feat: avatar moderation — ученик загружает фото, учитель/админ подтверждает или отклоняет

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 20:55:45 +03:00
parent 6429e07606
commit c2eb319162
8 changed files with 422 additions and 22 deletions
@@ -0,0 +1,107 @@
+const path = require('path');
+const fs   = require('fs');
+const db   = require('../db/db');
+
+const AVATARS_DIR = path.join(__dirname, '../../uploads/avatars');
+
+/* ── POST /api/avatar/request ── student submits a new avatar ───────────── */
+function requestAvatar(req, res) {
+    if (!req.file) return res.status(400).json({ error: 'Файл не загружен' });
+
+    // Cancel any previous pending request from this user (replace it)
+    const prev = db.prepare(
+        "SELECT filename FROM avatar_requests WHERE user_id=? AND status='pending'"
+    ).get(req.user.id);
+    if (prev) {
+        // Delete old file
+        try { fs.unlinkSync(path.join(AVATARS_DIR, prev.filename)); } catch {}
+        db.prepare("DELETE FROM avatar_requests WHERE user_id=? AND status='pending'").run(req.user.id);
+    }
+
+    db.prepare(`
+        INSERT INTO avatar_requests (user_id, filename, status, created_at)
+        VALUES (?, ?, 'pending', datetime('now'))
+    `).run(req.user.id, req.file.filename);
+
+    res.json({ ok: true, filename: req.file.filename });
+}
+
+/* ── GET /api/avatar/my-status ── student polls their request status ────── */
+function myStatus(req, res) {
+    const row = db.prepare(`
+        SELECT ar.id, ar.filename, ar.status, ar.reject_msg, ar.created_at, ar.reviewed_at
+        FROM avatar_requests ar
+        WHERE ar.user_id = ?
+        ORDER BY ar.created_at DESC LIMIT 1
+    `).get(req.user.id);
+
+    const user = db.prepare('SELECT avatar_url FROM users WHERE id=?').get(req.user.id);
+    res.json({ request: row || null, current_avatar: user?.avatar_url || null });
+}
+
+/* ── GET /api/avatar/pending ── moderator sees all pending requests ──────── */
+function getPending(req, res) {
+    const rows = db.prepare(`
+        SELECT ar.id, ar.filename, ar.status, ar.created_at,
+               u.id AS user_id, u.name AS user_name, u.email AS user_email,
+               u.avatar_url AS current_avatar
+        FROM avatar_requests ar
+        JOIN users u ON u.id = ar.user_id
+        WHERE ar.status = 'pending'
+        ORDER BY ar.created_at ASC
+    `).all();
+    res.json(rows);
+}
+
+/* ── POST /api/avatar/:id/approve ── moderator approves ─────────────────── */
+function approveAvatar(req, res) {
+    const row = db.prepare('SELECT * FROM avatar_requests WHERE id=?').get(req.params.id);
+    if (!row) return res.status(404).json({ error: 'Заявка не найдена' });
+    if (row.status !== 'pending') return res.status(400).json({ error: 'Заявка уже обработана' });
+
+    // Remove old avatar file if exists
+    const user = db.prepare('SELECT avatar_url FROM users WHERE id=?').get(row.user_id);
+    if (user?.avatar_url) {
+        try { fs.unlinkSync(path.join(AVATARS_DIR, user.avatar_url)); } catch {}
+    }
+
+    db.prepare('UPDATE users SET avatar_url=? WHERE id=?').run(row.filename, row.user_id);
+    db.prepare(`
+        UPDATE avatar_requests SET status='approved', reviewer_id=?, reviewed_at=datetime('now')
+        WHERE id=?
+    `).run(req.user.id, row.id);
+
+    res.json({ ok: true });
+}
+
+/* ── POST /api/avatar/:id/reject ── moderator rejects ───────────────────── */
+function rejectAvatar(req, res) {
+    const row = db.prepare('SELECT * FROM avatar_requests WHERE id=?').get(req.params.id);
+    if (!row) return res.status(404).json({ error: 'Заявка не найдена' });
+    if (row.status !== 'pending') return res.status(400).json({ error: 'Заявка уже обработана' });
+
+    const msg = (req.body.reason || '').toString().slice(0, 200).trim();
+
+    // Delete uploaded file
+    try { fs.unlinkSync(path.join(AVATARS_DIR, row.filename)); } catch {}
+
+    db.prepare(`
+        UPDATE avatar_requests
+        SET status='rejected', reviewer_id=?, reject_msg=?, reviewed_at=datetime('now')
+        WHERE id=?
+    `).run(req.user.id, msg || null, row.id);
+
+    res.json({ ok: true });
+}
+
+/* ── DELETE /api/avatar/me ── student removes their approved avatar ──────── */
+function removeAvatar(req, res) {
+    const user = db.prepare('SELECT avatar_url FROM users WHERE id=?').get(req.user.id);
+    if (user?.avatar_url) {
+        try { fs.unlinkSync(path.join(AVATARS_DIR, user.avatar_url)); } catch {}
+        db.prepare('UPDATE users SET avatar_url=NULL WHERE id=?').run(req.user.id);
+    }
+    res.json({ ok: true });
+}
+
+module.exports = { requestAvatar, myStatus, getPending, approveAvatar, rejectAvatar, removeAvatar };