Add SppListing content management PUT endpoint (Phase 6)

Allows SPP admin UI to update listing content — translated texts via
Mobility, price, curated photo order, highlighted features, template,
settings, and arbitrary extra_data. Validates photo IDs belong to the
same property.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: etewiah

app/controllers/api_manage/v1/spp_listings_controller.rb

@@ -8,10 +8,13 @@ module V1
     #   POST /api_manage/v1/:locale/properties/:id/spp_publish   — Publish an SPP listing
     #   POST /api_manage/v1/:locale/properties/:id/spp_unpublish — Unpublish an SPP listing
     #   GET  /api_manage/v1/:locale/properties/:id/spp_leads     — Retrieve property enquiries
+    #   PUT  /api_manage/v1/:locale/spp_listings/:id             — Update SPP listing content
     #
     class SppListingsController < BaseController
       before_action :require_user!
-      before_action :set_property
+      before_action :set_property, only: %i[publish unpublish leads]
+      before_action :set_spp_listing, only: %i[update]
+      before_action :setup_locale, only: %i[update]
 
       # POST /api_manage/v1/:locale/properties/:id/spp_publish
       def publish
@@ -78,6 +81,24 @@ def leads
         render json: messages.map { |msg| lead_json(msg) }
       end
 
+      # PUT /api_manage/v1/:locale/spp_listings/:id
+      def update
+        if spp_listing_params.key?(:photo_ids_ordered)
+          return unless valid_photo_ids?
+        end
+
+        attrs = spp_listing_params.to_h
+        # Ensure photo IDs are stored as integers in JSONB
+        if attrs.key?('photo_ids_ordered')
+          attrs['photo_ids_ordered'] = attrs['photo_ids_ordered'].map(&:to_s).reject(&:blank?).map(&:to_i)
+        end
+
+        @spp_listing.assign_attributes(attrs)
+        @spp_listing.save!
+
+        render json: spp_listing_json(@spp_listing)
+      end
+
       private
 
       def set_property
@@ -104,6 +125,73 @@ def lead_json(message)
           isNew: !message.read? || message.created_at > 48.hours.ago
         }
       end
+
+      def set_spp_listing
+        @spp_listing = Pwb::SppListing
+          .joins(:realty_asset)
+          .where(pwb_realty_assets: { website_id: current_website.id })
+          .find(params[:id])
+      end
+
+      def setup_locale
+        locale = params[:locale] || I18n.default_locale
+        I18n.locale = locale.to_sym
+      end
+
+      def spp_listing_params
+        params.permit(
+          :title, :description, :seo_title, :meta_description,
+          :price_cents, :price_currency,
+          :template,
+          photo_ids_ordered: [],
+          highlighted_features: [],
+          spp_settings: {},
+          extra_data: {}
+        )
+      end
+
+      def valid_photo_ids?
+        ids = spp_listing_params[:photo_ids_ordered]
+        return true if ids.blank?
+
+        # Filter out blanks that can come from empty array serialization
+        int_ids = ids.map(&:to_s).reject(&:blank?).map(&:to_i)
+        return true if int_ids.empty?
+
+        valid_ids = @spp_listing.realty_asset.prop_photos.pluck(:id)
+        invalid = int_ids - valid_ids
+        return true if invalid.empty?
+
+        render json: {
+          success: false,
+          error: 'Invalid photo IDs',
+          message: "Photo IDs #{invalid.join(', ')} do not belong to this property"
+        }, status: :unprocessable_entity
+        false
+      end
+
+      def spp_listing_json(listing)
+        {
+          id: listing.id,
+          listingType: listing.listing_type,
+          title: listing.title,
+          description: listing.description,
+          seoTitle: listing.seo_title,
+          metaDescription: listing.meta_description,
+          priceCents: listing.price_cents,
+          priceCurrency: listing.price_currency,
+          photoIdsOrdered: listing.photo_ids_ordered,
+          highlightedFeatures: listing.highlighted_features,
+          template: listing.template,
+          sppSettings: listing.spp_settings,
+          extraData: listing.extra_data,
+          active: listing.active,
+          visible: listing.visible,
+          liveUrl: listing.live_url,
+          publishedAt: listing.published_at&.iso8601,
+          updatedAt: listing.updated_at.iso8601
+        }
+      end
     end
   end
 end

