uoftblueprint · CaellumYHL · Mar 8, 2026 · Mar 8, 2026 · Copilot · Mar 9, 2026
diff --git a/backend/inventory/tests.py b/backend/inventory/tests.py
@@ -1050,3 +1050,152 @@ def test_patch_item_box_updates_box_id(self):
         assert response.status_code == status.HTTP_200_OK
         self.item_b.refresh_from_db()
         assert self.item_b.box_id == self.box_b.id
+
+
+# ============================================================================
+# TESTS FOR GET /api/inventory/export/ (CSV Export)
+# ============================================================================
+
+
+@pytest.mark.django_db
+class TestExportItems:
+    """Tests for the CSV export endpoint."""
+
+    EXPORT_URL = "/api/inventory/export/"
+
+    @pytest.fixture(autouse=True)
+    def setup(self, client, admin_user, volunteer_user, floor_location, storage_location):
+        self.client = client
+        self.admin_user = admin_user
+        self.volunteer_user = volunteer_user
+        self.floor_location = floor_location
+        self.storage_location = storage_location
+
+        # Create a box for filtering tests
+        self.box = Box.objects.create(box_code="BOX001", label="Export Test Box", location=floor_location)
+
+        # Create test items
+        self.item_software = CollectionItem.objects.create(
+            item_code="EXP001",
+            title="Export Test Game",
+            platform="SNES",
+            item_type="SOFTWARE",
+            current_location=floor_location,
+            box=self.box,
+            is_public_visible=True,
+        )
+        self.item_hardware = CollectionItem.objects.create(
+            item_code="EXP002",
+            title="Export Test Console",
+            platform="",
+            item_type="HARDWARE",
+            current_location=storage_location,
+            is_public_visible=True,
+        )
+
+    def _get_admin_token(self):
+        return get_admin_token(self.client)
+
+    def _get_volunteer_token(self):
+        return get_volunteer_token(self.client)
+
+    def test_unauthenticated_returns_401(self):
+        """Unauthenticated request should be rejected."""
+        response = self.client.get(self.EXPORT_URL)
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_admin_gets_csv_response(self):
+        """Admin should receive a CSV file response."""
+        token = self._get_admin_token()
+        response = self.client.get(self.EXPORT_URL, HTTP_AUTHORIZATION=f"Bearer {token}")
+        assert response.status_code == status.HTTP_200_OK
+        assert response["Content-Type"] == "text/csv"
+        assert "attachment" in response["Content-Disposition"]
+        assert "made_export_" in response["Content-Disposition"]
+
+    def test_volunteer_gets_csv_response(self):
+        """Volunteer should also have access to export."""
+        token = self._get_volunteer_token()
+        response = self.client.get(self.EXPORT_URL, HTTP_AUTHORIZATION=f"Bearer {token}")
+        assert response.status_code == status.HTTP_200_OK
+        assert response["Content-Type"] == "text/csv"
+
+    def test_csv_contains_headers_and_data(self):
+        """CSV should contain header row and data rows."""
+        token = self._get_admin_token()
+        response = self.client.get(self.EXPORT_URL, HTTP_AUTHORIZATION=f"Bearer {token}")
+        content = response.content.decode("utf-8")
+        lines = content.strip().split("\n")
+
+        # Header + at least 2 data rows
+        assert len(lines) >= 3
+        assert "MADE ID" in lines[0]
+        assert "Title" in lines[0]
+        assert "EXP001" in content
+        assert "EXP002" in content
+
+    def test_filter_by_record_type(self):
+        """Filtering by record_type should return only matching items."""
+        token = self._get_admin_token()
+        response = self.client.get(
+            f"{self.EXPORT_URL}?record_type=SOFTWARE",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+        content = response.content.decode("utf-8")
+        assert "EXP001" in content
+        assert "EXP002" not in content
+
+    def test_filter_by_box_id(self):
+        """Filtering by box_id should return only items in that box."""
+        token = self._get_admin_token()
+        response = self.client.get(
+            f"{self.EXPORT_URL}?box_id={self.box.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+        content = response.content.decode("utf-8")
+        assert "EXP001" in content  # In the box
+        assert "EXP002" not in content  # Not in any box
+
+    def test_filter_by_date_range(self):
+        """Filtering by start_date and end_date should scope results."""
+        token = self._get_admin_token()
+        today = timezone.now().strftime("%Y-%m-%d")
+        response = self.client.get(
+            f"{self.EXPORT_URL}?start_date={today}&end_date={today}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+        content = response.content.decode("utf-8")
+        # Items were created today, so they should appear
+        assert "EXP001" in content
+
+    def test_filter_future_date_returns_empty(self):
+        """Filtering with a future start_date should return headers only."""
+        token = self._get_admin_token()
+        future = "2099-01-01"
+        response = self.client.get(
+            f"{self.EXPORT_URL}?start_date={future}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+        content = response.content.decode("utf-8")
+        lines = content.strip().split("\n")
+        # Only header row
+        assert len(lines) == 1
+        assert "MADE ID" in lines[0]
+
+    def test_invalid_start_date_returns_400(self):
+        """Invalid date format should return 400."""
