Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(api): wrap critical mutations in transactions and fix TOCTOU race conditions

Browse Source 
- applyProjectScenario: wrap assignment loop in db.$transaction to prevent partial updates
- vacation approve/reject: fix TOCTOU race via updateMany with status-guard in WHERE + CONFLICT on count=0
- vacation cancel: wrap vacation.update + entitlement.updateMany in $transaction
- batchApprove: collect mutations, wrap in $transaction, dispatch SSE/notifications after commit
- Fix dead-code bug in createHappyPathDb where $transaction was assigned after return
- Add atomicity and concurrency tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-09 08:34:59 +02:00
parent b103e79e92
commit 1d6d75ecf6
6 changed files with 245 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/__tests__/assistant-tools-vacation-mutation-test-helpers.ts
+9 -3
View File
@@ -71,7 +71,7 @@ export function createHappyPathDb() {
return null;
});
return {
const db = {
user: {
findUnique: vi.fn().mockResolvedValue({ id: "user_1", systemRole: "MANAGER" }),
},
@@ -111,6 +111,11 @@ export function createHappyPathDb() {
},
vacation: {
findUnique: vacationFindUnique,
findUniqueOrThrow: vi.fn().mockImplementation(async (args?: any) => {
const result = await vacationFindUnique({ where: { id: args?.where?.id } });
if (!result) throw new Error("Vacation not found");
return result;
}),
findMany: vi.fn().mockResolvedValue([]),
findFirst: vi.fn().mockResolvedValue(null),
create: vi.fn().mockResolvedValue({
@@ -147,6 +152,7 @@ export function createHappyPathDb() {
approvedById: args?.data?.approvedById ?? existing?.approvedById ?? null,
};
}),
updateMany: vi.fn().mockResolvedValue({ count: 1 }),
},
notification: {
updateMany: vi.fn().mockResolvedValue({ count: 1 }),
@@ -158,9 +164,9 @@ export function createHappyPathDb() {
webhook: {
findMany: vi.fn().mockResolvedValue([]),
},
};
} as any;
(db as Record<string, unknown>).$transaction = vi.fn(
db.$transaction = vi.fn(
async (callback: (tx: typeof db) => Promise<unknown>) => callback(db),
);
packages/api/src/__tests__/assistant-tools-vacation-review-cancel.test.ts
+4 -4
View File
@@ -72,15 +72,15 @@ describe("assistant vacation mutation tools", () => {
message: "Rejected vacation for Alice Example: Capacity freeze",
}),
);
expect(db.vacation.update).toHaveBeenCalledWith(
expect(db.vacation.updateMany).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: "vac_cancelled" },
where: expect.objectContaining({ id: "vac_cancelled" }),
data: expect.objectContaining({ status: "APPROVED" }),
}),
);
expect(db.vacation.update).toHaveBeenCalledWith(
expect(db.vacation.updateMany).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: "vac_pending" },
where: expect.objectContaining({ id: "vac_pending" }),
data: expect.objectContaining({ status: "REJECTED", rejectionReason: "Capacity freeze" }),
}),
);
packages/api/src/__tests__/scenario-apply.test.ts
+48 -1
View File
@@ -10,8 +10,9 @@ function makeDb(overrides: {
assignmentUpdate?: ReturnType<typeof vi.fn>;
assignmentCreate?: ReturnType<typeof vi.fn>;
resourceFindUnique?: ReturnType<typeof vi.fn>;
transaction?: ReturnType<typeof vi.fn>;
}) {
return {
const db = {
project: {
findUnique: overrides.projectFindUnique ?? vi.fn().mockResolvedValue({ id: "project_1", name: "Test Project" }),
},
@@ -22,6 +23,10 @@ function makeDb(overrides: {
resource: {
findUnique: overrides.resourceFindUnique ?? vi.fn().mockResolvedValue({ lcrCents: 100 }),
},
};
return {
...db,
$transaction: overrides.transaction ?? vi.fn(async (cb: (tx: typeof db) => Promise<unknown>) => cb(db)),
} as never;
}
@@ -151,4 +156,46 @@ describe("applyProjectScenario", () => {
// appliedCount = 2 creates + 0 cancel = 2.
