From 21c33b169e17ae43f3b1c224e9eadcd6c8f540f0 Mon Sep 17 00:00:00 2001
From: Gabriel Kaszewski
Date: Tue, 2 Jun 2026 23:14:06 +0200
Subject: [PATCH] feat: gate wrapup generate behind admin role
---
 crates/api-types/src/wrapup.rs | 3 ++-
 crates/presentation/src/handlers/wrapup.rs | 11 ++++-------
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/crates/api-types/src/wrapup.rs b/crates/api-types/src/wrapup.rs
index 0d5426c..26a94ca 100644
--- a/crates/api-types/src/wrapup.rs
+++ b/crates/api-types/src/wrapup.rs
@@ -1,10 +1,11 @@
 use serde::{Deserialize, Serialize};
+use uuid::Uuid;
 #[derive(Debug, Deserialize, utoipa::ToSchema)]
 pub struct GenerateWrapUpRequest {
 pub start_date: String,
 pub end_date: String,
- pub global: Option,
+ pub user_id: Option,
 }
 #[derive(Debug, Serialize, utoipa::ToSchema)]
diff --git a/crates/presentation/src/handlers/wrapup.rs b/crates/presentation/src/handlers/wrapup.rs
index c94004d..7519511 100644
--- a/crates/presentation/src/handlers/wrapup.rs
+++ b/crates/presentation/src/handlers/wrapup.rs
@@ -19,7 +19,7 @@ use domain::value_objects::WrapUpId;
 use crate::{
 csrf::CsrfToken,
 errors::ApiError,
- extractors::{AuthenticatedUser, OptionalCookieUser},
+ extractors::{AdminUser, AuthenticatedUser, OptionalCookieUser},
 render::render_page,
 state::AppState,
 };
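Review bot: In `GenerateWrapUpRequest` (crates/api-types/src/wrapup.rs) nothing says what an absent `user_id` means, and the struct shows no `#[serde(deny_unknown_fields)]`, so a payload that still carries the old `global` key would be accepted with that key ignored. Judging by the branch removed from `post_generate` in the second file, `None` was the global case, so an admin client that posts only the two dates, or `"global": false`, presumably now triggers a global wrap-up where it used to get a per-user one. I would document the field with `/// Target user; when omitted the wrap-up is generated globally.` and add `#[serde(deny_unknown_fields)]` to the request struct so stale payloads fail at deserialization instead of silently changing scope.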
@@ -47,23 +47,20 @@ fn record_to_dto(r: &WrapUpRecord) -> WrapUpStatusResponse {
 (status = 200, body = WrapUpGeneratedResponse),
 (status = 400, description = "Invalid date format"),
 (status = 401, description = "Unauthorized"),
+ (status = 403, description = "Forbidden — admin only"),
 ),
 security(("bearer_auth" = []))
 )]
 pub async fn post_generate(
 State(state): State,
- user: AuthenticatedUser,
+ _admin: AdminUser,
 Json(req): Json,
 ) -> Result, ApiError> {
 let start = NaiveDate::parse_from_str(&req.start_date, "%Y-%m-%d")
 .map_err(|_| DomainError::ValidationError("invalid start_date".into()))?;
 let end = NaiveDate::parse_from_str(&req.end_date, "%Y-%m-%d")
 .map_err(|_| DomainError::ValidationError("invalid end_date".into()))?;
- let user_id = if req.global.unwrap_or(false) {
- None
- } else {
- Some(user.0.value())
- };
+ let user_id = req.user_id;
 let cmd = RequestWrapUpCommand {
 user_id,
 start_date: start,
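Review bot: The caller's identity is bound to `_admin` and then dropped in `post_generate`, so a wrap-up generated for an arbitrary `req.user_id` leaves no record in this handler of which admin requested it. I would bind it as `admin: AdminUser` and log or forward the requesting admin's id alongside the target `user_id`, so that acting on another user's data is attributable. `let user_id = req.user_id;` also passes the client-supplied UUID straight into `RequestWrapUpCommand`; unless the use case already rejects unknown users, an existence check belongs before the command is built. A handler test asserting that a non-admin bearer token receives 403 would pin the gate this commit introduces. The body of `post_generate` continues past the end of the hunk, so later handling of `cmd` is not visible here.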