add features
This commit is contained in:
Matthias Hochmeister
147
backend/src/routes/vehicle.routes.ts
Normal file
147
backend/src/routes/vehicle.routes.ts
Normal file
@@ -0,0 +1,147 @@
|
||||
import { Router } from 'express';
|
||||
import vehicleController from '../controllers/vehicle.controller';
|
||||
import { authenticate } from '../middleware/auth.middleware';
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// RBAC guard — requirePermission('vehicles:write')
|
||||
// ---------------------------------------------------------------------------
|
||||
// Tier 1 will deliver a full RBAC middleware. Until then, this inline guard
|
||||
// enforces that only admin/kommandant/gruppenfuehrer roles can mutate vehicle
|
||||
// data. The role is expected on req.user once Tier 1 is complete.
|
||||
// For now it uses a conservative allowlist that can be updated via Tier 1 RBAC.
|
||||
// ---------------------------------------------------------------------------
|
||||
import { Request, Response, NextFunction } from 'express';
|
||||
|
||||
/** Roles that are allowed to write vehicle data */
|
||||
const WRITE_ROLES = new Set(['admin', 'kommandant', 'gruppenfuehrer']);
|
||||
|
||||
/**
|
||||
* requirePermission guard — temporary inline implementation.
|
||||
* Replace with the Tier 1 RBAC middleware when available:
|
||||
* import { requirePermission } from '../middleware/rbac.middleware';
|
||||
*/
|
||||
const requireVehicleWrite = (
|
||||
req: Request,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
): void => {
|
||||
// Once Tier 1 RBAC is merged, replace the body with:
|
||||
// return requirePermission('vehicles:write')(req, res, next);
|
||||
//
|
||||
// Temporary implementation: check the role field on the JWT payload.
|
||||
// The role is stored in req.user once authenticate() has run (Tier 1 adds it).
|
||||
const role = (req.user as any)?.role as string | undefined;
|
||||
|
||||
if (!role || !WRITE_ROLES.has(role)) {
|
||||
res.status(403).json({
|
||||
success: false,
|
||||
message: 'Keine Berechtigung für diese Aktion (vehicles:write erforderlich)',
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
next();
|
||||
};
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
const router = Router();
|
||||
|
||||
// ── Read-only endpoints (any authenticated user) ──────────────────────────────
|
||||
|
||||
/**
|
||||
* GET /api/vehicles
|
||||
* Fleet overview list — inspection badges included.
|
||||
*/
|
||||
router.get('/', authenticate, vehicleController.listVehicles.bind(vehicleController));
|
||||
|
||||
/**
|
||||
* GET /api/vehicles/stats
|
||||
* Dashboard KPI aggregates.
|
||||
* NOTE: /stats and /alerts must be declared BEFORE /:id to avoid route conflicts.
|
||||
*/
|
||||
router.get('/stats', authenticate, vehicleController.getStats.bind(vehicleController));
|
||||
|
||||
/**
|
||||
* GET /api/vehicles/alerts?daysAhead=30
|
||||
* Upcoming and overdue inspections for the dashboard alert panel.
|
||||
*/
|
||||
router.get('/alerts', authenticate, vehicleController.getAlerts.bind(vehicleController));
|
||||
|
||||
/**
|
||||
* GET /api/vehicles/:id
|
||||
* Full vehicle detail with inspection history and maintenance log.
|
||||
*/
|
||||
router.get('/:id', authenticate, vehicleController.getVehicle.bind(vehicleController));
|
||||
|
||||
/**
|
||||
* GET /api/vehicles/:id/pruefungen
|
||||
* Inspection history for a single vehicle.
|
||||
*/
|
||||
router.get('/:id/pruefungen', authenticate, vehicleController.getPruefungen.bind(vehicleController));
|
||||
|
||||
/**
|
||||
* GET /api/vehicles/:id/wartung
|
||||
* Maintenance log for a single vehicle.
|
||||
*/
|
||||
router.get('/:id/wartung', authenticate, vehicleController.getWartung.bind(vehicleController));
|
||||
|
||||
// ── Write endpoints (vehicles:write role required) ─────────────────────────────
|
||||
|
||||
/**
|
||||
* POST /api/vehicles
|
||||
* Create a new vehicle.
|
||||
*/
|
||||
router.post(
|
||||
'/',
|
||||
authenticate,
|
||||
requireVehicleWrite,
|
||||
vehicleController.createVehicle.bind(vehicleController)
|
||||
);
|
||||
|
||||
/**
|
||||
* PATCH /api/vehicles/:id
|
||||
* Update vehicle fields.
|
||||
*/
|
||||
router.patch(
|
||||
'/:id',
|
||||
authenticate,
|
||||
requireVehicleWrite,
|
||||
vehicleController.updateVehicle.bind(vehicleController)
|
||||
);
|
||||
|
||||
/**
|
||||
* PATCH /api/vehicles/:id/status
|
||||
* Live status change — Socket.IO hook point for Tier 3.
|
||||
* The `io` instance is retrieved inside the controller via req.app.get('io').
|
||||
*/
|
||||
router.patch(
|
||||
'/:id/status',
|
||||
authenticate,
|
||||
requireVehicleWrite,
|
||||
vehicleController.updateVehicleStatus.bind(vehicleController)
|
||||
);
|
||||
|
||||
/**
|
||||
* POST /api/vehicles/:id/pruefungen
|
||||
* Record an inspection (scheduled or completed).
|
||||
*/
|
||||
router.post(
|
||||
'/:id/pruefungen',
|
||||
authenticate,
|
||||
requireVehicleWrite,
|
||||
vehicleController.addPruefung.bind(vehicleController)
|
||||
);
|
||||
|
||||
/**
|
||||
* POST /api/vehicles/:id/wartung
|
||||
* Add a maintenance log entry.
|
||||
*/
|
||||
router.post(
|
||||
'/:id/wartung',
|
||||
authenticate,
|
||||
requireVehicleWrite,
|
||||
vehicleController.addWartung.bind(vehicleController)
|
||||
);
|
||||
|
||||
export default router;
|
||||
Reference in New Issue
Block a user