CLONESAHIBINDEN

FRONTEND GUIDE FOR AI CODING AGENTS - PART 6 - AdminModeration Service

This document is a part of a REST API guide for the clonesahibinden project. It is designed for AI agents that will generate frontend code to consume the project’s backend.

This document provides extensive instructions for using the adminModeration service.

Service Access

AdminModeration service management is handled through service-specific base URLs.

AdminModeration service may be deployed to the preview server, staging server, or production server. Therefore, it has 3 access URLs. The frontend application must support all deployment environments during development, and the user should be able to select the target API server on the login page (already handled in Part 1).

For the adminModeration service, the base URLs are:

Scope

AdminModeration Service Description

Admin and moderation service for logging, approval/denial, banning, role/config management, and audit actions. Orchestrates administrative and moderation business APIs, ensures every critical action is logged for traceability, and enables moderator/admin workflows.

AdminModeration service provides APIs and business logic for the following data objects in the clonesahibinden application. Each data object may be either a central domain of the application data structure or a related helper data object for a central concept. Note that the data object concept is equivalent to the table concept in the database: in the service database each data object is represented as a DB table schema and the object instances as table rows.

adminActionLog Data Object: Records every moderation/admin action: who, what, target, reason, metadata, and timestamp. Used for full audit compliance and enables appeals, overrides, and reporting. Immutable except for soft delete.

AdminModeration Service Frontend Description By The Backend Architect

This service exposes moderation/admin workflows (approve/deny/ban/role assign/etc.), drives all admin UI and logs, and provides full audit trail for compliance/appeal. All actions must be routed through APIs here for UI management. For each operation, expect immediate confirmation or actionable error feedback. Admin/facilitator/frontends can use listAdminActionLogs for reporting, with filters by action/target/date/admin. Logs are immutable; update/delete not supported. Dashboard metrics/status endpoints can be routed here or via BFF as needed.

API Structure

Object Structure of a Successful Response

When the service processes requests successfully, it wraps the requested resource(s) within a JSON envelope. This envelope includes the data and essential metadata such as configuration details and pagination information, providing context to the client.

HTTP Status Codes:

Success Response Format:

For successful operations, the response includes a "status": "OK" property, signaling that the request executed successfully. The structure of a successful response is outlined below:

{
  "status":"OK",
  "statusCode": 200,   
  "elapsedMs":126,
  "ssoTime":120,
  "source": "db",
  "cacheKey": "hexCode",
  "userId": "ID",
  "sessionId": "ID",
  "requestId": "ID",
  "dataName":"products",
  "method":"GET",
  "action":"list",
  "appVersion":"Version",
  "rowCount":3,
  "products":[{},{},{}],
  "paging": {
    "pageNumber":1, 
    "pageRowCount":25, 
    "totalRowCount":3,
    "pageCount":1
  },
  "filters": [],
  "uiPermissions": []
}

Additional Data

Each API may include additional data besides the main data object, depending on the business logic of the API. These will be provided in each API’s response signature.

Error Response

If a request encounters an issue—whether due to a logical fault or a technical problem—the service responds with a standardized JSON error structure. The HTTP status code indicates the nature of the error, using commonly recognized codes for clarity:

Each error response is structured to provide meaningful insight into the problem, assisting in efficient diagnosis and resolution.

{
  "result": "ERR",
  "status": 400,
  "message": "errMsg_organizationIdisNotAValidID",
  "errCode": 400,
  "date": "2024-03-19T12:13:54.124Z",
  "detail": "String"
}

Bucket Management

(This information is also given in PART 1 prompt.)

This application has a bucket service used to store user files and other object-related files. The bucket service is login-agnostic, so for write operations or private reads, include a bucket token (provided by services) in the request’s Authorization header as a Bearer token.

Please note that all other business services require the access token in the Bearer header, while the bucket service expects a bucket token because it is login-agnostic. Ensure you manage the required token injection properly; any auth interceptor should not replace the bucket token with the access token.

User Bucket

This bucket stores public user files for each user.

When a user logs in—or in the /currentuser response—there is a userBucketToken to use when sending user-related public files to the bucket service.

{
  //...
  "userBucketToken": "e56d...."
}

To upload a file

POST {baseUrl}/bucket/upload

The request body is form-data which includes the bucketId and the file binary in the files field.

{
    bucketId: "{userId}-public-user-bucket",
    files: {binary}
}

Response status is 200 on success, e.g., body:

{
    "success": true,
    "data": [
        {
            "fileId": "9da03f6d-0409-41ad-bb06-225a244ae408",
            "originalName": "test (10).png",
            "mimeType": "image/png",
            "size": 604063,
            "status": "uploaded",
            "bucketName": "f7103b85-fcda-4dec-92c6-c336f71fd3a2-public-user-bucket",
            "isPublic": true,
            "downloadUrl": "https://babilcom.mindbricks.co/bucket/download/9da03f6d-0409-41ad-bb06-225a244ae408"
        }
    ]
}

To download a file from the bucket, you need its fileId. If you upload an avatar or other asset, ensure the download URL or the fileId is stored in the backend.

Buckets are mostly used in object creations that require an additional file, such as a product image or user avatar. After uploading your image to the bucket, insert the returned download URL into the related property of the target object record.

Application Bucket

This Clonesahibinden application also includes a common public bucket that anyone can read, but only users with the superAdmin, admin, or saasAdmin roles can write (upload) to it.

When a user with one of these admin roles is logged in, the /login response or the /currentuser response also returns an applicationBucketToken field, which is used when uploading any file to the application bucket.

{
  //...
  "applicationBucketToken": "e23fd...."
}

The common public application bucket ID is

"clonesahibinden-public-common-bucket"

In certain admin areas—such as product management pages—since the user already has the application bucket token, they will be able to upload related object images.

Please configure your UI to upload files to the application bucket using this bucket token whenever needed.

Object Buckets

Some objects may also return a bucket token for uploading or accessing files related to that object. For example, in a project management application, when you fetch a project’s data, a public or private bucket token may be provided to upload or download project-related files.

These buckets will be used as described in the relevant object definitions.
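The token-injection rule from the bucket management section above, as an added example that is not part of the guide or the project's code: a request-interceptor body that picks the access token for business services and the matching bucket token for bucket uploads, and never substitutes one for the other. The token field names come from the guide; the container object, the custom config.bucketId field and the /bucket/ path prefix check are assumptions of this example.

```javascript
// Added example (not part of the guide): choose the bearer token per request so an
// auth interceptor never swaps a bucket token for the access token or vice versa.
// Assumed: the app keeps tokens as { accessToken, userBucketToken, applicationBucketToken }
// (field names from the guide; the container object and the custom config.bucketId
// field used for uploads are assumptions of this example).
const APPLICATION_BUCKET_ID = "clonesahibinden-public-common-bucket";
const USER_BUCKET_SUFFIX = "-public-user-bucket";

// Bucket routes live under /bucket/; everything else is a business service.
function isBucketRequest(url) {
  const path = String(url || "").replace(/^https?:\/\/[^/]+/, "");
  return path.startsWith("/bucket/");
}

// The target bucket of an upload: an explicit config field, or the bucketId
// field of a FormData body (anything exposing get()).
function requestedBucketId(config) {
  if (config.bucketId) return String(config.bucketId);
  const body = config.data;
  if (body && typeof body.get === "function") return String(body.get("bucketId") || "");
  return "";
}

// Returns the token a request must carry, or null for anonymous requests
// (public bucket reads such as /bucket/download/:fileId need none).
function selectToken(config, tokens) {
  if (!isBucketRequest(config.url)) return tokens.accessToken || null;
  const bucketId = requestedBucketId(config);
  if (bucketId === APPLICATION_BUCKET_ID) return tokens.applicationBucketToken || null;
  if (bucketId.endsWith(USER_BUCKET_SUFFIX)) return tokens.userBucketToken || null;
  return null; // never fall back to the access token on a bucket route
}

// Interceptor body: rebuilds the Authorization header from scratch so a stale or
// wrong header set elsewhere cannot leak the access token to the bucket service.
function attachAuthorization(config, tokens) {
  const headers = { ...(config.headers || {}) };
  delete headers.Authorization;
  const token = selectToken(config, tokens);
  if (token) headers.Authorization = `Bearer ${token}`;
  return { ...config, headers };
}

// Registration with an axios instance (not executed here):
// api.interceptors.request.use((cfg) => attachAuthorization(cfg, tokenStore.current()));
```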

AdminActionLog Data Object

Records every moderation/admin action: who, what, target, reason, metadata, and timestamp. Used for full audit compliance and enables appeals, overrides, and reporting. Immutable except for soft delete.

AdminActionLog Data Object Frontend Description By The Backend Architect

An immutable log entry. Used for compliance, audit trail, admin dashboards. Not directly editable or deletable; only created by system/admin APIs. Each entry shows moderator/admin, action, affected entity, timestamp, reason, and expanded details in metadata for complex events.

AdminActionLog Data Object Properties

AdminActionLog data object has the following properties, which are represented as table fields in the database schema. These properties are not just for data storage; each may carry different settings that govern the business logic.

Property Type IsArray Required Secret Description
action String false Yes No Action performed (e.g., approveListing, denyListing, banUser, assignRole, etc.)
actionAt Date false Yes No Date and time the action was performed, UTC.
adminUserId ID false Yes No User ID of admin/moderator who initiated the action (refers to auth:user).
metadata Object false No No Extended details/JSON object with details relevant to the action (previous/new values, related entities, etc.)
reason String false No No Reason for action (required on denial, ban; optional for others).
targetId ID false Yes No ID of the affected resource/entity (listing, user, message, etc.)
targetType String false Yes No Kind of entity affected by the action (e.g., listing, user, conversationMessage, roleAssignment, category, etc.)

Relation Properties

adminUserId

Mindbricks supports relations between data objects, allowing you to define how objects are linked together. A relation may reference a data object either in this service or in another service. If the reference is remote, the backend handles the relation through service communication or Elasticsearch. These relations should be respected in the frontend: instead of showing the related object's id, the frontend should list human-readable values from the other data object. If the relation points to another service, the frontend should use the referenced service's API when it needs related data. The relation logic is mostly handled in the backend, so the API responses feed the frontend with the relational data; in most cases the API response provides the relational data as well as the main data.

In frontend, please ensure that,

1- Instead of these relational ids, show the main human-readable field of the related target data (such as name).
2- If this data object needs user input for these relational ids, provide a combobox with the list of possible records, or a searchbox, to select by the related target data object's main human-readable field.

The target object is a parent object, meaning that the relation is a one-to-many relationship from target to this object.

Required: Yes

Filter Properties

action, actionAt, adminUserId, targetId, targetType

Filter properties are used to define parameters that can be used in query filters, allowing for dynamic data retrieval based on user input or predefined criteria. These properties are automatically mapped as API parameters in the listing APIs.

Default CRUD APIs

For each data object, the backend architect may designate default APIs for standard operations (create, update, delete, get, list). These are the APIs that frontend CRUD forms and AI agents should use for basic record management. If no default is explicitly set (isDefaultApi), the frontend generator auto-discovers the most general API for each operation.

AdminActionLog Default APIs

Operation API Name Route Explicitly Set
Create createAdminActionLog /v1/adminactionlogs Auto
Update none - Auto
Delete none - Auto
Get getAdminActionLog /v1/adminactionlogs/:adminActionLogId Auto
List listAdminActionLogs /v1/adminactionlogs System

When building CRUD forms for a data object, use the default create/update APIs listed above. The form fields should correspond to the API’s body parameters. For relation fields, render a dropdown loaded from the related object’s list API using the display label property.

API Reference

Create Adminactionlog API

Appends a new immutable moderation/admin audit log entry for every critical action (listing, user, message, role, etc). Used both by internal workflows and explicit admin APIs.

API Frontend Description By The Backend Architect

Frontends should not invoke directly; log entries are created automatically via moderation/admin actions (approve/deny/ban/etc). Accepts adminUserId (from session), action, targetType, targetId, reason (required on denial/ban), metadata (optional), actionAt (server time, auto).

Rest Route

The createAdminActionLog API REST controller can be triggered via the following route:

/v1/adminactionlogs

Rest Request Parameters

The createAdminActionLog API has 5 regular request parameters:

Parameter Type Required Population
action String true request.body?.["action"]
metadata Object false request.body?.["metadata"]
reason String false request.body?.["reason"]
targetId ID true request.body?.["targetId"]
targetType String true request.body?.["targetType"]
action : Action performed (e.g., approveListing, denyListing, banUser, assignRole, etc.)
metadata : Extended details/JSON object with details relevant to the action (previous/new values, related entities, etc.)
reason : Reason for action (required on denial, ban; optional for others).
targetId : ID of the affected resource/entity (listing, user, message, etc.)
targetType : Kind of entity affected by the action (e.g., listing, user, conversationMessage, roleAssignment, category, etc.)

REST Request

To access the API you can use the REST controller with the path POST /v1/adminactionlogs

  axios({
    method: 'POST',
    url: '/v1/adminactionlogs',
    data: {
      action: "String",
      metadata: "Object",
      reason: "String",
      targetId: "ID",
      targetType: "String"
    },
    params: {}
  });

REST Response

{
	"status": "OK",
	"statusCode": "201",
	"elapsedMs": 126,
	"ssoTime": 120,
	"source": "db",
	"cacheKey": "hexCode",
	"userId": "ID",
	"sessionId": "ID",
	"requestId": "ID",
	"dataName": "adminActionLog",
	"method": "POST",
	"action": "create",
	"appVersion": "Version",
	"rowCount": 1,
	"adminActionLog": {
		"id": "ID",
		"action": "String",
		"actionAt": "Date",
		"adminUserId": "ID",
		"metadata": "Object",
		"reason": "String",
		"targetId": "ID",
		"targetType": "String",
		"isActive": true,
		"recordVersion": "Integer",
		"createdAt": "Date",
		"updatedAt": "Date",
		"_owner": "ID"
	}
}

Get Adminactionlog API

Retrieve a single moderation/admin action log entry by ID. Used for detailed audit review or appeals.

API Frontend Description By The Backend Architect

Admin/staff frontend can use to show full details of an individual moderation event for investigation, override, or dispute resolution. Only available to admin/moderator roles.

Rest Route

The getAdminActionLog API REST controller can be triggered via the following route:

/v1/adminactionlogs/:adminActionLogId

Rest Request Parameters

The getAdminActionLog API has 1 regular request parameter:

Parameter Type Required Population
adminActionLogId ID true request.params?.["adminActionLogId"]
adminActionLogId : This id parameter is used to query the required data object.

REST Request

To access the API you can use the REST controller with the path GET /v1/adminactionlogs/:adminActionLogId

  axios({
    method: 'GET',
    url: `/v1/adminactionlogs/${adminActionLogId}`,
    data: {},
    params: {}
  });

REST Response

This route’s response is constrained to a select list of properties, and therefore does not encompass all attributes of the resource.

{
	"status": "OK",
	"statusCode": "200",
	"elapsedMs": 126,
	"ssoTime": 120,
	"source": "db",
	"cacheKey": "hexCode",
	"userId": "ID",
	"sessionId": "ID",
	"requestId": "ID",
	"dataName": "adminActionLog",
	"method": "GET",
	"action": "get",
	"appVersion": "Version",
	"rowCount": 1,
	"adminActionLog": {
		"adminUser": {
			"email": "String",
			"fullname": "String",
			"roleId": "String"
		},
		"isActive": true
	}
}

List Adminactionlogs API

List all moderation/admin action logs with full filter/sort for dashboard or traceability/audit needs. Supports filtering by action, targetType, targetId, adminUserId, actionAt.

API Frontend Description By The Backend Architect

Feeds moderation dashboard. Supports filtering/searching by action (approve, deny, ban, etc), affected entity, targetId, admin/mod, time range. Pagination enabled for large result sets. Intended for admin/mod use only.

Rest Route

The listAdminActionLogs API REST controller can be triggered via the following route:

/v1/adminactionlogs

Rest Request Parameters

The listAdminActionLogs API has no request parameters.

REST Request

To access the API you can use the REST controller with the path GET /v1/adminactionlogs

  axios({
    method: 'GET',
    url: '/v1/adminactionlogs',
    data: {},
    params: {}
  });

REST Response

This route’s response is constrained to a select list of properties, and therefore does not encompass all attributes of the resource.

{
	"status": "OK",
	"statusCode": "200",
	"elapsedMs": 126,
	"ssoTime": 120,
	"source": "db",
	"cacheKey": "hexCode",
	"userId": "ID",
	"sessionId": "ID",
	"requestId": "ID",
	"dataName": "adminActionLogs",
	"method": "GET",
	"action": "list",
	"appVersion": "Version",
	"rowCount": "Number",
	"adminActionLogs": [
		{
			"adminUser": [
				{
					"email": "String",
					"fullname": "String",
					"roleId": "String"
				},
				{},
				{}
			],
			"isActive": true
		},
		{},
		{}
	],
	"paging": {
		"pageNumber": "Number",
		"pageRowCount": "Number",
		"totalRowCount": "Number",
		"pageCount": "Number"
	},
	"filters": [],
	"uiPermissions": []
}

_fetch Listadminactionlog API

System API to fetch list of adminActionLog records for frontend application. Auto-generated, not visible in design.

Rest Route

The _fetchListAdminActionLog API REST controller can be triggered via the following route:

/v1/_fetchlistadminactionlog

Rest Request Parameters

Filter Parameters

The _fetchListAdminActionLog api supports 5 optional filter parameters for filtering list results:

action (String): Action performed (e.g., approveListing, denyListing, banUser, assignRole, etc.)

actionAt (Date): Date and time the action was performed, UTC.

adminUserId (ID): User ID of admin/moderator who initiated the action (refers to auth:user).

targetId (ID): ID of the affected resource/entity (listing, user, message, etc.)

targetType (String): Kind of entity affected by the action (e.g., listing, user, conversationMessage, roleAssignment, category, etc.)

REST Request

To access the API you can use the REST controller with the path GET /v1/_fetchlistadminactionlog

  axios({
    method: 'GET',
    url: '/v1/_fetchlistadminactionlog',
    data: {},
    params: {
      // Filter parameters (see Filter Parameters section above)
      // action: '<value>'      // Filter by action
      // actionAt: '<value>'    // Filter by actionAt
      // adminUserId: '<value>' // Filter by adminUserId
      // targetId: '<value>'    // Filter by targetId
      // targetType: '<value>'  // Filter by targetType
    }
  });

REST Response

{
	"status": "OK",
	"statusCode": "200",
	"elapsedMs": 126,
	"ssoTime": 120,
	"source": "db",
	"cacheKey": "hexCode",
	"userId": "ID",
	"sessionId": "ID",
	"requestId": "ID",
	"dataName": "adminActionLogs",
	"method": "GET",
	"action": "list",
	"appVersion": "Version",
	"rowCount": "Number",
	"adminActionLogs": [
		{
			"id": "ID",
			"action": "String",
			"actionAt": "Date",
			"adminUserId": "ID",
			"metadata": "Object",
			"reason": "String",
			"targetId": "ID",
			"targetType": "String",
			"isActive": true,
			"recordVersion": "Integer",
			"createdAt": "Date",
			"updatedAt": "Date",
			"_owner": "ID",
			"adminUser": [
				{
					"fullname": "String"
				},
				{},
				{}
			]
		},
		{},
		{}
	],
	"paging": {
		"pageNumber": "Number",
		"pageRowCount": "Number",
		"totalRowCount": "Number",
		"pageCount": "Number"
	},
	"filters": [],
	"uiPermissions": []
}
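Consuming the list API described above, as an added example that is not code from the guide or the project: it builds the query from the five Filter Properties only, normalises the success envelope and the error shape into one result, and shows the joined adminUser.fullname instead of the raw adminUserId as the Relation Properties section requires. The form object shape and the sample response are assumptions constructed for this example.

```javascript
// Added example (not from the guide): query the list API with only the allowed
// filter keys, then turn the response envelope into rows an admin dashboard can
// show, replacing adminUserId with the joined adminUser.fullname.
// Assumed: the caller passes a plain form object; the sample response below is
// constructed and follows the _fetchListAdminActionLog response signature.
const ADMIN_ACTION_LOG_FILTERS = ["action", "actionAt", "adminUserId", "targetId", "targetType"];

// Keep only the five Filter Properties with non-empty values, so unrelated
// form fields never reach the API as query parameters.
function buildLogFilterParams(form) {
  const params = {};
  for (const key of ADMIN_ACTION_LOG_FILTERS) {
    const value = form[key];
    if (value !== undefined && value !== null && String(value).trim() !== "") params[key] = value;
  }
  return params;
}

// The service answers with the success envelope ("status": "OK") or with the
// error shape ("result": "ERR"); normalise both into a single result object.
function unwrapEnvelope(body, dataName) {
  if (body && body.status === "OK") {
    return { ok: true, rows: body[dataName] || [], paging: body.paging || null };
  }
  return { ok: false, errCode: body ? body.errCode : undefined, message: body ? body.message : "empty response" };
}

// Relation fields are shown as human-readable values: the joined adminUser
// (returned as an array in the list response) supplies fullname; the raw id
// is the fallback when the join is absent.
function adminDisplayName(row) {
  const rel = Array.isArray(row.adminUser) ? row.adminUser[0] : row.adminUser;
  return (rel && rel.fullname) || row.adminUserId || "";
}

function toDisplayRows(listBody) {
  const res = unwrapEnvelope(listBody, "adminActionLogs");
  if (!res.ok) throw new Error(`${res.errCode}: ${res.message}`);
  return res.rows.map((r) => ({
    id: r.id, action: r.action, actionAt: r.actionAt,
    admin: adminDisplayName(r),
    target: `${r.targetType}:${r.targetId}`,
    reason: r.reason || "",
  }));
}

// Constructed sample response (not real data) in the list API's shape.
const SAMPLE_LIST_RESPONSE = {
  status: "OK", statusCode: "200", dataName: "adminActionLogs", rowCount: 2,
  adminActionLogs: [
    { id: "log-1", action: "denyListing", actionAt: "2024-03-19T12:13:54.124Z", adminUserId: "u-1",
      targetType: "listing", targetId: "l-9", reason: "duplicate listing", adminUser: [{ fullname: "Ayse Admin" }] },
    { id: "log-2", action: "banUser", actionAt: "2024-03-19T12:20:00.000Z", adminUserId: "u-2",
      targetType: "user", targetId: "u-7", reason: "repeated abuse", adminUser: [] },
  ],
  paging: { pageNumber: 1, pageRowCount: 25, totalRowCount: 2, pageCount: 1 },
};
```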

After this prompt, the user may give you new instructions to update the output of this prompt or provide subsequent prompts about the project.