feat(api): add status-only update endpoints for orders and reservations

Author: sampoyigi

docs/orders.md

@@ -501,6 +501,41 @@ Status: 200 OK
 }
 ```
 
+### Update order status
+
+Updates only the order status. Use this when you only need to change the status (e.g. from pending to completed) without sending other order fields.
+
+Required abilities: `orders:write`
+
+```
+PATCH /api/orders/:order_id/status
+```
+
+#### Parameters
+
+| Key               | Type     | Description                                                                 |
+|-------------------|----------|-----------------------------------------------------------------------------|
+| `status_id`       | `integer`| **Required**. The Unique Identifier of the status to assign to the order.  |
+| `comment`  | `string` | Optional comment to attach to the status change (max 500 characters).     |
+| `notify`         | `boolean`| Optional. Whether to notify the customer of the status change (default: false). |
+
+#### Payload example
+
+```json
+{
+    "status_id": 4,
+    "status_comment": "Order ready for collection"
+}
+```
+
+#### Response
+
+```html
+Status: 200 OK
+```
+
+Returns the updated order object in the same shape as the retrieve/update response (including the new `status_id` and `status_updated_at`).
+
 ### Delete an order
 
 Permanently deletes an order. It cannot be undone.

docs/reservations.md

@@ -364,7 +364,6 @@ PATCH /api/reservations/:reservation_id
 | `email`                | `string`  | The reservation's email address                                                                         |
 | `telephone`            | `string`  | The reservation's telephone number                                                                      |
 | `newsletter`           | `boolean` | Whether the reservation opts into newsletter marketing                                                  |
-| `reservation_group_id` | `integer` | The group the reservation belongs to, if any.                                                           |
 | `status`               | `boolean` | Has the value `true` if the reservation is enabled or the value `false` if the reservation is disabled. |
 | `addresses`            | `array`   | The reservation's addresses, if any                                                                     |
 
@@ -418,6 +417,42 @@ Status: 200 OK
 }
 ```
 
+### Update reservation status
+
+Updates only the reservation status. Use this when you only need to change the status (e.g. from pending to confirmed) without sending other reservation fields. Only staff tokens may update reservation status; customer tokens receive 403.
+
+Required abilities: `reservations:write`
+
+```
+PATCH /api/reservations/:reservation_id/status
+```
+
+#### Parameters
+
+| Key          | Type     | Description                                                                 |
+|--------------|----------|-----------------------------------------------------------------------------|
+| `status_id`  | `integer`| **Required**. The Unique Identifier of the status to assign (must exist in `statuses`). |
+| `comment`    | `string` | Optional comment to attach to the status change (max 500 characters).     |
+| `notify`     | `boolean`| Whether to notify the customer of the status change.                        |
+
+#### Payload example
+
+```json
+{
+    "status_id": 8,
+    "comment": "Table confirmed",
+    "notify": true
+}
+```
+
+#### Response
+
+```html
+Status: 200 OK
+```
+
+Returns the updated reservation object in the same shape as the retrieve/update response (including the new `status_id` and `status_updated_at`).
+
 ### Delete a reservation
 
 Permanently deletes a reservation. It cannot be undone.

src/ApiResources/Orders.php

@@ -6,9 +6,12 @@
 
 use Igniter\Api\ApiResources\Repositories\OrderRepository;
 use Igniter\Api\ApiResources\Requests\OrderRequest;
+use Igniter\Api\ApiResources\Requests\StatusRequest;
 use Igniter\Api\ApiResources\Transformers\OrderTransformer;
 use Igniter\Api\Classes\ApiController;
 use Igniter\Api\Http\Actions\RestController;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
  * Orders API Controller
@@ -26,6 +29,7 @@ class Orders extends ApiController
             'show' => [],
             'update' => [],
             'destroy' => [],
+            'updateStatus' => [],
         ],
         'request' => OrderRequest::class,
         'repository' => OrderRepository::class,
@@ -34,6 +38,30 @@ class Orders extends ApiController
 
     protected string|array $requiredAbilities = ['orders:*'];
 