expect(result.appliedCount).toBe(2);
});
it("wraps all mutations in a single transaction", async () => {
assignmentCreate = vi.fn().mockResolvedValue({ id: "new_1" });
assignmentUpdate = vi.fn().mockResolvedValue({});
// transaction mock that propagates the error so we can verify atomicity
const transaction = vi.fn(async (cb: (tx: unknown) => Promise<unknown>) => cb({
assignment: { update: assignmentUpdate, create: assignmentCreate },
resource: { findUnique: resourceFindUnique },
}));
const db = makeDb({ assignmentCreate, assignmentUpdate, resourceFindUnique, transaction });
await applyProjectScenario(db, {
projectId: "project_1",
changes: [{ ...baseChange, resourceId: "resource_1" }],
});
expect(transaction).toHaveBeenCalledTimes(1);
});
it("propagates transaction error so partial changes are rolled back", async () => {
assignmentCreate = vi.fn()
.mockResolvedValueOnce({ id: "new_1" })
.mockRejectedValueOnce(new Error("DB constraint violation"));
const transaction = vi.fn(async (cb: (tx: unknown) => Promise<unknown>) =>
cb({ assignment: { update: assignmentUpdate, create: assignmentCreate }, resource: { findUnique: resourceFindUnique } }),
);
const db = makeDb({ assignmentCreate, assignmentUpdate, resourceFindUnique, transaction });
await expect(
applyProjectScenario(db, {
projectId: "project_1",
changes: [
{ ...baseChange, resourceId: "resource_1" },
{ ...baseChange, resourceId: "resource_2" },
],
}),
).rejects.toThrow("DB constraint violation");
});
});
packages/api/src/__tests__/vacation-router.test.ts
+56 -13
View File
@@ -152,6 +152,7 @@ function createVacationDb(overrides: Record<string, unknown> = {}) {
vacation: {
findFirst: vi.fn().mockResolvedValue(null),
findUnique: vi.fn().mockResolvedValue(sampleVacation),
findUniqueOrThrow: vi.fn().mockResolvedValue(sampleVacation),
findMany: vi.fn().mockResolvedValue([]),
create: vi.fn().mockResolvedValue(sampleVacation),
update: vi.fn().mockResolvedValue(sampleVacation),
@@ -331,10 +332,11 @@ describe("vacation router", () => {
...sampleVacation,
status: VacationStatus.PENDING,
}),
update: vi.fn().mockResolvedValue({
findUniqueOrThrow: vi.fn().mockResolvedValue({
...sampleVacation,
status: VacationStatus.APPROVED,
}),
updateMany: vi.fn().mockResolvedValue({ count: 1 }),
},
});
@@ -379,10 +381,11 @@ describe("vacation router", () => {
...sampleVacation,
status: VacationStatus.PENDING,
}),
update: vi.fn().mockResolvedValue({
findUniqueOrThrow: vi.fn().mockResolvedValue({
...sampleVacation,
status: VacationStatus.APPROVED,
}),
updateMany: vi.fn().mockResolvedValue({ count: 1 }),
},
});
@@ -896,7 +899,8 @@ describe("vacation router", () => {
const db = createVacationDb({
vacation: {
findUnique: vi.fn().mockResolvedValue(sampleVacation),
update: vi.fn().mockResolvedValue(updatedVacation),
findUniqueOrThrow: vi.fn().mockResolvedValue(updatedVacation),
updateMany: vi.fn().mockResolvedValue({ count: 1 }),
},
user: {
findUnique: vi.fn().mockResolvedValue({ id: "mgr_1" }),
@@ -910,9 +914,9 @@ describe("vacation router", () => {
const result = await caller.approve({ id: "vac_1" });
expect(result.status).toBe(VacationStatus.APPROVED);
expect(db.vacation.update).toHaveBeenCalledWith(
expect(db.vacation.updateMany).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: "vac_1" },
where: expect.objectContaining({ id: "vac_1" }),
data: expect.objectContaining({
status: VacationStatus.APPROVED,
rejectionReason: null,
@@ -1016,7 +1020,8 @@ describe("vacation router", () => {
const db = createVacationDb({
vacation: {
findUnique: vi.fn().mockResolvedValue(sampleVacation),
update: vi.fn().mockResolvedValue(updatedVacation),
