Working version before modification.

2026-04-20 21:04:54 +02:00
parent 28d167f11f
commit e7127f3215
30 changed files with 7046 additions and 1201 deletions
@@ -1,6 +1,6 @@
 import { Router } from 'express';

-import { getReport, listReports, submitReport } from '../services/reportService.js';
+import { deleteReport, deleteReportImage, getReport, getReportImages, listReports, submitReport } from '../services/reportService.js';
 import { logAuditEvent } from '../services/auditService.js';
 import { asyncHandler } from '../utils/asyncHandler.js';
 import { validateParam } from '../middleware/validateParams.js';
@@ -29,7 +29,7 @@ router.get(

 router.get(
  '/:reportId',
-  validateParam('reportId'),
+  validateParam('reportId', { pattern: /^[a-zA-Z0-9_-]{1,100}$/ }),
  asyncHandler(async (req, res) => {
    const report = await getReport(req.params.reportId);

@@ -72,4 +72,44 @@ router.post(
  })
 );

+/* Get all images for a report grouped by record */
+router.get(
+  '/:reportId/images',
+  validateParam('reportId', { pattern: /^[a-zA-Z0-9_-]{1,100}$/ }),
+  asyncHandler(async (req, res) => {
+    const images = await getReportImages(req.params.reportId);
+    return res.json(images);
+  })
+);
+
+/* Delete a report and all associated images */
+router.delete(
+  '/:reportId',
+  validateParam('reportId', { pattern: /^[a-zA-Z0-9_-]{1,100}$/ }),
+  asyncHandler(async (req, res) => {
+    await deleteReport(req.params.reportId);
+    await logAuditEvent({
+      entityType: 'report',
+      entityCode: req.params.reportId,
+      action: 'delete',
+      newValue: null
+    });
+    return res.json({ message: 'Report and images deleted.' });
+  })
+);
+
+/* Safe pattern for image file names: alphanumeric, underscore, hyphen, dot */
+const SAFE_FILENAME_PATTERN = /^[a-zA-Z0-9_.-]{1,500}$/;
+
+/* Delete a specific image from a report */
+router.delete(
+  '/:reportId/images/:recordId/:fileName',
+  validateParam('reportId', { pattern: /^[a-zA-Z0-9_-]{1,100}$/ }),
+  validateParam('fileName', { pattern: SAFE_FILENAME_PATTERN }),
+  asyncHandler(async (req, res) => {
+    await deleteReportImage(req.params.reportId, req.params.recordId, req.params.fileName);
+    return res.json({ message: 'Image deleted.' });
+  })
+);
+
 export default router;