Implemented Incident Management API with RBAC and Attachment Support

app-backend/src/config/multer.js

@@ -23,7 +23,7 @@ const storage = multer.diskStorage({
 
 // accept images only + 5MB limit
 const fileFilter = (_req, file, cb) => {
-    const ok = ['image/jpeg', 'image/png', 'image/webp', 'image/heic'].includes(file.mimetype);
+    const ok = ['image/jpeg', 'image/png', 'image/webp', 'image/heic','application/pdf'  ].includes(file.mimetype);
     cb(ok ? null : new Error('Only image files are allowed'), ok);
 };
 

app-backend/src/controllers/incident.controller.js

@@ -0,0 +1,282 @@
+import Incident from "../models/Incident.js";
+import Shift from "../models/Shift.js";
+import { ErrorResponse } from "../utils/errorResponse.js";
+import { ACTIONS } from "../middleware/logger.js";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// CREATE INCIDENT
+export const createIncident = async (req, res, next) => {
+  try {
+    const { shiftId, severity, description } = req.body;
+
+    if (!shiftId || !severity || !description) {
+      return next(new ErrorResponse("All fields are required", 400));
+    }
+
+    const shift = await Shift.findById(shiftId);
+    if (!shift) {
+      return next(new ErrorResponse("Shift not found", 404));
+    }
+
+    if (String(shift.acceptedBy) !== String(req.user._id)) {
+      return next(new ErrorResponse("Not assigned to this shift", 403));
+    }
+
+    const incident = await Incident.create({
+      shiftId,
+      guardId: req.user._id,
+      severity,
+      description,
+    });
+
+    await req.audit.log(req.user._id, ACTIONS.INCIDENT_CREATED, {
+      incidentId: incident._id,
+    });
+
+    res.status(201).json({ success: true, data: incident });
+  } catch (err) {
+    next(err);
+  }
+};
+
+// UPDATE INCIDENT
+export const updateIncident = async (req, res, next) => {
+  try {
+    const incident = await Incident.findById(req.params.id);
+
+    if (!incident || incident.isDeleted) {
+      return next(new ErrorResponse("Incident not found", 404));
+    }
+
+    let allowedFields = [];
+
+    if (req.user.role === "guard") {
+      // guards can only update their own incidents
+      if (String(incident.guardId) !== String(req.user._id)) {
+        return next(new ErrorResponse("Not authorized", 403));
+      }
+
+      // guards should only update limited fields
+      allowedFields = ["description"];
+    } else if (req.user.role === "employer") {
+      // employers can only update incidents belonging to their own shifts
+      const shift = await Shift.findById(incident.shiftId);
+
+      if (!shift || String(shift.createdBy) !== String(req.user._id)) {
+        return next(new ErrorResponse("Not authorized", 403));
+      }
+
+      allowedFields = ["description", "status"];
+    } else if (req.user.role === "admin") {
+      allowedFields = ["severity", "description", "status"];
+    } else {
+      return next(new ErrorResponse("Not authorized", 403));
+    }
+
+    allowedFields.forEach((field) => {
+      if (req.body[field] !== undefined) {
+        incident[field] = req.body[field];
+      }
+    });
+
+    await incident.save();
+
+    await req.audit.log(req.user._id, ACTIONS.INCIDENT_UPDATED, {
+      incidentId: incident._id,
+      updatedFields: Object.keys(req.body).filter((field) =>
+        allowedFields.includes(field)
+      ),
+    });
+
+    res.json({ success: true, data: incident });
+  } catch (err) {
+    next(err);
+  }
+};
+
+// GET SINGLE INCIDENT
+export const getIncident = async (req, res, next) => {
+  try {
+    const incident = await Incident.findById(req.params.id)
+      .populate("shiftId")
+      .populate("guardId");
+
+    if (!incident || incident.isDeleted) {
+      return next(new ErrorResponse("Incident not found", 404));
+    }
+
+    // Guard access
+    if (
+      req.user.role === "guard" &&
+      String(incident.guardId._id) !== String(req.user._id)
+    ) {
+      return next(new ErrorResponse("Not authorized", 403));
+    }
+
+    // Employer access
+    if (req.user.role === "employer") {
+      const shift = await Shift.findById(incident.shiftId._id);
+      if (String(shift.createdBy) !== String(req.user._id)) {
+        return next(new ErrorResponse("Not authorized", 403));
+      }
+    }
+
+    res.json({ success: true, data: incident });
+  } catch (err) {
+    next(err);
+  }
+};
+
+// LIST INCIDENTS (WITH FILTERS)
+export const getIncidents = async (req, res, next) => {
+  try {
+    const { shiftId, guardId, severity, status, startDate, endDate } =
+      req.query;
+
+    let query = { isDeleted: false };
+
+    if (shiftId) query.shiftId = shiftId;
+    if (guardId) query.guardId = guardId;
+    if (severity) query.severity = severity;
+    if (status) query.status = status;
+
+    if (startDate || endDate) {
+      query.createdAt = {};
+      if (startDate) query.createdAt.$gte = new Date(startDate);
+      if (endDate) query.createdAt.$lte = new Date(endDate);
+    }
+
+    // RBAC filtering
+    if (req.user.role === "guard") {
+      query.guardId = req.user._id;
+    }
+
+    if (req.user.role === "employer") {
+      const shifts = await Shift.find({ createdBy: req.user._id }).select(
+        "_id"
+      );
+      query.shiftId = { $in: shifts.map((s) => s._id) };
+    }
+
+    const incidents = await Incident.find(query)
+      .populate("shiftId")
+      .populate("guardId");
+
+    res.json({ success: true, count: incidents.length, data: incidents });
+  } catch (err) {
+    next(err);
+  }
+};
+
+// SOFT DELETE
+export const deleteIncident = async (req, res, next) => {
+  try {
+    const incident = await Incident.findById(req.params.id);
+
+    if (!incident || incident.isDeleted) {
+      return next(new ErrorResponse("Incident not found", 404));
+    }
+
+    incident.isDeleted = true;
+    incident.deletedAt = new Date();
+    incident.deletedBy = req.user._id;
+
+    await incident.save();
+
+    await req.audit.log(req.user._id, ACTIONS.INCIDENT_DELETED, {
+      incidentId: incident._id,
+    });
+
+    res.json({ success: true, message: "Incident deleted" });
+  } catch (err) {
+    next(err);
+  }
+};
+
+// UPLOAD ATTACHMENT
+export const uploadAttachment = async (req, res, next) => {
+  try {
+    const incident = await Incident.findById(req.params.id);
+
+    if (!incident || incident.isDeleted) {
+      return next(new ErrorResponse("Incident not found", 404));
+    }
+
+    // guard can upload only to their own incident
+    if (req.user.role === "guard") {
+      if (String(incident.guardId) !== String(req.user._id)) {
+        return next(new ErrorResponse("Not authorized", 403));
+      }
+    }
+
+    // employer can upload only to incidents on their own shifts
+    if (req.user.role === "employer") {
+      const shift = await Shift.findById(incident.shiftId);
+
+      if (!shift || String(shift.createdBy) !== String(req.user._id)) {
+        return next(new ErrorResponse("Not authorized", 403));
+      }
+    }
+
+    // any non-admin role outside the above is not allowed
+    if (!["guard", "employer", "admin"].includes(req.user.role)) {
+      return next(new ErrorResponse("Not authorized", 403));
+    }
+
+    if (!req.file) {
+      return next(new ErrorResponse("No file uploaded", 400));
+    }
+
+    incident.attachments.push({
+      fileName: req.file.filename,
+      fileUrl: `/uploads/${req.file.filename}`,
+    });
+
+    await incident.save();
+
+    res.json({ success: true, data: incident });
+  } catch (err) {
+    next(err);
+  }
+};
+
+
+// GET ATTACHMENT
+export const getAttachment = async (req, res, next) => {
+  try {
+    const incident = await Incident.findById(req.params.id);
+
+    if (!incident || incident.isDeleted) {
+      return next(new ErrorResponse("Incident not found", 404));
+    }
+
+    if (
+      req.user.role === "guard" &&
+      String(incident.guardId) !== String(req.user._id)
+    ) {
+      return next(new ErrorResponse("Not authorized", 403));
+    }
+
+    if (req.user.role === "employer") {
+      const shift = await Shift.findById(incident.shiftId);
+      if (!shift || String(shift.createdBy) !== String(req.user._id)) {
+        return next(new ErrorResponse("Not authorized", 403));
+      }
+    }
+
+    const attachment = incident.attachments.id(req.params.attachmentId);
+
+    if (!attachment) {
+      return next(new ErrorResponse("Attachment not found", 404));
+    }
+
+    const filePath = path.join(__dirname, "..", "uploads", attachment.fileName);
+    res.download(filePath);
+  } catch (err) {
+    next(err);
+  }
+};

