iag-dev-evaluator/src/app/api/evaluations/[id]/share/[userId]/route.ts


import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/auth";
import { prisma } from "@/lib/db";
/**
 * Returns whether `userId` may read evaluation `evaluationId`.
 *
 * Admins always pass. Otherwise the evaluation must exist and the user must be
 * either its evaluator or one of the users it has been shared with. This is a
 * read-level check only: it says nothing about whether the user may manage
 * the evaluation's shares.
 */
async function canAccessEvaluation(evaluationId: string, userId: string, isAdmin: boolean) {
  if (isAdmin) {
    return true;
  }
  const record = await prisma.evaluation.findUnique({
    where: { id: evaluationId },
    select: { evaluatorId: true, sharedWith: { select: { userId: true } } },
  });
  if (record == null) {
    return false;
  }
  const isEvaluator = record.evaluatorId === userId;
  const isRecipient = record.sharedWith.some((share) => share.userId === userId);
  return isEvaluator || isRecipient;
}
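/**
 * DELETE /api/evaluations/[id]/share/[userId]
 *
 * Revokes the share of evaluation `id` that was granted to `userId`.
 *
 * Authorization: the caller must be signed in and able to read the evaluation
 * (`canAccessEvaluation`). Because `userId` is taken from the URL, read access
 * alone is not enough to revoke someone else's share: that is reserved for
 * admins and the evaluation's evaluator. A plain share recipient may only
 * remove their own share (`userId === session.user.id`).
 *
 * @returns 401 when unauthenticated, 403 when the caller may not revoke this
 *   share, 500 on an unexpected error, otherwise `{ ok: true }`. `deleteMany`
 *   is idempotent, so revoking a share that does not exist still yields 200.
 */
export async function DELETE(
  _req: NextRequest,
  { params }: { params: Promise<{ id: string; userId: string }> }
) {
  try {
    const session = await auth();
    if (!session?.user) {
      return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
    }
    const { id, userId } = await params;
    const callerId = session.user.id;
    const isAdmin = session.user.role === "admin";

    const hasAccess = await canAccessEvaluation(id, callerId, isAdmin);
    if (!hasAccess) {
      return NextResponse.json({ error: "Accès refusé" }, { status: 403 });
    }

    // Read access is not share-management access: without this check a
    // recipient could revoke any other recipient's share by editing the URL.
    // Revoking a share other than one's own requires admin or evaluator.
    if (!isAdmin && userId !== callerId) {
      const owner = await prisma.evaluation.findUnique({
        where: { id },
        select: { evaluatorId: true },
      });
      // A missing evaluation (deleted since the access check) is also denied.
      if (owner?.evaluatorId !== callerId) {
        return NextResponse.json({ error: "Accès refusé" }, { status: 403 });
      }
    }

    await prisma.evaluationShare.deleteMany({
      where: { evaluationId: id, userId },
    });
    return NextResponse.json({ ok: true });
  } catch (e: unknown) {
    // Log the full error server-side; the client only gets a generic message.
    console.error(e);
    return NextResponse.json({ error: "Erreur" }, { status: 500 });
  }
}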