allow admin to cancel appointments

cjustinobi · cjustinobi · commit bf6741b136b1 · 2026-04-10T16:01:10.000+01:00
diff --git a/src/docs.rs b/src/docs.rs
@@ -52,6 +52,7 @@ use utoipa::openapi::security::{HttpAuthScheme, HttpBuilder, SecurityScheme};
         specialists::add_specialty,
         specialists::list_specialties,
         specialists::upload_license,
+        specialists::get_patient_profile,
         appointments::get_appointments,
         appointments::create_appointment,
         appointments::confirm_appointment,
diff --git a/src/handlers/specialists.rs b/src/handlers/specialists.rs
@@ -354,3 +354,49 @@ pub async fn upload_license(
         url,
     ))
 }
+
+/// Get patient profile for a specialist
+///
+/// Retrieves a patient's full profile including appointments and donation history.
+#[utoipa::path(
+    get,
+    path = "/api/specialists/patients/{id}",
+    responses(
+        (status = 200, body = ApiResponse<crate::admin::dtos::AdminPatientProfileResponse>),
+        (status = 401, description = "Unauthorized"),
+        (status = 403, description = "Forbidden"),
+        (status = 404, description = "User not found"),
+        (status = 500)
+    ),
+    tag = "specialists",
+    security(("bearer_auth" = []))
+)]
+pub async fn get_patient_profile(
+    State(state): State<AppState>,
+    Extension(user): Extension<User>,
+    Path(patient_id): Path<Uuid>,
+) -> Result<ApiResponse<crate::admin::dtos::AdminPatientProfileResponse>, AppError> {
+    use crate::schema::users;
+    use crate::utils::enums::Role;
+
+    if user.role != Role::Specialist {
+        return Err(AppError::Unauthorized("Only specialists can access this".into()));
+    }
+
+    let mut conn = state.pool.get()?;
+
+    // Fetch user to check that they are actually a patient
+    let target_user = users::table
+        .find(patient_id)
+        .select(User::as_select())
+        .first::<User>(&mut conn)
+        .map_err(|_| AppError::NotFound("Patient not found".into()))?;
+
+    match target_user.role {
+        Role::Patient | Role::Donor | Role::PatientDonor => {
+            let profile = crate::admin::dashboard::get_admin_patient_profile(&mut conn, patient_id)?;
+            Ok(ApiResponse::success(profile))
+        }
+        _ => Err(AppError::BadRequest("User is not a patient".into()))
+    }
+}
diff --git a/src/hospitals/appointments.rs b/src/hospitals/appointments.rs
@@ -111,7 +111,17 @@ pub fn reschedule_appointment(
         Role::Donor | Role::Patient | Role::PatientDonor => {
             assert_user_owns_appointment(conn, appointment_id, user.id)?;
         }
-        _ => return Err(AppError::Unauthorized("Invalid role".into())),
+        Role::Specialist => {
+            assert_specialist_owns_appointment(conn, appointment_id, user.id)?;
+        }
+        Role::Admin => {
+            // user role is admin. if role is admin, allow it.
+            appointments::table
+                .filter(appointments::id.eq(appointment_id))
+                .select(Appointment::as_select())
+                .first(conn)
+                .map_err(|_| AppError::NotFound("Appointment not found".into()))?;
+        }
     }
 
     diesel::update(appointments::table.find(appointment_id))
@@ -271,6 +281,14 @@ pub fn cancel_appointment(
         Role::Donor | Role::Patient | Role::PatientDonor => {
             assert_user_owns_appointment(conn, appointment_id, user.id)?
         }
+        Role::Specialist => assert_specialist_owns_appointment(conn, appointment_id, user.id)?,
+        Role::Admin => {
+            appointments::table
+                .filter(appointments::id.eq(appointment_id))
+                .select(Appointment::as_select())
+                .first(conn)
+                .map_err(|_| AppError::NotFound("Appointment not found".into()))?
+        }
         _ => return Err(AppError::Unauthorized("Invalid role".into())),
     };
 
@@ -343,3 +361,16 @@ fn assert_user_owns_appointment(
         .first(conn)
         .map_err(|_| AppError::Unauthorized("Appointment not owned by user".into()))
 }
+
+fn assert_specialist_owns_appointment(
+    conn: &mut PgConnection,
+    appointment_id: Uuid,
+    specialist_id: Uuid,
+) -> Result<Appointment, AppError> {
+    appointments::table
+        .filter(appointments::id.eq(appointment_id))
+        .filter(appointments::specialist_id.eq(specialist_id))
+        .select(Appointment::as_select())
+        .first(conn)
+        .map_err(|_| AppError::Unauthorized("Appointment not owned by specialist".into()))
+}
diff --git a/src/routes/specialists.rs b/src/routes/specialists.rs
@@ -17,4 +17,5 @@ pub fn protected_router() -> Router<AppState> {
         .route("/{id}", put(specialists::update_specialist))
         .route("/specialties", post(specialists::add_specialty))
         .route("/license", post(specialists::upload_license))
+        .route("/patients/{id}", get(specialists::get_patient_profile))
 }

Original file line number	Diff line number	Diff line change
`@@ -17,4 +17,5 @@ pub fn protected_router() -> Router<AppState> {`
`17`	`17`	`.route("/{id}", put(specialists::update_specialist))`
`18`	`18`	`.route("/specialties", post(specialists::add_specialty))`
`19`	`19`	`.route("/license", post(specialists::upload_license))`
	`20`	`+ .route("/patients/{id}", get(specialists::get_patient_profile))`
`20`	`21`	`}`