+    public function updateStatus(StatusRequest $request, int $orderId): Response
+    {
+        throw_if(
+            ($token = $this->getToken()) && $token->isForCustomer(),
+            new AccessDeniedHttpException('Customers are not allowed to update order status.')
+        );
+
+        $data = $request->validated();
+
+        $order = app(OrderRepository::class)->find($orderId);
+
+        $data['staff_id'] = $this->user()->getKey();
+
+        $order->updateOrderStatus((int) $data['status_id'], array_only($data, ['comment', 'notify', 'staff_id']));
+
+        $response = $this->fractal()
+            ->item($order->refresh())
+            ->transformWith(new OrderTransformer)
+            ->withResourceName('orders')
+            ->toArray();
+
+        return response()->json($response);
+    }
+
     public function restAfterSave($model): void
     {
         if ($orderMenus = (array)request()->input('order_menus', [])) {

src/ApiResources/Requests/StatusRequest.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Igniter\Api\ApiResources\Requests;
+
+use Igniter\System\Classes\FormRequest;
+use Override;
+
+class StatusRequest extends FormRequest
+{
+    #[Override]
+    public function attributes(): array
+    {
+        return [
+            'comment' => lang('igniter::admin.statuses.label_comment'),
+            'notify' => lang('igniter::admin.statuses.label_notify_customer'),
+        ];
+    }
+
+    public function rules(): array
+    {
+        return [
+            'status_id' => ['required', 'integer', 'exists:statuses,status_id'],
+            'comment' => ['nullable', 'string', 'max:500'],
+            'notify' => ['nullable', 'boolean'],
+        ];
+    }
+}

src/ApiResources/Reservations.php

@@ -6,9 +6,12 @@
 
 use Igniter\Api\ApiResources\Repositories\ReservationRepository;
 use Igniter\Api\ApiResources\Requests\ReservationRequest;
+use Igniter\Api\ApiResources\Requests\StatusRequest;
 use Igniter\Api\ApiResources\Transformers\ReservationTransformer;
 use Igniter\Api\Classes\ApiController;
 use Igniter\Api\Http\Actions\RestController;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
  * Reservations API Controller
@@ -26,11 +29,36 @@ class Reservations extends ApiController
             'show' => [],
             'update' => [],
             'destroy' => [],
+            'updateStatus' => [],
         ],
         'request' => ReservationRequest::class,
         'repository' => ReservationRepository::class,
         'transformer' => ReservationTransformer::class,
     ];
 
     protected string|array $requiredAbilities = ['reservations:*'];
+
+    public function updateStatus(StatusRequest $request, int $reservationId): Response
+    {
+        throw_if(
+            ($token = $this->getToken()) && $token->isForCustomer(),
+            new AccessDeniedHttpException('Customers are not allowed to update reservation status.')
+        );
+
+        $data = $request->validated();
+
+        $reservation = app(ReservationRepository::class)->find($reservationId);
+
+        $data['staff_id'] = $this->user()->getKey();
+
+        $reservation->addStatusHistory((int) $data['status_id'], array_only($data, ['comment', 'notify', 'staff_id']));
+
+        $response = $this->fractal()
+            ->item($reservation->refresh())
+            ->transformWith(new ReservationTransformer)
+            ->withResourceName('reservations')
+            ->toArray();
+
+        return response()->json($response);
+    }
 }

src/Extension.php

@@ -31,6 +31,7 @@
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\RateLimiter;
+use Illuminate\Support\Facades\Route;
 use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
 use Laravel\Sanctum\Sanctum;
 use Laravel\Sanctum\SanctumServiceProvider;
@@ -70,6 +71,8 @@ public function boot(): void
     {
         $this->configureRateLimiting();
 
+        $this->registerStatusUpdateRoute();
+
         // Register all the available API routes
         ApiManager::registerRoutes();
 
