Feat/keycloak frontend

.devcontainer/compose.yaml

@@ -12,6 +12,8 @@ services:
     # Runs app on the same network as the database container, allows "forwardPorts" in devcontainer.json function.
     # Ports will be exposed through the devcontainer.json, trust
     network_mode: service:db
+    env_file:
+      - .env
 
   db:
     image: postgres:17

.devcontainer/devcontainer.json

@@ -6,6 +6,12 @@
     "service": "devcontainer",
     "workspaceFolder": "/workspaces",
 
+    "features": {
+        "ghcr.io/devcontainers/features/node:1": {
+            "version": "20" 
+        }
+    },
+
     // Configure tool-specific properties.
     "customizations": {
         "jetbrains": {

.devcontainer/sample.env

@@ -0,0 +1,8 @@
+HostUrl=http://localhost:5173
+KeycloakUrl= # The base url of the keycloak provider
+KeycloakRealm= # The name of the keycloak realm
+KeycloakClientId= # The client ID of the keycloak client
+
+BackendKeycloakClientId= # The client ID of the keycloak client for the backend authentication
+KeycloakClientSecret= # The client secret for the backend authentication
+MollieApiKey= # The mollie api key

Backend/Backend.csproj

@@ -10,6 +10,7 @@
 
     <ItemGroup>
         <PackageReference Include="DotNetEnv" Version="3.1.1" />
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.*" />
         <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.7" />
         <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.10" />
         <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.20" />

Backend/Controllers/Activities.cs

@@ -7,11 +7,13 @@
 using Microsoft.EntityFrameworkCore.ChangeTracking;
 using Microsoft.EntityFrameworkCore.Storage;
 using Backend.Utils;
+using Microsoft.AspNetCore.Authorization;
 
 namespace Backend.Controllers
 {
     [Route("api/[controller]")]
     [ApiController]
+    [Authorize]
     public class Activities(PostgresDbContext db) : ControllerBase
     {
         // GET: api/activities
@@ -30,12 +32,24 @@ public async Task<ActionResult<IEnumerable<Activity>>> GetActivities()
         /// Fetches a single activity.
         /// </summary>
         /// <param name="id">The id of the activity to fetch.</param>
-        /// <returns>The full activity.</returns> // TODO: perhaps replace this with a DTO to prevent exposing unneeded fields?
+        /// <returns>The full activity.</returns>
         [HttpGet("{id}")]
         public async Task<ActionResult<Activity>> GetActivity(uint id)
         {
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+
             Activity? activity = await db.Activities.FindAsync(id);
 
+            if(activity == null)
+            {
+                return NotFound();
+            }
+
+            if(activity.DateTimeEnd.UtcDateTime < DateTime.UtcNow && PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can view past activities.");
+            }
+
             return activity != null ? activity : NotFound();
         }
 
@@ -48,6 +62,18 @@ public async Task<ActionResult<Activity>> GetActivity(uint id)
         [HttpPost]
         public async Task<ActionResult<Activity>> PostActivity(PostActivityDTO activityDto)
         {
+            if(activityDto.DateTimeEnd < activityDto.DateTimeStart)
+            {
+                return BadRequest("Activity cannot end before it starts.");
+            }
+
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+
+            if((activityDto.ShowInKoala || activityDto.ShowOnWebsite) && !PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can create activities for public display.");
+            }
+
             IDbContextTransaction transaction = await db.Database.BeginTransactionAsync();
 
             try
@@ -117,8 +143,16 @@ public async Task<ActionResult<Activity>> PostActivity(PostActivityDTO activityD
         /// <param name="id">The id of the activity to delete.</param>
         /// <returns>Nothing, really.</returns>
         [HttpDelete("{id}")]
+
         public async Task<IActionResult> DeleteActivity(uint id)
         {
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+
+            if(!PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can delete activities.");
+            }
+
             Activity? activity = await db.Activities.FindAsync(id);
             if (activity == null) return NotFound();
 
@@ -150,6 +184,13 @@ public async Task<IActionResult> PatchActivity(uint id, [FromBody] JsonPatchDocu
             if (activity == null)
                 return NotFound();
 
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+
+            if((activity.ShowInKoala || activity.ShowOnWebsite || patchDoc.Operations.Any(op => op.path == "/showInKoala" || op.path == "/showOnWebsite")) && !PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can update activities for public display.");
+            }
+
             patchDoc.ApplyTo(activity, ModelState);
 
             if (!ModelState.IsValid)
@@ -174,6 +215,13 @@ public async Task<IActionResult> UploadPoster(uint id, IFormFile? poster)
             var activity = await db.Activities.FindAsync(id);
             if (activity == null) return NotFound();
 
