feat: another security sweep

api/src/app/routes/suggestions/index.ts

@@ -7,6 +7,7 @@ import type {
   SuggestionEntity,
   CreateSuggestionDto,
   DeclineSuggestionDto,
+  AcceptWithEditsDto,
 } from "@library/shared-types";
 import { adminGuard } from "../../middleware/admin-guard";
 import { bannedGuard } from "../../middleware/banned-guard";
@@ -132,7 +133,7 @@ export default async function (app: FastifyInstance): Promise<void> {
   );
 
   // Accept a suggestion with edits (admin only)
-  app.put<{ Params: { id: string }; Body: any }>(
+  app.put<{ Params: { id: string }; Body: AcceptWithEditsDto }>(
     "/:id/accept-with-edits",
     {
       preHandler: [app.authenticate, adminGuard, app.csrfProtection],
@@ -192,4 +193,36 @@ export default async function (app: FastifyInstance): Promise<void> {
       }
     }
   );
+
+  // Delete a suggestion (owner or admin only, only if unreviewed)
+  app.delete<{ Params: { id: string } }>(
+    "/:id",
+    {
+      preHandler: [app.authenticate, app.csrfProtection],
+    },
+    async (request, reply) => {
+      const { id } = request.params;
+      const userId = request.user.id;
+      const isAdmin = request.user.isAdmin;
+
+      try {
+        const suggestion = await SuggestionService.deleteSuggestion(id, userId, isAdmin);
+
+        await AuditService.logFromRequest(request, {
+          action: AuditAction.ENTRY_DELETE,
+          category: isAdmin ? AuditCategory.ADMIN : AuditCategory.CONTENT,
+          resourceType: "Suggestion",
+          resourceId: suggestion.id,
+          details: `Deleted ${suggestion.entityType} suggestion: ${suggestion.title}`,
+          success: true,
+        });
+
+        reply.send({ success: true });
+      } catch (error) {
+        return reply.badRequest(
+          error instanceof Error ? error.message : "Failed to delete suggestion"
+        );
+      }
+    }
+  );
 }