Phase 3: Budget and sharing API
- Add BudgetsController: list (owner + shared), create, get, rename, delete - Add BudgetAuthorizationService: Owner / Edit / View / None access levels - Add SharesController: list, add (resolves KnownUser immediately), update permission, revoke - Register BudgetAuthorizationService as scoped service - Add BudgetDto, ShareDto, and associated request DTOs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Spencer Twaddle
@@ -0,0 +1,79 @@
|
||||
using Budget.Api.Data;
|
||||
using Budget.Api.DTOs;
|
||||
using Budget.Api.Models;
|
||||
using Budget.Api.Services;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace Budget.Api.Controllers;
|
||||
|
||||
[ApiController]
|
||||
[Route("api/[controller]")]
|
||||
[Authorize]
|
||||
public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz) : ControllerBase
|
||||
{
|
||||
private string UserId => User.FindFirst("sub")!.Value;
|
||||
|
||||
[HttpGet]
|
||||
public async Task<IActionResult> List()
|
||||
{
|
||||
var userId = UserId;
|
||||
var budgets = await db.Budgets
|
||||
.Where(b => b.OwnerUserId == userId ||
|
||||
b.Shares.Any(s => s.SharedWithUserId == userId && !s.IsPending))
|
||||
.Select(b => new BudgetDto(b.Id, b.Name, b.OwnerUserId, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt))
|
||||
.ToListAsync();
|
||||
|
||||
return Ok(budgets);
|
||||
}
|
||||
|
||||
[HttpPost]
|
||||
public async Task<IActionResult> Create([FromBody] CreateBudgetRequest req)
|
||||
{
|
||||
var budget = new Models.Budget
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
Name = req.Name,
|
||||
OwnerUserId = UserId,
|
||||
CreatedAt = DateTimeOffset.UtcNow,
|
||||
UpdatedAt = DateTimeOffset.UtcNow,
|
||||
};
|
||||
db.Budgets.Add(budget);
|
||||
await db.SaveChangesAsync();
|
||||
return CreatedAtAction(nameof(Get), new { id = budget.Id },
|
||||
new BudgetDto(budget.Id, budget.Name, budget.OwnerUserId, budget.EffectiveTaxRate, budget.CreatedAt, budget.UpdatedAt));
|
||||
}
|
||||
|
||||
[HttpGet("{id:guid}")]
|
||||
public async Task<IActionResult> Get(Guid id)
|
||||
{
|
||||
if (!await authz.CanReadAsync(id, UserId)) return Forbid();
|
||||
var b = await db.Budgets.FindAsync(id);
|
||||
if (b is null) return NotFound();
|
||||
return Ok(new BudgetDto(b.Id, b.Name, b.OwnerUserId, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt));
|
||||
}
|
||||
|
||||
[HttpPut("{id:guid}")]
|
||||
public async Task<IActionResult> Update(Guid id, [FromBody] UpdateBudgetRequest req)
|
||||
{
|
||||
if (!await authz.CanWriteAsync(id, UserId)) return Forbid();
|
||||
var b = await db.Budgets.FindAsync(id);
|
||||
if (b is null) return NotFound();
|
||||
b.Name = req.Name;
|
||||
b.UpdatedAt = DateTimeOffset.UtcNow;
|
||||
await db.SaveChangesAsync();
|
||||
return Ok(new BudgetDto(b.Id, b.Name, b.OwnerUserId, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt));
|
||||
}
|
||||
|
||||
[HttpDelete("{id:guid}")]
|
||||
public async Task<IActionResult> Delete(Guid id)
|
||||
{
|
||||
if (!await authz.IsOwnerAsync(id, UserId)) return Forbid();
|
||||
var b = await db.Budgets.FindAsync(id);
|
||||
if (b is null) return NotFound();
|
||||
db.Budgets.Remove(b);
|
||||
await db.SaveChangesAsync();
|
||||
return NoContent();
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user