fix: decduck's code review

server/api/v1/admin/news/[id]/index.get.ts

@@ -0,0 +1,27 @@
+import { defineEventHandler, createError } from "h3";
+import aclManager from "~/server/internal/acls";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["news:read"]);
+  if (!allowed)
+    throw createError({
+      statusCode: 403,
+    });
+
+  const id = h3.context.params?.id;
+  if (!id)
+    throw createError({
+      statusCode: 400,
+      message: "Missing news ID",
+    });
+
+  const news = await newsManager.fetchById(id);
+  if (!news)
+    throw createError({
+      statusCode: 404,
+      message: "News article not found",
+    });
+
+  return news;
+});

server/api/v1/admin/news/index.get.ts

@@ -0,0 +1,36 @@
+import { defineEventHandler, getQuery } from "h3";
+import aclManager from "~/server/internal/acls";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["news:read"]);
+  if (!allowed)
+    throw createError({
+      statusCode: 403,
+    });
+
+  const query = getQuery(h3);
+
+  const orderBy = query.order as "asc" | "desc";
+  if (orderBy) {
+    if (typeof orderBy !== "string" || !["asc", "desc"].includes(orderBy))
+      throw createError({ statusCode: 400, statusMessage: "Invalid order" });
+  }
+
+  const tags = query.tags as string[] | undefined;
+  if (tags) {
+    if (typeof tags !== "object" || !Array.isArray(tags))
+      throw createError({ statusCode: 400, statusMessage: "Invalid tags" });
+  }
+
+  const options = {
+    take: parseInt(query.limit as string),
+    skip: parseInt(query.skip as string),
+    orderBy: orderBy,
+    tags: tags?.map((e) => e.toString()),
+    search: query.search as string,
+  };
+
+  const news = await newsManager.fetch(options);
+  return news;
+});

server/api/v1/admin/news/index.post.ts

@@ -1,21 +1,20 @@
 import { defineEventHandler, createError, readBody } from "h3";
+import aclManager from "~/server/internal/acls";
 import newsManager from "~/server/internal/news";
 
-export default defineEventHandler(async (event) => {
-  const body = await readBody(event);
-  
-  if (!body.authorId) {
-    throw createError({
-      statusCode: 400,
-      message: 'Author ID is required'
-    });
-  }
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["news:create"]);
+  if (!allowed) throw createError({ statusCode: 403 });
+
+  const body = await readBody(h3);
 
   const article = await newsManager.create({
     title: body.title,
+    description: body.description,
     content: body.content,
-    excerpt: body.excerpt,
+
     tags: body.tags,
+
     image: body.image,
     authorId: body.authorId,
   });

server/api/v1/auth/signup/simple.post.ts

@@ -93,7 +93,7 @@ export default defineEventHandler(async (h3) => {
     profilePictureId,
     async () => jdenticon.toPng(username, 256),
     {},
-    [`anonymous:read`, `${userId}:write`]
+    [`internal:read`, `${userId}:write`]
   );
   const user = await prisma.user.create({
     data: {

server/api/v1/news/[id]/index.get.ts

@@ -1,22 +1,30 @@
 import { defineEventHandler, createError } from "h3";
+import aclManager from "~/server/internal/acls";
 import newsManager from "~/server/internal/news";
 
-export default defineEventHandler(async (event) => {
-  const id = event.context.params?.id;
-  if (!id) {
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, ["news:read"]);
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Requires authentication",
+    });
+
+  const id = h3.context.params?.id;
+  if (!id)
     throw createError({
       statusCode: 400,
       message: "Missing news ID",
     });
-  }
+  
 
-  const news = await newsManager.getById(id);
-  if (!news) {
+  const news = await newsManager.fetchById(id);
+  if (!news)
     throw createError({
       statusCode: 404,
       message: "News article not found",
     });
-  }
+
 
   return news;
-}); 
+});

server/api/v1/news/index.get.ts

@@ -1,17 +1,37 @@
 import { defineEventHandler, getQuery } from "h3";
+import aclManager from "~/server/internal/acls";
 import newsManager from "~/server/internal/news";
 
-export default defineEventHandler(async (event) => {
-  const query = getQuery(event);
-  
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, ["news:read"]);
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Requires authentication",
+    });
+
+  const query = getQuery(h3);
+
+  const orderBy = query.order as "asc" | "desc";
+  if (orderBy) {
+    if (typeof orderBy !== "string" || !["asc", "desc"].includes(orderBy))
+      throw createError({ statusCode: 400, statusMessage: "Invalid order" });
+  }
+
+  const tags = query.tags as string[] | undefined;
+  if (tags) {
+    if (typeof tags !== "object" || !Array.isArray(tags))
+      throw createError({ statusCode: 400, statusMessage: "Invalid tags" });
+  }
+
   const options = {
-    take: query.limit ? parseInt(query.limit as string) : undefined,
-    skip: query.skip ? parseInt(query.skip as string) : undefined,
-    orderBy: query.order as 'asc' | 'desc',
-    tags: query.tags ? (query.tags as string).split(',') : undefined,
+    take: parseInt(query.limit as string),
+    skip: parseInt(query.skip as string),
+    orderBy: orderBy,
+    tags: tags?.map((e) => e.toString()),
     search: query.search as string,
   };
 
-  const news = await newsManager.getAll(options);
+  const news = await newsManager.fetch(options);
   return news;
 });