app-backend/src/middleware/logger.js

@@ -29,6 +29,10 @@ export const ACTIONS = {
   SITE_CREATED: 'SITE_CREATED',
   SITE_UPDATED: 'SITE_UPDATED',
   SITE_DELETED: 'SITE_DELETED',
+
+  INCIDENT_CREATED: "INCIDENT_CREATED",
+  INCIDENT_UPDATED: "INCIDENT_UPDATED",
+  INCIDENT_DELETED: "INCIDENT_DELETED",
 };
 
 // Middleware to attach audit logging function to req

app-backend/src/middleware/rbac.js

@@ -23,10 +23,11 @@ const DEFAULT_ROLE_PERMISSIONS = {
   [ROLES.SUPER_ADMIN]: ['*'],
   [ROLES.ADMIN]: [
     'user:read', 'user:write', 'user:delete',
-    'shift:read', 'shift:write', 'shift:assign',
-    'payment:read', 'payment:write', 'payment:refund',
-    'branch:read', 'branch:write',
-    'rbac:read', 'rbac:write',
+  'shift:read', 'shift:write', 'shift:assign',
+  'payment:read', 'payment:write', 'payment:refund',
+  'branch:read', 'branch:write',
+  'rbac:read', 'rbac:write',
+  'incident:create', 'incident:view', 'incident:update', 'incident:delete'
   ],
   [ROLES.BRANCH_ADMIN]: [
     'user:read', 'user:write',
@@ -36,10 +37,12 @@ const DEFAULT_ROLE_PERMISSIONS = {
   ],
   [ROLES.EMPLOYER]: [
     'shift:read', 'shift:write',
-    'payment:read', 'payment:write',
+  'payment:read', 'payment:write',
+  'incident:view', 'incident:update'
   ],
   [ROLES.GUARD]: [
     'shift:read', 'shift:accept', 'shift:checkin', 'shift:apply',
+  'incident:create', 'incident:view', 'incident:update'
   ],
   [ROLES.CLIENT]: [
     'shift:read',