Phase 3: Budget and sharing API

- Add BudgetsController: list (owner + shared), create, get, rename, delete - Add BudgetAuthorizationService: Owner / Edit / View / None access levels - Add SharesController: list, add (resolves KnownUser immediately), update permission, revoke - Register BudgetAuthorizationService as scoped service - Add BudgetDto, ShareDto, and associated request DTOs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 07:55:07 -05:00
parent ae21da6a81
commit 963e511287
6 changed files with 220 additions and 0 deletions
@@ -0,0 +1,75 @@
+using Budget.Api.Data;
+using Budget.Api.DTOs;
+using Budget.Api.Models;
+using Budget.Api.Services;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+
+namespace Budget.Api.Controllers;
+
+[ApiController]
+[Route("api/budgets/{budgetId:guid}/shares")]
+[Authorize]
+public class SharesController(AppDbContext db, BudgetAuthorizationService authz) : ControllerBase
+{
+    private string UserId => User.FindFirst("sub")!.Value;
+
+    [HttpGet]
+    public async Task<IActionResult> List(Guid budgetId)
+    {
+        if (!await authz.CanReadAsync(budgetId, UserId)) return Forbid();
+        var shares = await db.BudgetShares
+            .Where(s => s.BudgetId == budgetId)
+            .Select(s => new ShareDto(s.Id, s.SharedWithUserId, s.SharedWithEmail, s.Permission, s.IsPending, s.CreatedAt))
+            .ToListAsync();
+        return Ok(shares);
+    }
+
+    [HttpPost]
+    public async Task<IActionResult> Add(Guid budgetId, [FromBody] CreateShareRequest req)
+    {
+        if (!await authz.IsOwnerAsync(budgetId, UserId)) return Forbid();
+
+        var existing = await db.BudgetShares
+            .FirstOrDefaultAsync(s => s.BudgetId == budgetId && s.SharedWithEmail == req.Email);
+        if (existing is not null) return Conflict("A share for that email already exists.");
+
+        var knownUser = await db.KnownUsers.FirstOrDefaultAsync(u => u.Email == req.Email);
+        var share = new BudgetShare
+        {
+            Id = Guid.NewGuid(),
+            BudgetId = budgetId,
+            SharedWithEmail = req.Email,
+            SharedWithUserId = knownUser?.Id,
+            IsPending = knownUser is null,
+            Permission = req.Permission,
+            CreatedAt = DateTimeOffset.UtcNow,
+        };
+        db.BudgetShares.Add(share);
+        await db.SaveChangesAsync();
+        return Ok(new ShareDto(share.Id, share.SharedWithUserId, share.SharedWithEmail, share.Permission, share.IsPending, share.CreatedAt));
+    }
+
+    [HttpPut("{shareId:guid}")]
+    public async Task<IActionResult> Update(Guid budgetId, Guid shareId, [FromBody] UpdateShareRequest req)
+    {
+        if (!await authz.IsOwnerAsync(budgetId, UserId)) return Forbid();
+        var share = await db.BudgetShares.FirstOrDefaultAsync(s => s.Id == shareId && s.BudgetId == budgetId);
+        if (share is null) return NotFound();
+        share.Permission = req.Permission;
+        await db.SaveChangesAsync();
+        return Ok(new ShareDto(share.Id, share.SharedWithUserId, share.SharedWithEmail, share.Permission, share.IsPending, share.CreatedAt));
+    }
+
+    [HttpDelete("{shareId:guid}")]
+    public async Task<IActionResult> Revoke(Guid budgetId, Guid shareId)
+    {
+        if (!await authz.IsOwnerAsync(budgetId, UserId)) return Forbid();
+        var share = await db.BudgetShares.FirstOrDefaultAsync(s => s.Id == shareId && s.BudgetId == budgetId);
+        if (share is null) return NotFound();
+        db.BudgetShares.Remove(share);
+        await db.SaveChangesAsync();
+        return NoContent();
+    }
+}