+        token = self._get_admin_token()
+        response = self.client.get(
+            f"{self.EXPORT_URL}?start_date=not-a-date",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    def test_invalid_end_date_returns_400(self):
+        """Invalid end_date format should return 400."""
+        token = self._get_admin_token()
+        response = self.client.get(
+            f"{self.EXPORT_URL}?end_date=bad",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
diff --git a/backend/inventory/urls.py b/backend/inventory/urls.py
@@ -5,6 +5,7 @@
     PublicCollectionItemViewSet,
     AdminCollectionItemViewSet,
     dashboard_stats,
+    export_items,
 )
 
 # from .views import InventoryItemViewSet
@@ -32,6 +33,7 @@
 # PUT    /api/inventory/items/{id}/      - Full update
 # PATCH  /api/inventory/items/{id}/     - Partial update
 # DELETE /api/inventory/items/{id}/     - Soft delete (admin only)
+# GET    /api/inventory/export/          - Export items as CSV
 
 router = DefaultRouter()
 router.register(r"items", CollectionItemViewSet, basename="item")
@@ -43,4 +45,5 @@
     path("", include(router.urls)),
     path("public/", include(public_router.urls)),
     path("stats/", dashboard_stats, name="dashboard-stats"),
+    path("export/", export_items, name="export-items"),
 ]
diff --git a/backend/inventory/views.py b/backend/inventory/views.py
@@ -1,3 +1,7 @@
+import csv
+from datetime import datetime
+
+from django.http import HttpResponse
 from rest_framework import viewsets, permissions, filters, status
 from rest_framework.decorators import api_view, permission_classes
 from rest_framework.response import Response
@@ -163,3 +167,88 @@ def dashboard_stats(request):
             "total_locations": Location.objects.count(),
         }
     )
+
+
+@api_view(["GET"])
+@permission_classes([IsVolunteer])
+def export_items(request):
+    """
+    Export collection items as a CSV file.
+    Accepts optional query parameters:
+    - start_date (YYYY-MM-DD): filter items created on or after this date
+    - end_date (YYYY-MM-DD): filter items created on or before this date
+    - box_id (int): filter items belonging to a specific box
+    - record_type (str): filter by item_type (SOFTWARE, HARDWARE, NON_ELECTRONIC)
+    """
+    queryset = CollectionItem.objects.all().select_related("box", "current_location")
+
+    # Apply filters
+    start_date = request.query_params.get("start_date")
+    end_date = request.query_params.get("end_date")
+    box_id = request.query_params.get("box_id")
+    record_type = request.query_params.get("record_type")
+
+    if start_date:
+        try:
+            parsed = datetime.strptime(start_date, "%Y-%m-%d")
+            queryset = queryset.filter(created_at__date__gte=parsed.date())
+        except ValueError:
+            return Response(
+                {"error": "Invalid start_date format. Use YYYY-MM-DD."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
+    if end_date:
+        try:
+            parsed = datetime.strptime(end_date, "%Y-%m-%d")
+            queryset = queryset.filter(created_at__date__lte=parsed.date())
+        except ValueError:
+            return Response(
+                {"error": "Invalid end_date format. Use YYYY-MM-DD."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
+    if box_id:
+        queryset = queryset.filter(box__id=box_id)
-        queryset = queryset.filter(box__id=box_id)
+        try:
+            box_id_int = int(box_id)
+        except (TypeError, ValueError):
+            return Response(
+                {"error": "Invalid box_id. Must be an integer."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        queryset = queryset.filter(box__id=box_id_int)
-        queryset = queryset.filter(box__id=box_id)
+        try:
+            box_id_int = int(box_id)
+        except (TypeError, ValueError):
+            return Response(
+                {"error": "Invalid box_id. Must be an integer."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        queryset = queryset.filter(box__id=box_id_int)
+
+    if record_type:
+        queryset = queryset.filter(item_type=record_type)
+
+    # Build CSV response
+    today = datetime.now().strftime("%Y%m%d")
+    response = HttpResponse(content_type="text/csv")
+    response["Content-Disposition"] = f'attachment; filename="made_export_{today}.csv"'
+
+    writer = csv.writer(response)
+    writer.writerow(
+        [
+            "MADE ID",
+            "Title",
+            "Platform",
+            "Item Type",
+            "Box Code",
+            "Location",
+            "Location Type",
+            "Working Condition",
+            "Status",
+            "Created At",
+        ]
+    )
+
+    for item in queryset:
+        writer.writerow(
+            [
+                item.item_code,
+                item.title,
+                item.platform,
+                item.get_item_type_display(),
+                item.box.box_code if item.box else "",
+                item.current_location.name if item.current_location else "",
+                item.current_location.get_location_type_display() if item.current_location else "",
+                "Yes" if item.working_condition else "No",
+                item.get_status_display(),
+                item.created_at.strftime("%Y-%m-%d %H:%M:%S") if item.created_at else "",
+            ]
+        )
+
+    return response