update: Add Global Search on Header, Add Global Audit log for all actions.

backend/crm/orders_router.py

@@ -1,10 +1,13 @@
 from fastapi import APIRouter, Depends, Query
 from typing import Optional
+from sqlalchemy.ext.asyncio import AsyncSession
 
 from auth.models import TokenPayload
 from auth.dependencies import require_permission
 from crm.models import OrderCreate, OrderUpdate, OrderInDB, OrderListResponse
 from crm import service
+from database.postgres import get_pg_session
+from shared.audit import log_action
 
 router = APIRouter(prefix="/api/crm/customers/{customer_id}/orders", tags=["crm-orders"])
 
@@ -29,27 +32,35 @@ def get_next_order_number(
 
 
 @router.post("/init-negotiations", response_model=OrderInDB, status_code=201)
-def init_negotiations(
+async def init_negotiations(
     customer_id: str,
     body: dict,
     _user: TokenPayload = Depends(require_permission("crm", "edit")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
-    return service.init_negotiations(
+    order = service.init_negotiations(
         customer_id=customer_id,
         title=body.get("title", ""),
         note=body.get("note", ""),
         date=body.get("date"),
         created_by=body.get("created_by", ""),
     )
+    await log_action(db, _user.sub, _user.name or _user.email, "CREATE", "order",
+                     order.id, order.order_number or order.id, meta={"action_detail": "negotiations_started"})
+    return order
 
 
 @router.post("", response_model=OrderInDB, status_code=201)
-def create_order(
+async def create_order(
     customer_id: str,
     body: OrderCreate,
     _user: TokenPayload = Depends(require_permission("crm", "edit")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
-    return service.create_order(customer_id, body)
+    order = service.create_order(customer_id, body)
+    await log_action(db, _user.sub, _user.name or _user.email, "CREATE", "order",
+                     order.id, order.order_number or order.id)
+    return order
 
 
 @router.get("/{order_id}", response_model=OrderInDB)
@@ -62,22 +73,37 @@ def get_order(
 
 
 @router.patch("/{order_id}", response_model=OrderInDB)
-def update_order(
+async def update_order(
     customer_id: str,
     order_id: str,
     body: OrderUpdate,
     _user: TokenPayload = Depends(require_permission("crm", "edit")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
-    return service.update_order(customer_id, order_id, body)
+    old = service.get_order(customer_id, order_id)
+    order = service.update_order(customer_id, order_id, body)
+    action = "STATUS_CHANGE" if body.status is not None else "UPDATE"
+    _SKIP = {"updated_at", "id", "customer_id", "items", "timeline", "discount", "shipping", "payment_status"}
+    changes = {
+        k: {"old": getattr(old, k, None), "new": getattr(order, k, None)}
+        for k in body.model_fields_set
+        if k not in _SKIP and getattr(old, k, None) != getattr(order, k, None)
+    }
+    await log_action(db, _user.sub, _user.name or _user.email, action, "order",
+                     order_id, order.order_number or order_id, changes=changes or None)
+    return order
 
 
 @router.delete("/{order_id}", status_code=204)
-def delete_order(
+async def delete_order(
     customer_id: str,
     order_id: str,
     _user: TokenPayload = Depends(require_permission("crm", "edit")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
     service.delete_order(customer_id, order_id)
+    await log_action(db, _user.sub, _user.name or _user.email, "DELETE", "order",
+                     order_id, order_id)
 
 
 @router.post("/{order_id}/timeline", response_model=OrderInDB)