findUniqueOrThrow: vi.fn().mockResolvedValue(updatedVacation),
updateMany: vi.fn().mockResolvedValue({ count: 1 }),
},
resource: {
findUnique: vi.fn().mockResolvedValue(null),
@@ -1027,8 +1032,9 @@ describe("vacation router", () => {
const result = await caller.reject({ id: "vac_1", rejectionReason: "Team conflict" });
expect(result.status).toBe(VacationStatus.REJECTED);
expect(db.vacation.update).toHaveBeenCalledWith(
expect(db.vacation.updateMany).toHaveBeenCalledWith(
expect.objectContaining({
where: expect.objectContaining({ id: "vac_1" }),
data: expect.objectContaining({
status: VacationStatus.REJECTED,
rejectionReason: "Team conflict",
@@ -1458,8 +1464,8 @@ describe("vacation router", () => {
},
vacation: {
deleteMany: vi.fn().mockResolvedValue({ count: 0 }),
findFirst: vi.fn().mockResolvedValue(null),
create: vi.fn().mockResolvedValue({}),
findMany: vi.fn().mockResolvedValue([]),
createMany: vi.fn().mockResolvedValue({ count: 0 }),
},
};
@@ -1471,7 +1477,37 @@ describe("vacation router", () => {
expect(result.created).toBeGreaterThan(0);
expect(result.resources).toBe(2);
expect(db.vacation.create).toHaveBeenCalled();
expect(db.vacation.createMany).toHaveBeenCalled();
});
it("resolves holidays once per unique country/state combination", async () => {
// 3 resources: res_1 and res_2 share the same combo, res_3 is different
const db = {
resource: {
findMany: vi.fn().mockResolvedValue([
{ id: "res_1", federalState: "BY", countryId: "de", country: { code: "DE" }, metroCityId: null, metroCity: null },
{ id: "res_2", federalState: "BY", countryId: "de", country: { code: "DE" }, metroCityId: null, metroCity: null },
{ id: "res_3", federalState: "BE", countryId: "de", country: { code: "DE" }, metroCityId: null, metroCity: null },
]),
},
user: {
findUnique: vi.fn().mockResolvedValue({ id: "admin_1" }),
},
vacation: {
findMany: vi.fn().mockResolvedValue([]),
createMany: vi.fn().mockResolvedValue({ count: 0 }),
},
holidayCalendar: {
findMany: vi.fn().mockResolvedValue([]),
},
};
const caller = createAdminCaller(db);
const result = await caller.batchCreatePublicHolidays({ year: 2026 });
// 3 resources, 2 unique combos → holiday calendars queried twice, not 3 times
expect(db.holidayCalendar.findMany).toHaveBeenCalledTimes(2);
expect(result.resources).toBe(3);
});
it("skips already existing holidays", async () => {
@@ -1485,8 +1521,15 @@ describe("vacation router", () => {
findUnique: vi.fn().mockResolvedValue({ id: "admin_1" }),
},
vacation: {
findFirst: vi.fn().mockResolvedValue({ id: "existing" }),
create: vi.fn(),
// Return one entry per day of 2026 so every holiday date is "already existing"
findMany: vi.fn().mockResolvedValue(
Array.from({ length: 365 }, (_, i) => {
const d = new Date(Date.UTC(2026, 0, 1));
d.setUTCDate(d.getUTCDate() + i);
return { resourceId: "res_1", startDate: d };
}),
),
createMany: vi.fn(),
},
};
@@ -1497,7 +1540,7 @@ describe("vacation router", () => {
});
expect(result.created).toBe(0);
expect(db.vacation.create).not.toHaveBeenCalled();
expect(db.vacation.createMany).not.toHaveBeenCalled();
});
it("forbids non-admin users", async () => {
packages/api/src/router/scenario-apply.ts
+44 -42
View File
@@ -22,56 +22,58 @@ export async function applyProjectScenario(
const created: string[] = [];
for (const change of changes) {
if (change.remove && change.assignmentId) {
await db.assignment.update({
where: { id: change.assignmentId },
data: { status: "CANCELLED" },
});
continue;
}
await db.$transaction(async (tx) => {
for (const change of changes) {
if (change.remove && change.assignmentId) {
await tx.assignment.update({
where: { id: change.assignmentId },