config/routes.rb

@@ -843,6 +843,9 @@
           end
         end
 
+        # SPP listing content management (standalone resource)
+        resources :spp_listings, only: [:update], controller: 'spp_listings'
+
         # AI-powered social media content generation
         namespace :ai do
           resources :social_posts, only: [:index, :show, :create, :update, :destroy] do

spec/requests/api_manage/v1/spp_listings_update_spec.rb

@@ -0,0 +1,244 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'ApiManage::V1::SppListings#update', type: :request do
+  let!(:website) { create(:pwb_website) }
+  let!(:user) { create(:pwb_user, :admin, website: website) }
+  let!(:property) { create(:pwb_realty_asset, website: website) }
+  let!(:spp_listing) do
+    create(:pwb_spp_listing, :published,
+           realty_asset: property,
+           listing_type: 'sale')
+  end
+
+  let(:auth_headers) do
+    {
+      'HTTP_HOST' => "#{website.subdomain}.localhost",
+      'X-User-Email' => user.email
+    }
+  end
+
+  let(:endpoint) { "/api_manage/v1/en/spp_listings/#{spp_listing.id}" }
+
+  before do
+    ActsAsTenant.current_tenant = website
+  end
+
+  after do
+    ActsAsTenant.current_tenant = nil
+  end
+
+  # ============================================
+  # Basic Content Updates
+  # ============================================
+  describe 'updating translated fields' do
+    it 'updates title via Mobility in the specified locale' do
+      put endpoint, params: { title: 'Your Dream Mediterranean Retreat' }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['title']).to eq('Your Dream Mediterranean Retreat')
+
+      spp_listing.reload
+      Mobility.with_locale(:en) do
+        expect(spp_listing.title).to eq('Your Dream Mediterranean Retreat')
+      end
+    end
+
+    it 'stores translations in the correct locale' do
+      put "/api_manage/v1/es/spp_listings/#{spp_listing.id}",
+          params: { title: 'Tu Refugio Mediterraneo' },
+          headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+
+      spp_listing.reload
+      Mobility.with_locale(:es) do
+        expect(spp_listing.title).to eq('Tu Refugio Mediterraneo')
+      end
+    end
+
+    it 'updates description and SEO fields' do
+      put endpoint, params: {
+        description: 'Imagine waking up to the sound of waves...',
+        seo_title: 'Luxury Biarritz Apartment',
+        meta_description: 'Stunning 3-bed apartment in Biarritz...'
+      }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['description']).to eq('Imagine waking up to the sound of waves...')
+      expect(json['seoTitle']).to eq('Luxury Biarritz Apartment')
+      expect(json['metaDescription']).to eq('Stunning 3-bed apartment in Biarritz...')
+    end
+  end
+
+  # ============================================
+  # Price Updates
+  # ============================================
+  describe 'updating price' do
+    it 'updates price_cents and price_currency' do
+      put endpoint, params: { price_cents: 550_000_00, price_currency: 'USD' }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['priceCents']).to eq(550_000_00)
+      expect(json['priceCurrency']).to eq('USD')
+    end
+  end
+
+  # ============================================
+  # Photo IDs Ordered
+  # ============================================
+  describe 'updating photo_ids_ordered' do
+    let!(:photo1) { create(:pwb_prop_photo, realty_asset: property, sort_order: 1) }
+    let!(:photo2) { create(:pwb_prop_photo, realty_asset: property, sort_order: 2) }
+    let!(:photo3) { create(:pwb_prop_photo, realty_asset: property, sort_order: 3) }
+
+    it 'accepts valid photo IDs belonging to the same property' do
+      put endpoint, params: { photo_ids_ordered: [photo3.id, photo1.id] }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['photoIdsOrdered']).to eq([photo3.id, photo1.id])
+    end
+
+    it 'rejects photo IDs from a different property' do
+      other_property = create(:pwb_realty_asset, website: website)
+      other_photo = create(:pwb_prop_photo, realty_asset: other_property)
+
+      put endpoint, params: { photo_ids_ordered: [photo1.id, other_photo.id] }, headers: auth_headers
+
+      expect(response).to have_http_status(:unprocessable_entity)
+      json = response.parsed_body
+      expect(json['error']).to eq('Invalid photo IDs')