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+
+            if((activity.ShowInKoala || activity.ShowOnWebsite) && !PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can update activity posters for public display.");
+            }
+
             string? oldPath = activity.PosterPath;
 
             using IDbContextTransaction transaction = await db.Database.BeginTransactionAsync();
@@ -224,6 +272,18 @@ public async Task<IActionResult> PutActivity(uint id, PostActivityDTO activityDt
             Activity? activity = await db.Activities.FindAsync(id);
             if (activity == null) return NotFound();
 
+            if(activityDto.DateTimeEnd < activityDto.DateTimeStart)
+            {
+                return BadRequest("Activity cannot end before it starts.");
+            }
+
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+
+            if((activity.ShowInKoala || activity.ShowOnWebsite || activityDto.ShowInKoala || activityDto.ShowOnWebsite) && !PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can update activities for public display.");
+            }
+
             using IDbContextTransaction transaction = await db.Database.BeginTransactionAsync();
 
             activity.Name = activityDto.Name;
@@ -309,6 +369,12 @@ public async Task<IActionResult> GetPoster(uint id)
             if (activity == null || string.IsNullOrEmpty(activity.PosterPath))
                 return NotFound("Activity or poster not found.");
 
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+            if (activity.DateTimeEnd.UtcDateTime < DateTime.UtcNow && !PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can view posters of past activities.");
+            }
+
             var filePath = Path.Combine(Directory.GetCurrentDirectory(), activity.PosterPath);
 
             if (!System.IO.File.Exists(filePath))
@@ -335,6 +401,12 @@ public async Task<IActionResult> DownloadPoster(uint id)
             if (activity == null || string.IsNullOrEmpty(activity.PosterPath))
                 return NotFound("Activity or poster not found.");
 
+            Guid userId = Guid.Parse(User.Claims.First(c => c.Type == "UserId").Value);
+            if (activity.DateTimeEnd.UtcDateTime < DateTime.UtcNow && !PermissionUtils.IsInGroupInCurrentYear(userId, (uint)PredefinedGroup.Board, db))
+            {
+                return Forbid("Only board members can view posters of past activities.");
+            }
+
             var filePath = Path.Combine(Directory.GetCurrentDirectory(), activity.PosterPath);
 
             if (!System.IO.File.Exists(filePath))