data: { status: "CANCELLED" },
});
continue;
}
if (change.assignmentId) {
await db.assignment.update({
where: { id: change.assignmentId },
if (change.assignmentId) {
await tx.assignment.update({
where: { id: change.assignmentId },
data: {
startDate: change.startDate,
endDate: change.endDate,
hoursPerDay: change.hoursPerDay,
...(change.resourceId ? { resourceId: change.resourceId } : {}),
...(change.roleId ? { roleId: change.roleId } : {}),
},
});
created.push(change.assignmentId);
continue;
}
if (!change.resourceId) {
continue;
}
const resource = await tx.resource.findUnique({
where: { id: change.resourceId },
select: { lcrCents: true },
});
const dailyCostCents = Math.round((resource?.lcrCents ?? 0) * change.hoursPerDay);
const newAssignment = await tx.assignment.create({
data: {
projectId,
resourceId: change.resourceId,
...(change.roleId ? { roleId: change.roleId } : {}),
startDate: change.startDate,
endDate: change.endDate,
hoursPerDay: change.hoursPerDay,
...(change.resourceId ? { resourceId: change.resourceId } : {}),
...(change.roleId ? { roleId: change.roleId } : {}),
percentage: 100,
dailyCostCents,
status: "PROPOSED",
metadata: {},
},
});
created.push(change.assignmentId);
continue;
created.push(newAssignment.id);
}
if (!change.resourceId) {
continue;
}
const resource = await db.resource.findUnique({
where: { id: change.resourceId },
select: { lcrCents: true },
});
const dailyCostCents = Math.round((resource?.lcrCents ?? 0) * change.hoursPerDay);
const newAssignment = await db.assignment.create({
data: {
projectId,
resourceId: change.resourceId,
...(change.roleId ? { roleId: change.roleId } : {}),
startDate: change.startDate,
endDate: change.endDate,
hoursPerDay: change.hoursPerDay,
percentage: 100,
dailyCostCents,
status: "PROPOSED",
metadata: {},
},
});
created.push(newAssignment.id);
}
});
void createAuditEntry({
db,
packages/api/src/router/vacation-management-procedures.ts
+84 -66
View File
@@ -5,7 +5,7 @@ import { VACATION_BALANCE_TYPES } from "../lib/vacation-deduction-snapshot.js";
import { z } from "zod";
import { findUniqueOrThrow } from "../db/helpers.js";
import { RESOURCE_BRIEF_SELECT } from "../db/selects.js";
import { createAuditEntry } from "../lib/audit.js";
import { makeAuditLogger } from "../lib/audit-helpers.js";
import { checkBatchVacationConflicts, checkVacationConflicts } from "../lib/vacation-conflicts.js";
import { emitVacationUpdated } from "../sse/event-bus.js";
import { adminProcedure, managerProcedure, protectedProcedure } from "../trpc.js";
@@ -20,6 +20,7 @@ import {
notifyVacationStatusInBackground,
} from "./vacation-side-effects.js";
import {
approvableVacationStatuses,
assertVacationApprovable,
assertVacationCancelable,
assertVacationRejectable,
@@ -73,6 +74,7 @@ export const vacationManagementProcedures = {
});
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
const conflictResult = await checkVacationConflicts(
// eslint-disable-next-line @typescript-eslint/no-explicit-any
ctx.db as any,
@@ -80,27 +82,29 @@ export const vacationManagementProcedures = {
userRecord?.id,
);
const updated = await ctx.db.vacation.update({
where: { id: input.id },
const approveResult = await ctx.db.vacation.updateMany({
where: { id: input.id, status: { in: approvableVacationStatuses as VacationStatus[] } },
data: buildApprovedVacationUpdateData({
deductionSnapshotWriteData,
approvedById: userRecord?.id,
approvedAt: new Date(),
}),
});
if (approveResult.count === 0) {
throw new TRPCError({ code: "CONFLICT", message: "Vacation was already processed by another request" });
}
const updated = await ctx.db.vacation.findUniqueOrThrow({ where: { id: input.id } });
