,id'],
'description' => ['nullable', 'string'],
]);
$course = Course::create($validated);
return response()->json($course->fresh(), Response::HTTP_CREATED);
}
/**
@@ -58,10 +74,25 @@ class CourseController extends Controller
/**
* Update the specified resource in storage.
*
* Authorized for the course owner (or a super-admin).
*/
public function update(Request $request, Course $course)
public function update(Request $request, Course $course): JsonResponse
{
//
abort_unless(
(int) $course->created_by === $request->user()->id || $request->user()->hasRole('super-admin'),
Response::HTTP_FORBIDDEN
);
$validated = $request->validate([
'name' => ['sometimes', 'required', 'string', 'max:255'],
'lecturer_id' => ['sometimes', 'required', 'exists:lecturers,id'],
'description' => ['sometimes', 'nullable', 'string'],
]);
$course->update($validated);
return response()->json($course->fresh());
}
/**
app/Http/Controllers/Api/CourseEventController.php
+84
View File
@@ -0,0 +1,84 @@
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Models\CourseEvent;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Collection;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class CourseEventController extends Controller
{
/**
* Display a listing of the course events created by the authenticated user.
*
* Useful for an external sync client to detect which events already exist
* (idempotent syncing). Optionally filtered by course_id.
*
* @return Collection<int, CourseEvent>
*/
public function index(Request $request): Collection
{
return CourseEvent::query()
->with(['course:id,name', 'venue:id,name'])
->where('created_by', $request->user()->id)
->when(
$request->filled('course_id'),
fn (Builder $query) => $query->where('course_id', $request->integer('course_id'))
)
->orderByDesc('from')
->get();
}
/**
* Store a newly created course event in storage.
*
* Allows an authenticated lecturer to create a dated course event
* programmatically. Validation mirrors the Livewire course event form;
* `created_by` is set by the model's creating hook.
*/
public function store(Request $request): JsonResponse
{
abort_unless((bool) $request->user()->is_lecturer, Response::HTTP_FORBIDDEN);
$validated = $request->validate([
'course_id' => ['required', 'integer', 'exists:courses,id'],
'venue_id' => ['required', 'integer', 'exists:venues,id'],
'from' => ['required', 'date'],
'to' => ['required', 'date', 'after_or_equal:from'],
'link' => ['required', 'url', 'max:255'],
]);
$courseEvent = CourseEvent::create($validated);
return response()->json($courseEvent->fresh(), Response::HTTP_CREATED);
}
/**
* Update the specified course event in storage.
*
* Authorized for the course event owner (or a super-admin).
*/
public function update(Request $request, CourseEvent $courseEvent): JsonResponse
{
abort_unless(
(int) $courseEvent->created_by === $request->user()->id || $request->user()->hasRole('super-admin'),
Response::HTTP_FORBIDDEN
);
$validated = $request->validate([
'course_id' => ['sometimes', 'required', 'integer', 'exists:courses,id'],
'venue_id' => ['sometimes', 'required', 'integer', 'exists:venues,id'],
'from' => ['sometimes', 'required', 'date'],
'to' => ['sometimes', 'required', 'date', 'after_or_equal:from'],
'link' => ['sometimes', 'required', 'url', 'max:255'],
]);
$courseEvent->update($validated);
return response()->json($courseEvent->fresh());
}
}