bug fix for atemschutz

backend/src/routes/booking.routes.ts

@@ -0,0 +1,37 @@
+import { Router } from 'express';
+import bookingController from '../controllers/booking.controller';
+import { authenticate, optionalAuth } from '../middleware/auth.middleware';
+import { requireGroups } from '../middleware/rbac.middleware';
+
+const WRITE_GROUPS = ['dashboard_admin', 'dashboard_fahrmeister', 'dashboard_moderator'];
+const ADMIN_GROUPS = ['dashboard_admin'];
+
+const router = Router();
+
+// ── Public (token-based, no session auth required) ───────────────────────────
+
+router.get('/calendar.ics', optionalAuth, bookingController.getIcalExport.bind(bookingController));
+
+// ── Read-only (all authenticated users) ──────────────────────────────────────
+
+router.get('/calendar',       authenticate, bookingController.getCalendarRange.bind(bookingController));
+router.get('/upcoming',       authenticate, bookingController.getUpcoming.bind(bookingController));
+router.get('/availability',   authenticate, bookingController.checkAvailability.bind(bookingController));
+router.get('/calendar-token', authenticate, bookingController.getCalendarToken.bind(bookingController));
+
+// ── Write operations ──────────────────────────────────────────────────────────
+
+router.post('/',     authenticate, requireGroups(WRITE_GROUPS), bookingController.create.bind(bookingController));
+router.patch('/:id', authenticate, requireGroups(WRITE_GROUPS), bookingController.update.bind(bookingController));
+
+// Soft-cancel (sets abgesagt=TRUE)
+router.delete('/:id',       authenticate, requireGroups(WRITE_GROUPS), bookingController.cancel.bind(bookingController));
+
+// Hard-delete (admin only)
+router.delete('/:id/force', authenticate, requireGroups(ADMIN_GROUPS), bookingController.hardDelete.bind(bookingController));
+
+// ── Single booking read — after specific routes to avoid path conflicts ───────
+
+router.get('/:id', authenticate, bookingController.getById.bind(bookingController));
+
+export default router;

backend/src/routes/events.routes.ts

@@ -0,0 +1,146 @@
+import { Router } from 'express';
+import eventsController from '../controllers/events.controller';
+import { authenticate, optionalAuth } from '../middleware/auth.middleware';
+import { requireGroups } from '../middleware/rbac.middleware';
+
+const router = Router();
+
+/** Groups that may create, update, or cancel events */
+const WRITE_GROUPS = ['dashboard_admin', 'dashboard_moderator'];
+
+// ---------------------------------------------------------------------------
+// Categories
+// ---------------------------------------------------------------------------
+
+/**
+ * GET /api/events/kategorien
+ * List all event categories. Any authenticated user can read.
+ */
+router.get('/kategorien', authenticate, eventsController.listKategorien.bind(eventsController));
+
+/**
+ * POST /api/events/kategorien
+ * Create a new category. Requires admin or moderator.
+ */
+router.post(
+  '/kategorien',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.createKategorie.bind(eventsController)
+);
+
+/**
+ * PATCH /api/events/kategorien/:id
+ * Update an existing category. Requires admin or moderator.
+ */
+router.patch(
+  '/kategorien/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.updateKategorie.bind(eventsController)
+);
+
+/**
+ * DELETE /api/events/kategorien/:id
+ * Delete a category (only if no events reference it). Requires admin or moderator.
+ */
+router.delete(
+  '/kategorien/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.deleteKategorie.bind(eventsController)
+);
+
+// ---------------------------------------------------------------------------
+// Known groups list (used by frontend to populate zielgruppen picker)
+// ---------------------------------------------------------------------------
+
+/**
+ * GET /api/events/groups
+ * Returns the list of known Authentik groups with human-readable labels.
+ */
+router.get('/groups', authenticate, eventsController.getAvailableGroups.bind(eventsController));
+
+// ---------------------------------------------------------------------------
+// Calendar & upcoming — specific routes must come before /:id
+// ---------------------------------------------------------------------------
+
+/**
+ * GET /api/events/calendar?from=<ISO>&to=<ISO>
+ * Events in a date range, filtered by the requesting user's groups.
+ * Optional auth — unauthenticated callers only see alle_gruppen events.
+ */
+router.get('/calendar', optionalAuth, eventsController.getCalendarRange.bind(eventsController));
+
+/**
+ * GET /api/events/upcoming?limit=10
+ * Next N upcoming events visible to the requesting user.
+ */
+router.get('/upcoming', optionalAuth, eventsController.getUpcoming.bind(eventsController));
+
+/**
+ * GET /api/events/calendar-token
+ * Returns (or creates) the user's personal iCal subscribe token + URL.
+ * Requires authentication.
+ */
+router.get(
+  '/calendar-token',
+  authenticate,
+  eventsController.getCalendarToken.bind(eventsController)
+);
+
+/**
+ * GET /api/events/calendar.ics?token=<token>
+ * iCal feed — authenticated via per-user opaque token.
+ * No Bearer token required; calendar clients use the token query param.
+ */
+router.get(
+  '/calendar.ics',
+  optionalAuth,
+  eventsController.getIcalExport.bind(eventsController)
+);
+
+// ---------------------------------------------------------------------------
+// Events CRUD
+// ---------------------------------------------------------------------------
+
+/**
+ * POST /api/events
+ * Create a new event. Requires admin or moderator.
+ */
+router.post(
+  '/',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.createEvent.bind(eventsController)
+);
+
+/**
+ * GET /api/events/:id
+ * Single event detail. Any authenticated user.
+ */
+router.get('/:id', authenticate, eventsController.getById.bind(eventsController));
+
+/**
+ * PATCH /api/events/:id
+ * Update an existing event. Requires admin or moderator.
+ */
+router.patch(
+  '/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.updateEvent.bind(eventsController)
+);
+
+/**
+ * DELETE /api/events/:id
+ * Soft-cancel an event (sets abgesagt=TRUE + reason). Requires admin or moderator.
+ */
+router.delete(
+  '/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.cancelEvent.bind(eventsController)
+);
+
+export default router;