iag-dev-evaluator/src/app/api/evaluations/[id]/share/route.ts

import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/auth";
import { prisma } from "@/lib/db";

async function canAccessEvaluation(evaluationId: string, userId: string, isAdmin: boolean) {
  if (isAdmin) return true;
  const eval_ = await prisma.evaluation.findUnique({
    where: { id: evaluationId },
    select: { evaluatorId: true, sharedWith: { select: { userId: true } } },
  });
  if (!eval_) return false;
  if (eval_.evaluatorId === userId) return true;
  if (eval_.sharedWith.some((s) => s.userId === userId)) return true;
  return false;
}

export async function GET(
  _req: NextRequest,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const session = await auth();
    if (!session?.user) {
      return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
    }
    const { id } = await params;

    const hasAccess = await canAccessEvaluation(
      id,
      session.user.id,
      session.user.role === "admin"
    );
    if (!hasAccess) {
      return NextResponse.json({ error: "Accès refusé" }, { status: 403 });
    }

    const sharedWith = await prisma.evaluationShare.findMany({
      where: { evaluationId: id },
      include: { user: { select: { id: true, email: true, name: true } } },
    });
    return NextResponse.json(sharedWith);
  } catch (e) {
    console.error(e);
    return NextResponse.json({ error: "Erreur" }, { status: 500 });
  }
}

export async function POST(
  req: NextRequest,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const session = await auth();
    if (!session?.user) {
      return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
    }
    const { id } = await params;
    const body = await req.json();
    const { email, userId } = body;

    if (!userId && !email) {
      return NextResponse.json({ error: "userId ou email requis" }, { status: 400 });
    }

    let user;
    if (userId && typeof userId === "string") {
      user = await prisma.user.findUnique({ where: { id: userId } });
    } else if (email && typeof email === "string") {
      user = await prisma.user.findUnique({
        where: { email: String(email).toLowerCase().trim() },
      });
    }
    if (!user) {
      return NextResponse.json({ error: "Utilisateur introuvable" }, { status: 404 });
    }

    const hasAccess = await canAccessEvaluation(
      id,
      session.user.id,
      session.user.role === "admin"
    );
    if (!hasAccess) {
      return NextResponse.json({ error: "Accès refusé" }, { status: 403 });
    }

    if (user.id === session.user.id) {
      return NextResponse.json({ error: "Vous avez déjà accès" }, { status: 400 });
    }

    const evaluation = await prisma.evaluation.findUnique({
      where: { id },
      select: { evaluatorId: true },
    });
    if (evaluation?.evaluatorId === user.id) {
      return NextResponse.json({ error: "L'évaluateur a déjà accès" }, { status: 400 });
    }

    await prisma.evaluationShare.upsert({
      where: {
        evaluationId_userId: { evaluationId: id, userId: user.id },
      },
      create: { evaluationId: id, userId: user.id },
      update: {},
    });

    return NextResponse.json({ ok: true, user: { id: user.id, email: user.email, name: user.name } });
  } catch (e) {
    console.error(e);
    return NextResponse.json({ error: "Erreur" }, { status: 500 });
  }
}