@@ -286,4 +289,16 @@ protected function configureRateLimiting()
     {
         RateLimiter::for('api', fn(Request $request) => Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip()));
     }
+
+    protected function registerStatusUpdateRoute(): void
+    {
+        Route::middleware(config('igniter-api.middleware'))
+            ->prefix(config('igniter-api.prefix'))
+            ->group(function(): void {
+                Route::patch('orders/{orderId}/status', [Orders::class, 'updateStatus'])
+                    ->name('igniter.api.orders.update_status');
+                Route::patch('reservations/{reservationId}/status', [Reservations::class, 'updateStatus'])
+                    ->name('igniter.api.reservations.update_status');
+            });
+    }
 }

tests/ApiResources/OrdersTest.php

@@ -213,6 +213,58 @@
         ->assertJsonPath('data.attributes.order_type', Location::COLLECTION);
 });
 
+it('updates order status', function(): void {
+    Sanctum::actingAs(User::factory()->create(), ['orders:*']);
+    $order = Order::factory()->create();
+    $newStatus = Status::isForOrder()->first();
+
+    $this
+        ->patch(route('igniter.api.orders.update_status', [$order->getKey()]), [
+            'status_id' => $newStatus->getKey(),
+        ])
+        ->assertOk()
+        ->assertJsonPath('data.id', (string)$order->getKey())
+        ->assertJsonPath('data.attributes.status_id', $newStatus->getKey());
+});
+
+it('updates order status with comment', function(): void {
+    Sanctum::actingAs(User::factory()->create(), ['orders:*']);
+    $order = Order::factory()->create();
+    $newStatus = Status::isForOrder()->first();
+
+    $this
+        ->patch(route('igniter.api.orders.update_status', [$order->getKey()]), [
+            'status_id' => $newStatus->getKey(),
+            'status_comment' => 'Ready for collection',
+        ])
+        ->assertOk()
+        ->assertJsonPath('data.attributes.status_id', $newStatus->getKey());
+});
+
+it('fails to update order status when status_id is missing', function(): void {
+    Sanctum::actingAs(User::factory()->create(), ['orders:*']);
+    $order = Order::factory()->create();
+
+    $this
+        ->patch(route('igniter.api.orders.update_status', [$order->getKey()]), [
+            'status_comment' => 'Comment only',
+        ])
+        ->assertStatus(422);
+});
+
+it('can not update order status as customer', function(): void {
+    $customer = Sanctum::actingAs(Customer::factory()->create(), ['orders:*']);
+    $customer->currentAccessToken()->shouldReceive('isForCustomer')->andReturnTrue();
+    $order = Order::factory()->create();
+    $newStatus = Status::isForOrder()->first();
+
+    $this
+        ->patch(route('igniter.api.orders.update_status', [$order->getKey()]), [
+            'status_id' => $newStatus->getKey(),
+        ])
+        ->assertStatus(403);
+});
+
 it('deletes an order', function(): void {
     Sanctum::actingAs(User::factory()->create(), ['orders:*']);
     $order = Order::factory()->create();

tests/ApiResources/Requests/OrderStatusRequestTest.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Igniter\Api\Tests\ApiResources\Requests;
+
+use Igniter\Api\ApiResources\Requests\StatusRequest;
+
+it('returns correct attribute labels', function(): void {
+    $request = new StatusRequest;
+
+    $attributes = $request->attributes();
+
+    expect($attributes)->toHaveKey('comment', lang('igniter::admin.statuses.label_comment'))
+        ->and($attributes)->toHaveKey('notify', lang('igniter::admin.statuses.label_notify_customer'));
+});
+
+it('returns correct validation rules', function(): void {
+    $request = new StatusRequest;
+
+    $rules = $request->rules();
+
+    expect($rules)->toHaveKey('status_id')
+        ->and($rules)->toHaveKey('comment')
+        ->and($rules)->toHaveKey('notify')
+        ->and($rules['status_id'])->toContain('required', 'integer', 'exists:statuses,status_id')
+        ->and($rules['comment'])->toContain('nullable', 'string', 'max:500')
+        ->and($rules['notify'])->toContain('nullable', 'boolean');
+});