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Approved vacation (was ${existing.status})`,
});
@@ -129,28 +133,31 @@ export const vacationManagementProcedures = {
);
assertVacationRejectable(existing.status);
const updated = await ctx.db.vacation.update({
where: { id: input.id },
const rejectResult = await ctx.db.vacation.updateMany({
where: { id: input.id, status: VacationStatus.PENDING },
data: buildRejectedVacationUpdateData({
rejectionReason: input.rejectionReason,
}),
});
if (rejectResult.count === 0) {
throw new TRPCError({ code: "CONFLICT", message: "Vacation was already processed by another request" });
}
const updated = await ctx.db.vacation.findUniqueOrThrow({ where: { id: input.id } });
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
await completeVacationApprovalTasks(ctx.db, input.id, userRecord?.id);
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Rejected vacation${input.rejectionReason ? `: ${input.rejectionReason}` : ""}`,
});
@@ -169,6 +176,7 @@ export const vacationManagementProcedures = {
.input(z.object({ ids: z.array(z.string()).min(1).max(100) }))
.mutation(async ({ ctx, input }) => {
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
const vacations = await ctx.db.vacation.findMany({
where: { id: { in: input.ids }, status: VacationStatus.PENDING },
@@ -193,39 +201,53 @@ export const vacationManagementProcedures = {
userRecord?.id,
);
for (const vacation of vacations) {
const deductionSnapshotWriteData = await buildVacationApprovalWriteData(ctx.db, {
resourceId: vacation.resourceId,
type: vacation.type,
startDate: vacation.startDate,
endDate: vacation.endDate,
isHalfDay: vacation.isHalfDay,
});
const updated = await ctx.db.vacation.update({
where: { id: vacation.id },
data: buildApprovedVacationUpdateData({
deductionSnapshotWriteData,
approvedById: userRecord?.id,
approvedAt: new Date(),
// Pre-compute read-only deduction data before opening the transaction
const approvalPayloads = await Promise.all(
vacations.map(async (vacation) => ({
vacation,
writeData: await buildVacationApprovalWriteData(ctx.db, {
resourceId: vacation.resourceId,
type: vacation.type,
startDate: vacation.startDate,
endDate: vacation.endDate,
isHalfDay: vacation.isHalfDay,
}),
});
})),
);
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
notifyVacationStatusInBackground(ctx.db, updated.id, updated.resourceId, VacationStatus.APPROVED);
// Execute all writes atomically, collect side-effect payloads
const approvedNow: Array<{ id: string; resourceId: string; status: typeof VacationStatus.APPROVED }> = [];
const approvedAt = new Date();
void createAuditEntry({
db: ctx.db,
await ctx.db.$transaction(async (tx) => {
approvedNow.length = 0;
for (const { vacation, writeData } of approvalPayloads) {
const updated = await tx.vacation.update({
where: { id: vacation.id },
data: buildApprovedVacationUpdateData({
deductionSnapshotWriteData: writeData,
approvedById: userRecord?.id,
approvedAt,
}),
});
// eslint-disable-next-line @typescript-eslint/no-explicit-any
await completeVacationApprovalTasks(tx as any, updated.id, userRecord?.id);
approvedNow.push({ id: updated.id, resourceId: updated.resourceId, status: VacationStatus.APPROVED });
}
});
// Side effects — dispatched after the transaction commits
for (const entry of approvedNow) {
emitVacationUpdated(entry);
notifyVacationStatusInBackground(ctx.db, entry.id, entry.resourceId, VacationStatus.APPROVED);
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
entityId: entry.id,
entityName: `Vacation ${entry.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
after: updated as unknown as Record<string, unknown>,
