bug fix for atemschutz

backend/src/routes/booking.routes.ts

@@ -0,0 +1,37 @@
+import { Router } from 'express';
+import bookingController from '../controllers/booking.controller';
+import { authenticate, optionalAuth } from '../middleware/auth.middleware';
+import { requireGroups } from '../middleware/rbac.middleware';
+
+const WRITE_GROUPS = ['dashboard_admin', 'dashboard_fahrmeister', 'dashboard_moderator'];
+const ADMIN_GROUPS = ['dashboard_admin'];
+
+const router = Router();
+
+// ── Public (token-based, no session auth required) ───────────────────────────
+
+router.get('/calendar.ics', optionalAuth, bookingController.getIcalExport.bind(bookingController));
+
+// ── Read-only (all authenticated users) ──────────────────────────────────────
+
+router.get('/calendar',       authenticate, bookingController.getCalendarRange.bind(bookingController));
+router.get('/upcoming',       authenticate, bookingController.getUpcoming.bind(bookingController));
+router.get('/availability',   authenticate, bookingController.checkAvailability.bind(bookingController));
+router.get('/calendar-token', authenticate, bookingController.getCalendarToken.bind(bookingController));
+
+// ── Write operations ──────────────────────────────────────────────────────────
+
+router.post('/',     authenticate, requireGroups(WRITE_GROUPS), bookingController.create.bind(bookingController));
+router.patch('/:id', authenticate, requireGroups(WRITE_GROUPS), bookingController.update.bind(bookingController));
+
+// Soft-cancel (sets abgesagt=TRUE)
+router.delete('/:id',       authenticate, requireGroups(WRITE_GROUPS), bookingController.cancel.bind(bookingController));
+
+// Hard-delete (admin only)
+router.delete('/:id/force', authenticate, requireGroups(ADMIN_GROUPS), bookingController.hardDelete.bind(bookingController));
+
+// ── Single booking read — after specific routes to avoid path conflicts ───────
+
+router.get('/:id', authenticate, bookingController.getById.bind(bookingController));
+
+export default router;