+      expect(json['message']).to include(other_photo.id.to_s)
+    end
+
+    it 'accepts an empty array to reset to default order' do
+      spp_listing.update!(photo_ids_ordered: [photo2.id, photo1.id])
+
+      put endpoint, params: { photo_ids_ordered: [] }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['photoIdsOrdered']).to eq([])
+    end
+  end
+
+  # ============================================
+  # Highlighted Features
+  # ============================================
+  describe 'updating highlighted_features' do
+    it 'accepts an array of feature keys' do
+      put endpoint, params: { highlighted_features: %w[sea_views private_pool parking] }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['highlightedFeatures']).to eq(%w[sea_views private_pool parking])
+    end
+  end
+
+  # ============================================
+  # Template and Settings
+  # ============================================
+  describe 'updating template and spp_settings' do
+    it 'updates the template' do
+      put endpoint, params: { template: 'modern' }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['template']).to eq('modern')
+    end
+
+    it 'updates spp_settings' do
+      put endpoint, params: { spp_settings: { color_scheme: 'dark', layout: 'full-width' } }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['sppSettings']).to eq({ 'color_scheme' => 'dark', 'layout' => 'full-width' })
+    end
+  end
+
+  # ============================================
+  # Extra Data (Arbitrary JSON)
+  # ============================================
+  describe 'updating extra_data' do
+    it 'accepts arbitrary JSON' do
+      extra = {
+        agent_name: 'Marie Dupont',
+        agent_phone: '+33 6 12 34 56 78',
+        video_tour_url: 'https://youtube.com/watch?v=abc123'
+      }
+
+      put endpoint, params: { extra_data: extra }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json['extraData']['agent_name']).to eq('Marie Dupont')
+      expect(json['extraData']['video_tour_url']).to eq('https://youtube.com/watch?v=abc123')
+    end
+  end
+
+  # ============================================
+  # Response Format
+  # ============================================
+  describe 'response format' do
+    it 'returns the full SppListing JSON' do
+      put endpoint, params: { title: 'Updated Title' }, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      json = response.parsed_body
+      expect(json).to include(
+        'id', 'listingType', 'title', 'description',
+        'seoTitle', 'metaDescription', 'priceCents', 'priceCurrency',
+        'photoIdsOrdered', 'highlightedFeatures', 'template',
+        'sppSettings', 'extraData', 'active', 'visible',
+        'liveUrl', 'publishedAt', 'updatedAt'
+      )
+    end
+  end
+
+  # ============================================
+  # Authentication & Authorization
+  # ============================================
+  describe 'authentication' do
+    it 'returns 401 without authentication' do
+      put endpoint, params: { title: 'Test' },
+                    headers: { 'HTTP_HOST' => "#{website.subdomain}.localhost" }
+
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
+
+  # ============================================
+  # Tenant Isolation
+  # ============================================
+  describe 'tenant isolation' do
+    it 'returns 404 for SppListings belonging to other tenants' do
+      other_website = create(:pwb_website, subdomain: 'other-tenant')
+      other_property = create(:pwb_realty_asset, website: other_website)
+      other_listing = create(:pwb_spp_listing, :published, realty_asset: other_property)
+
+      put "/api_manage/v1/en/spp_listings/#{other_listing.id}",
+          params: { title: 'Hijack attempt' },
+          headers: auth_headers
+
+      expect(response).to have_http_status(:not_found)
+    end
+  end
+
+  # ============================================
+  # Not Found
+  # ============================================
+  describe 'non-existent listing' do
+    it 'returns 404 for unknown IDs' do
+      put '/api_manage/v1/en/spp_listings/00000000-0000-0000-0000-000000000000',
+          params: { title: 'Test' },
+          headers: auth_headers
+
+      expect(response).to have_http_status(:not_found)
+    end
+  end
+end