const express = require('express'); const router = express.Router(); const { authMiddleware, requireRole, requirePermission } = require('../middleware/auth'); const { requireOwnership } = require('../middleware/ownership'); const c = require('../controllers/courseController'); // Владение курсом по :id (created_by). Закрывает IDOR на правки/удаление/секции. const ownCourse = requireOwnership({ table: 'courses', ownerField: 'created_by' }); router.use(authMiddleware); // Course listing & special router.get('/', c.list); router.get('/search', c.search); router.get('/continue', c.continueLesson); router.get('/:id', c.get); router.get('/:id/stats', requireRole('teacher','admin'), c.stats); router.get('/:id/analytics', requireRole('teacher','admin'), c.analytics); // Course mutations router.post('/', requireRole('teacher','admin'), requirePermission('courses.manage'), c.create); router.post('/:id/duplicate', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.duplicate); router.patch('/:id/publish-all', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.publishAll); router.put('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.update); router.delete('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.remove); // Sections (владение родительским курсом по :id) router.get('/:id/sections', requireRole('teacher','admin'), c.listSections); router.post('/:id/sections', requireRole('teacher','admin'), ownCourse, c.createSection); router.put('/:id/sections/:sid', requireRole('teacher','admin'), ownCourse, c.updateSection); router.delete('/:id/sections/:sid', requireRole('teacher','admin'), ownCourse, c.deleteSection); // Class courses router.get('/class/:classId', c.listClassCourses); router.post('/class/:classId/assign', requireRole('teacher','admin'), c.assignCourseToClass); router.delete('/class/:classId/:courseId', requireRole('teacher','admin'), c.unassignCourseFromClass); module.exports = router;