feat(form-builder): public draft/save/submit split + sub-endpoints + validation
S2c D2, D3, D4, D8 — the meat of the public API rewrite.
Draft / save / submit split (D4):
- POST /public/forms/{public_token}/submissions
Creates a draft. idempotency_key is now REQUIRED; second POST with
the same key returns the existing draft (HTTP 200 vs 201 for fresh).
UniqueConstraintViolationException caught for race-safe replay.
- PUT /public/forms/{public_token}/submissions/{submission_id}
Auto-save. Partial updates only — each PUT writes just the
slugs in the body. Status stays 'draft'; auto_save_count++.
- POST /public/forms/{public_token}/submissions/{submission_id}/submit
Final submission. Merges body values with already-saved values,
runs strict rule set against the merged map, then calls
FormSubmissionService::submit which fires the lifecycle events
(tag sync, identity match). Rate-limited per IP per token per hour.
Access rules: submission must belong to the resolved schema; status
must be 'draft' (409 SUBMISSION_ALREADY_SUBMITTED otherwise); schema
still accepting submissions.
Sub-endpoints (D2, D3):
- GET /public/forms/{public_token}/time-slots
Volunteer-only, festival-aware (parent + children). Reads straight
from TimeSlot model — no org-coupled service to extract from. Out:
{id, name, date, start_time, end_time, duration_hours, event_id,
event_name}.
- GET /public/forms/{public_token}/sections
show_in_registration=true, type=standard, deduplicated by name
across festival children.
Dynamic per-field validation (D8):
- FormFieldRuleBuilder builds Laravel rule arrays from form_fields.
strict() enforces is_required + in:options + type rules (email,
url, numeric, date, boolean, phone regex); relaxed() is the
auto-save variant that drops required-ness.
- StartPublicDraftRequest (required idempotency_key),
SavePublicDraftRequest (relaxed rules, values optional),
SubmitPublicSubmissionRequest (relaxed rules at body level — the
controller merges the body with saved values and runs the strict
validator on the full map so submit with an empty body still
passes when everything was auto-saved).
- FormValueService backs the request layer up with deeper enforcement
of validation_rules JSON (min/max/regex) + is_unique. Throws
FieldValidationException (422) which renders via the D6 envelope.
PublicFormTokenResolver centralises the grace-window logic; every
public endpoint resolves through it so the standardised exceptions
bubble uniformly.
Routes: 6 total under /public/forms/ (up from 2). Tests:
PublicFormApiTest's existing submit test retrofitted to the three-step
flow; 857 tests still green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -37,7 +37,9 @@ final class FormValueService
|
||||
->get()
|
||||
->keyBy('slug');
|
||||
|
||||
DB::transaction(function () use ($slugToValue, $fields, $submission, $actor): void {
|
||||
$fieldErrors = [];
|
||||
|
||||
DB::transaction(function () use ($slugToValue, $fields, $submission, $actor, &$fieldErrors): void {
|
||||
foreach ($slugToValue as $slug => $raw) {
|
||||
$field = $fields->get($slug);
|
||||
if ($field === null) {
|
||||
@@ -53,10 +55,68 @@ final class FormValueService
|
||||
throw new AuthorizationException(sprintf('Not allowed to write field "%s".', $slug));
|
||||
}
|
||||
|
||||
$errors = $this->validateAgainstFieldRules($field, $raw, $submission);
|
||||
if ($errors !== []) {
|
||||
$fieldErrors[$slug] = $errors;
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
$this->writeValue($submission, $field, $raw);
|
||||
$this->writeEntityMirror($submission, $field, $raw);
|
||||
}
|
||||
});
|
||||
|
||||
if ($fieldErrors !== []) {
|
||||
throw new \App\Exceptions\FormBuilder\FieldValidationException($fieldErrors);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Backstop enforcement of form_fields.validation_rules JSON per
|
||||
* S2c D8. The FormFieldRuleBuilder already surfaces min/max/regex
|
||||
* shortcuts at the request layer; this is where the deeper checks
|
||||
* (is_unique, validation_rules.unique) live.
|
||||
*
|
||||
* @return array<int, string>
|
||||
*/
|
||||
private function validateAgainstFieldRules(FormField $field, mixed $raw, FormSubmission $submission): array
|
||||
{
|
||||
$errors = [];
|
||||
$rules = is_array($field->validation_rules) ? $field->validation_rules : [];
|
||||
|
||||
if ($raw === null || $raw === '' || $raw === []) {
|
||||
return $errors;
|
||||
}
|
||||
|
||||
if (isset($rules['min']) && is_numeric($rules['min']) && is_numeric($raw) && (float) $raw < (float) $rules['min']) {
|
||||
$errors[] = sprintf('Minimum is %s.', (string) $rules['min']);
|
||||
}
|
||||
if (isset($rules['max']) && is_numeric($rules['max']) && is_numeric($raw) && (float) $raw > (float) $rules['max']) {
|
||||
$errors[] = sprintf('Maximum is %s.', (string) $rules['max']);
|
||||
}
|
||||
if (isset($rules['regex']) && is_string($rules['regex']) && is_string($raw)
|
||||
&& @preg_match($rules['regex'], $raw) !== 1) {
|
||||
$errors[] = 'Value does not match the expected format.';
|
||||
}
|
||||
|
||||
$unique = (bool) $field->is_unique || (bool) ($rules['unique'] ?? false);
|
||||
if ($unique) {
|
||||
$scalar = is_scalar($raw) ? (string) $raw : null;
|
||||
if ($scalar !== null) {
|
||||
$exists = \App\Models\FormBuilder\FormValue::query()
|
||||
->where('form_field_id', $field->id)
|
||||
->where('value_indexed', $scalar)
|
||||
->where('form_submission_id', '!=', $submission->id)
|
||||
->whereHas('submission', fn ($q) => $q->where('status', \App\Enums\FormBuilder\FormSubmissionStatus::SUBMITTED->value))
|
||||
->exists();
|
||||
if ($exists) {
|
||||
$errors[] = 'This value is already in use for another submission.';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $errors;
|
||||
}
|
||||
|
||||
private function writeValue(FormSubmission $submission, FormField $field, mixed $raw): void
|
||||
|
||||
Reference in New Issue
Block a user