feat(1099): add recipient and report controllers

Payee1099Controller (api/payee-1099): CRUD + TIN reveal, class-level Read gate, method-level Write/Delete overrides — mirrors the HasPermission class+method stacking pattern from ExpensesController. Form1099ReportController (api/form1099-report): boxes, annual summary, and per-recipient detail; read-only, no method-level overrides needed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 17:06:49 -07:00
parent 0a9b82544d
commit 7c5348969b
2 changed files with 69 additions and 0 deletions
@@ -0,0 +1,25 @@
+using Microsoft.AspNetCore.Mvc;
+using ROLAC.API.Authorization;
+using ROLAC.API.Services;
+
+namespace ROLAC.API.Controllers;
+
+[ApiController]
+[Route("api/form1099-report")]
+[HasPermission(Modules.Form1099, PermissionActions.Read)]
+public class Form1099ReportController : ControllerBase
+{
+    private readonly IForm1099ReportService _svc;
+    public Form1099ReportController(IForm1099ReportService svc) => _svc = svc;
+
+    [HttpGet("boxes")]
+    public async Task<IActionResult> Boxes() => Ok(await _svc.GetBoxesAsync());
+
+    [HttpGet("summary")]
+    public async Task<IActionResult> Summary([FromQuery] int taxYear)
+        => Ok(await _svc.GetAnnualSummaryAsync(taxYear));
+
+    [HttpGet("recipient/{payeeId:int}")]
+    public async Task<IActionResult> Recipient(int payeeId, [FromQuery] int taxYear)
+        => await _svc.GetRecipientDetailAsync(payeeId, taxYear) is { } d ? Ok(d) : NotFound();
+}
@@ -0,0 +1,44 @@
+using Microsoft.AspNetCore.Mvc;
+using ROLAC.API.Authorization;
+using ROLAC.API.DTOs.Payee;
+using ROLAC.API.Services;
+
+namespace ROLAC.API.Controllers;
+
+[ApiController]
+[Route("api/payee-1099")]
+[HasPermission(Modules.Form1099, PermissionActions.Read)]
+public class Payee1099Controller : ControllerBase
+{
+    private readonly IPayee1099Service _svc;
+    public Payee1099Controller(IPayee1099Service svc) => _svc = svc;
+
+    [HttpGet]
+    public async Task<IActionResult> GetAll([FromQuery] bool includeInactive = false)
+        => Ok(await _svc.GetAllAsync(includeInactive));
+
+    [HttpGet("{id:int}")]
+    public async Task<IActionResult> GetById(int id)
+        => await _svc.GetByIdAsync(id) is { } dto ? Ok(dto) : NotFound();
+
+    [HttpPost]
+    [HasPermission(Modules.Form1099, PermissionActions.Write)]
+    public async Task<IActionResult> Create([FromBody] SavePayee1099Request r)
+        => Ok(new { id = await _svc.CreateAsync(r) });
+
+    [HttpPut("{id:int}")]
+    [HasPermission(Modules.Form1099, PermissionActions.Write)]
+    public async Task<IActionResult> Update(int id, [FromBody] SavePayee1099Request r)
+    { await _svc.UpdateAsync(id, r); return NoContent(); }
+
+    [HttpDelete("{id:int}")]
+    [HasPermission(Modules.Form1099, PermissionActions.Delete)]
+    public async Task<IActionResult> Delete(int id)
+    { await _svc.DeleteAsync(id); return NoContent(); }
+
+    // Full TIN reveal is gated on Write (a stronger right than Read).
+    [HttpGet("{id:int}/tin")]
+    [HasPermission(Modules.Form1099, PermissionActions.Write)]
+    public async Task<IActionResult> RevealTin(int id)
+        => Ok(new { tin = await _svc.RevealTinAsync(id) });
+}