bert.hausmans
63d08c8bde
S2c D2, D3, D4, D8 — the meat of the public API rewrite.
Draft / save / submit split (D4):
- POST /public/forms/{public_token}/submissions
Creates a draft. idempotency_key is now REQUIRED; second POST with
the same key returns the existing draft (HTTP 200 vs 201 for fresh).
UniqueConstraintViolationException caught for race-safe replay.
- PUT /public/forms/{public_token}/submissions/{submission_id}
Auto-save. Partial updates only — each PUT writes just the
slugs in the body. Status stays 'draft'; auto_save_count++.
- POST /public/forms/{public_token}/submissions/{submission_id}/submit
Final submission. Merges body values with already-saved values,
runs strict rule set against the merged map, then calls
FormSubmissionService::submit which fires the lifecycle events
(tag sync, identity match). Rate-limited per IP per token per hour.
Access rules: submission must belong to the resolved schema; status
must be 'draft' (409 SUBMISSION_ALREADY_SUBMITTED otherwise); schema
still accepting submissions.
Sub-endpoints (D2, D3):
- GET /public/forms/{public_token}/time-slots
Volunteer-only, festival-aware (parent + children). Reads straight
from TimeSlot model — no org-coupled service to extract from. Out:
{id, name, date, start_time, end_time, duration_hours, event_id,
event_name}.
- GET /public/forms/{public_token}/sections
show_in_registration=true, type=standard, deduplicated by name
across festival children.
Dynamic per-field validation (D8):
- FormFieldRuleBuilder builds Laravel rule arrays from form_fields.
strict() enforces is_required + in:options + type rules (email,
url, numeric, date, boolean, phone regex); relaxed() is the
auto-save variant that drops required-ness.
- StartPublicDraftRequest (required idempotency_key),
SavePublicDraftRequest (relaxed rules, values optional),
SubmitPublicSubmissionRequest (relaxed rules at body level — the
controller merges the body with saved values and runs the strict
validator on the full map so submit with an empty body still
passes when everything was auto-saved).
- FormValueService backs the request layer up with deeper enforcement
of validation_rules JSON (min/max/regex) + is_unique. Throws
FieldValidationException (422) which renders via the D6 envelope.
PublicFormTokenResolver centralises the grace-window logic; every
public endpoint resolves through it so the standardised exceptions
bubble uniformly.
Routes: 6 total under /public/forms/ (up from 2). Tests:
PublicFormApiTest's existing submit test retrofitted to the three-step
flow; 857 tests still green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
64 lines
1.7 KiB
PHP
64 lines
1.7 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Http\Requests\Api\V1\FormBuilder;
|
|
|
|
use App\Models\FormBuilder\FormSchema;
|
|
use App\Services\FormBuilder\FormFieldRuleBuilder;
|
|
use App\Services\FormBuilder\PublicFormTokenResolver;
|
|
use Illuminate\Foundation\Http\FormRequest;
|
|
|
|
/**
|
|
* Body for `POST /api/v1/public/forms/{public_token}/submissions/{id}/submit`.
|
|
*
|
|
* The FormRequest validates the request body in isolation using the
|
|
* *relaxed* rule set, because the controller merges the body with any
|
|
* values already saved via earlier PUT calls and runs the strict rule
|
|
* set on the merged value map before actually submitting.
|
|
*
|
|
* Upshot: a submit call with an empty body but all values auto-saved
|
|
* during drafting still passes at the request layer.
|
|
*/
|
|
final class SubmitPublicSubmissionRequest extends FormRequest
|
|
{
|
|
public function authorize(): bool
|
|
{
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* @return array<string, mixed>
|
|
*/
|
|
public function rules(): array
|
|
{
|
|
$base = [
|
|
'values' => ['sometimes', 'array'],
|
|
'captcha_token' => ['nullable', 'string', 'max:2000'],
|
|
];
|
|
|
|
$schema = $this->resolveSchema();
|
|
if (! $schema instanceof FormSchema) {
|
|
return $base;
|
|
}
|
|
|
|
return array_merge(
|
|
$base,
|
|
app(FormFieldRuleBuilder::class)->relaxed($schema),
|
|
);
|
|
}
|
|
|
|
private function resolveSchema(): ?FormSchema
|
|
{
|
|
$token = (string) $this->route('public_token');
|
|
if ($token === '') {
|
|
return null;
|
|
}
|
|
try {
|
|
return app(PublicFormTokenResolver::class)->resolve($token);
|
|
} catch (\Throwable) {
|
|
return null;
|
|
}
|
|
}
|
|
}
|