bug fix for atemschutz

backend/src/routes/events.routes.ts

@@ -0,0 +1,146 @@
+import { Router } from 'express';
+import eventsController from '../controllers/events.controller';
+import { authenticate, optionalAuth } from '../middleware/auth.middleware';
+import { requireGroups } from '../middleware/rbac.middleware';
+
+const router = Router();
+
+/** Groups that may create, update, or cancel events */
+const WRITE_GROUPS = ['dashboard_admin', 'dashboard_moderator'];
+
+// ---------------------------------------------------------------------------
+// Categories
+// ---------------------------------------------------------------------------
+
+/**
+ * GET /api/events/kategorien
+ * List all event categories. Any authenticated user can read.
+ */
+router.get('/kategorien', authenticate, eventsController.listKategorien.bind(eventsController));
+
+/**
+ * POST /api/events/kategorien
+ * Create a new category. Requires admin or moderator.
+ */
+router.post(
+  '/kategorien',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.createKategorie.bind(eventsController)
+);
+
+/**
+ * PATCH /api/events/kategorien/:id
+ * Update an existing category. Requires admin or moderator.
+ */
+router.patch(
+  '/kategorien/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.updateKategorie.bind(eventsController)
+);
+
+/**
+ * DELETE /api/events/kategorien/:id
+ * Delete a category (only if no events reference it). Requires admin or moderator.
+ */
+router.delete(
+  '/kategorien/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.deleteKategorie.bind(eventsController)
+);
+
+// ---------------------------------------------------------------------------
+// Known groups list (used by frontend to populate zielgruppen picker)
+// ---------------------------------------------------------------------------
+
+/**
+ * GET /api/events/groups
+ * Returns the list of known Authentik groups with human-readable labels.
+ */
+router.get('/groups', authenticate, eventsController.getAvailableGroups.bind(eventsController));
+
+// ---------------------------------------------------------------------------
+// Calendar & upcoming — specific routes must come before /:id
+// ---------------------------------------------------------------------------
+
+/**
+ * GET /api/events/calendar?from=<ISO>&to=<ISO>
+ * Events in a date range, filtered by the requesting user's groups.
+ * Optional auth — unauthenticated callers only see alle_gruppen events.
+ */
+router.get('/calendar', optionalAuth, eventsController.getCalendarRange.bind(eventsController));
+
+/**
+ * GET /api/events/upcoming?limit=10
+ * Next N upcoming events visible to the requesting user.
+ */
+router.get('/upcoming', optionalAuth, eventsController.getUpcoming.bind(eventsController));
+
+/**
+ * GET /api/events/calendar-token
+ * Returns (or creates) the user's personal iCal subscribe token + URL.
+ * Requires authentication.
+ */
+router.get(
+  '/calendar-token',
+  authenticate,
+  eventsController.getCalendarToken.bind(eventsController)
+);
+
+/**
+ * GET /api/events/calendar.ics?token=<token>
+ * iCal feed — authenticated via per-user opaque token.
+ * No Bearer token required; calendar clients use the token query param.
+ */
+router.get(
+  '/calendar.ics',
+  optionalAuth,
+  eventsController.getIcalExport.bind(eventsController)
+);
+
+// ---------------------------------------------------------------------------
+// Events CRUD
+// ---------------------------------------------------------------------------
+
+/**
+ * POST /api/events
+ * Create a new event. Requires admin or moderator.
+ */
+router.post(
+  '/',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.createEvent.bind(eventsController)
+);
+
+/**
+ * GET /api/events/:id
+ * Single event detail. Any authenticated user.
+ */
+router.get('/:id', authenticate, eventsController.getById.bind(eventsController));
+
+/**
+ * PATCH /api/events/:id
+ * Update an existing event. Requires admin or moderator.
+ */
+router.patch(
+  '/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.updateEvent.bind(eventsController)
+);
+
+/**
+ * DELETE /api/events/:id
+ * Soft-cancel an event (sets abgesagt=TRUE + reason). Requires admin or moderator.
+ */
+router.delete(
+  '/:id',
+  authenticate,
+  requireGroups(WRITE_GROUPS),
+  eventsController.cancelEvent.bind(eventsController)
+);
+
+export default router;