source: "ui",
after: entry as unknown as Record<string, unknown>,
summary: "Batch approved vacation",
});
await completeVacationApprovalTasks(ctx.db, updated.id, userRecord?.id);
}
const warnings: string[] = [];
@@ -245,6 +267,7 @@ export const vacationManagementProcedures = {
)
.mutation(async ({ ctx, input }) => {
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
const vacations = await ctx.db.vacation.findMany({
where: { id: { in: input.ids }, status: VacationStatus.PENDING },
@@ -268,15 +291,12 @@ export const vacationManagementProcedures = {
input.rejectionReason,
);
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: vacation.id,
entityName: `Vacation ${vacation.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
after: { status: VacationStatus.REJECTED, rejectionReason: input.rejectionReason } as unknown as Record<string, unknown>,
source: "ui",
summary: `Batch rejected vacation${input.rejectionReason ? `: ${input.rejectionReason}` : ""}`,
});
@@ -296,6 +316,7 @@ export const vacationManagementProcedures = {
assertVacationCancelable(existing.status);
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
if (!userRecord) {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
@@ -325,31 +346,32 @@ export const vacationManagementProcedures = {
typeof existing.deductedDays === "number" &&
existing.deductedDays > 0;
const updated = await ctx.db.vacation.update({
where: { id: input.id },
data: { status: VacationStatus.CANCELLED },
});
if (shouldReverseEntitlement) {
const year = existing.startDate.getFullYear();
await ctx.db.vacationEntitlement.updateMany({
where: { resourceId: existing.resourceId, year },
data: { usedDays: { decrement: existing.deductedDays as number } },
const updated = await ctx.db.$transaction(async (tx) => {
const cancelledVacation = await tx.vacation.update({
where: { id: input.id },
data: { status: VacationStatus.CANCELLED },
});
}
if (shouldReverseEntitlement) {
const year = existing.startDate.getFullYear();
await tx.vacationEntitlement.updateMany({
where: { resourceId: existing.resourceId, year },
data: { usedDays: { decrement: existing.deductedDays as number } },
});
}
return cancelledVacation;
});
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
userId: userRecord.id,
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Cancelled vacation (was ${existing.status})`,
});
@@ -377,6 +399,7 @@ export const vacationManagementProcedures = {
if (!adminUser) {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
const audit = makeAuditLogger(ctx.db, adminUser.id);
const { created, holidays, resources } = await batchCreatePublicHolidayVacations(
ctx.db,
@@ -384,15 +407,12 @@ export const vacationManagementProcedures = {
adminUser.id,
);
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: `public-holidays-${input.year}`,
entityName: `Public Holidays ${input.year}${input.federalState ? ` (${input.federalState})` : ""}`,
action: "CREATE",
userId: adminUser.id,
after: { created, holidays, resources, year: input.year, federalState: input.federalState } as unknown as Record<string, unknown>,
source: "ui",
summary: `Batch created ${created} public holidays for ${resources} resources (${input.year})`,
});
@@ -408,6 +428,7 @@ export const vacationManagementProcedures = {
);
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
if (!userRecord) {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
@@ -428,16 +449,13 @@ export const vacationManagementProcedures = {
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
userId: userRecord.id,
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Updated vacation status to ${input.status}`,
});