Learn_System/backend/src/routes/customSims.js

'use strict';
/* /api/custom-sims — CRUD спек-симуляций «Конструктора симуляций» (Фаза 3).
 * Read-роуты — auth-only (видимость своих + published проверяет контроллер).
 * Мутации — inline requireRole('teacher','admin') + per-row ownership в хендлере.
 * НЕ blanket requireRole на роутере: список/чтение доступны и ученику (published). */
const express = require('express');
const router  = express.Router();
const { authMiddleware, requireRole } = require('../middleware/auth');
const c = require('../controllers/customSimController');

router.use(authMiddleware);

router.get('/',    c.list);
// @public-by-design: router-level authMiddleware (above) + ownership/published check in handler
router.get('/:id', c.get);
// @public-by-design: router-level authMiddleware (above) + ownership/published check in handler
router.get('/:id/related', c.related);

router.post('/', requireRole('teacher', 'admin'), c.create);
// @public-by-design: router-level authMiddleware (above) + per-row ownership check in handler
router.put('/:id',    requireRole('teacher', 'admin'), c.update);
// @public-by-design: router-level authMiddleware (above) + per-row ownership check in handler
router.delete('/:id', requireRole('teacher', 'admin'), c.remove);

// Фаза 6 — раздача классу / клон / курикулумные связи. Мутации — inline
// requireRole(teacher,admin) + per-row ownership в хендлере.
router.post('/:id/share',  requireRole('teacher', 'admin'), c.share);
router.post('/:id/clone',  requireRole('teacher', 'admin'), c.clone);
// @public-by-design: router-level authMiddleware (above) + per-row ownership check in handler
router.post('/:id/links',          requireRole('teacher', 'admin'), c.addLink);
// @public-by-design: router-level authMiddleware (above) + per-row ownership check in handler
router.delete('/:id/links/:linkId', requireRole('teacher', 'admin'), c.removeLink);

module.exports = router;