Backend/Controllers/Announcements.cs

@@ -0,0 +1,152 @@
+using Backend.Controllers.DTOs;
+using Backend.Database;
+using Backend.Models;
+using Microsoft.AspNetCore.JsonPatch;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using System.ComponentModel.DataAnnotations;
+
+namespace Backend.Controllers;
+
+[Route("api/[controller]")]
+[ApiController]
+public class Announcements(PostgresDbContext db) : ControllerBase
+{
+    // GET: api/announcements
+    /// <summary>
+    /// Lists all announcements in the database.
+    /// </summary>
+    /// <returns>Said list.</returns>
+    [HttpGet]
+    public async Task<ActionResult<IEnumerable<Announcement>>> GetAnnouncements(CancellationToken cancellationToken)
+    {
+        return await db.Announcements.ToListAsync(cancellationToken);
+    }
+
+    // GET: api/announcements/5
+    /// <summary>
+    /// Fetches a single announcement.
+    /// </summary>
+    /// <param name="id">The id of the announcement to fetch.</param>
+    /// <returns>The full announcement.</returns>
+    [HttpGet("{id}")]
+    public async Task<ActionResult<Announcement>> GetAnnouncement(uint id, CancellationToken cancellationToken)
+    {
+        Announcement? announcement = await db.Announcements.FindAsync(id, cancellationToken);
+
+        return announcement != null ? announcement : NotFound();
+    }
+
+    // POST: api/announcements
+    /// <summary>
+    /// Creates a new announcement with a unique ID assigned by the database.
+    /// </summary>
+    /// <param name="announcementDto">The announcement to be added to the database.</param>
+    /// <returns>Fully created announcement in body and api route of where to fetch it in the headers.</returns>
+    [HttpPost]
+    public async Task<ActionResult<Announcement>> PostAnnouncement(PostAnnouncementDTO announcementDto, CancellationToken cancellationToken)
+    {
+        var createdById = uint.Parse(User.Claims.First(c => c.Type == "member_id").Value!);
+        var newEntry = db.Announcements.Add(new Announcement
+        {
+            Title = announcementDto.Title,
+            Content = announcementDto.Content,
+            CreatedById = createdById,
+            CreatedAt = DateTime.UtcNow
+        });
+        await db.SaveChangesAsync(cancellationToken);
+
+        return CreatedAtAction(nameof(GetAnnouncement), new { id = newEntry.Entity.Id }, newEntry.Entity);
+    }
+
+    // DELETE: api/announcements/5
+    /// <summary>
+    /// Deletes an announcement.
+    /// </summary>
+    /// <param name="id">The id of the announcement to delete.</param>
+    /// <returns>Nothing, really.</returns>
+    /// <remarks>
+    /// Deleting an announcement will also delete all enrollments and role enrollments associated with said
+    /// announcement.
+    /// </remarks>
+    [HttpDelete("{id}")]
+    public async Task<IActionResult> DeleteAnnouncement(uint id, CancellationToken cancellationToken)
+    {
+        Announcement? announcement = await db.Announcements.FindAsync(id, cancellationToken);
+        if (announcement == null) return NotFound();
+
+        db.Announcements.Remove(announcement);
+        await db.SaveChangesAsync(cancellationToken);
+
+        return NoContent();
+    }
+
+    // PATCH: api/announcements/5/title
+    /// <summary>
+    /// Updates an announcement's title.
+    /// </summary>
+    /// <param name="id">The id of the announcement to update.</param>
+    /// <param name="newTitle">The new title of the announcement.</param>
+    /// <returns>No Content.</returns>
+    [HttpPatch("{id}/title")]
+    public async Task<IActionResult> PatchAnnouncementTitle(uint id, [FromBody, StringLength(100)] string newTitle, CancellationToken cancellationToken)
+    {
+        Announcement? announcement = await db.Announcements.FindAsync(id, cancellationToken);
+        if (announcement == null) return NotFound();
+
+        announcement.Title = newTitle;
+        await db.SaveChangesAsync(cancellationToken);
+
+        return NoContent();
+    }
+
+    // PATCH: api/announcements/5
+    /// <summary>
+    /// Partially updates an announcement's details.
+    /// </summary>
+    /// <param name="id">The id of the announcement to update.</param>
+    /// <param name="patchDoc">The patch document containing the changes.</param>
+    /// <returns>No Content.</returns>
+    [HttpPatch("{id}")]
+    public async Task<IActionResult> PatchAnnouncement(uint id, [FromBody] JsonPatchDocument<Announcement> patchDoc, CancellationToken cancellationToken)
+    {
+        if (patchDoc == null)
+            return BadRequest();
+
+        Announcement? announcement = await db.Announcements.FindAsync(new object[] { id }, cancellationToken);
+        if (announcement == null)
+            return NotFound();
+
+        patchDoc.ApplyTo(announcement, ModelState);
+
+        if (!TryValidateModel(announcement))
+            return BadRequest(ModelState);
+
+        if (!ModelState.IsValid)
+            return BadRequest(ModelState);
+
+        await db.SaveChangesAsync(cancellationToken);
+
+        return NoContent();
+    }
+
+    // PUT: api/announcements/5
+    /// <summary>
+    /// Updates an announcement.
+    /// </summary>
+    /// <param name="id">The id of the announcement to update.</param>
+    /// <param name="announcementDto">The updated announcement data.</param>
+    /// <returns>No Content.</returns>
+    [HttpPut("{id}")]
+    public async Task<IActionResult> PutAnnouncement(uint id, UpdateAnnouncementDTO announcementDto, CancellationToken cancellationToken)
+    {
+        Announcement? announcement = await db.Announcements.FindAsync(id, cancellationToken);
+        if (announcement == null) return NotFound();
+
+        announcement.Title = announcementDto.Title;
+        announcement.Content = announcementDto.Content;
+        await db.SaveChangesAsync(cancellationToken);
+
+        return NoContent();
+    }
+}

Backend/Controllers/DTOs/Announcements.cs

@@ -0,0 +1,25 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Backend.Controllers.DTOs;
+
+public class PostAnnouncementDTO
+{
+    /// <inheritdoc cref="Models.Announcement.Title"/>>
+    [StringLength(100)]
+    public required string Title { get; set; }
+
+    /// <inheritdoc cref="Models.Announcement.Content"/>>
+    [StringLength(1000)]
+    public required string Content { get; set; }
+}
+
+public class UpdateAnnouncementDTO
+{
+    /// <inheritdoc cref="Models.Announcement.Title"/>
+    [StringLength(100)]
+    public required string Title { get; set; }
+
+    /// <inheritdoc cref="Models.Announcement.Content"/>
+    [StringLength(1000)]
+    public required string Content { get; set; }
+}