PRD: E-commerce CRUD Application
This PRD is intentionally generic and framework-agnostic for freshers. It supports MySQL as the primary database, with interchangeable backends (Python Flask/FastAPI, Java Spring Boot, Node Express) and frontends (Vanilla JS, React, Next.js).
1) Overview
- Goal: Build a simple e-commerce CRUD app with products, carts, and three roles: Admin, Seller, Customer.
- Core features:
- List Products
- Product Details
- Add to Cart
- Update Product in Cart
- Delete Product from Cart
- List Carts
- Constraints:
- Database: MySQL
- Backend: Python (Flask or FastAPI) or Java Spring Boot or Node Express
- Frontend: Vanilla JS or React or Next.js
- Clean separation of concerns and RESTful API design
- Authentication and Role-Based Access Control (RBAC)
2) Personas and Roles
- Admin
- Manages users and sellers
- Can CRUD any product
- Can view all carts and audit activity
- Seller
- Manages own products only
- Can view orders that include their products (if implemented as a stretch)
- Customer/Buyer
- Browses products
- Manages own cart
- Checks out cart (stretch)
RBAC summary:
- Admin: Full access
- Seller: CRUD only own products, read others’ product listings
- Customer: Read product listings, manage own cart
3) Scope and Features
3.1 Product Management
- Create Product
- Read Product List
- Read Product Detail
- Update Product
- Delete Product
- Constraints:
- Seller can only modify products they own
- Admin can modify any product
- Customers cannot modify products
3.2 Cart Management
- Add to Cart
- Update Product Quantity in Cart
- Remove Product from Cart
- View Cart
- Constraints:
- One open cart per customer at a time
- If cart does not exist, create on first add
- Quantity must be positive integer
- Enforce stock minimum of 0 on update (no negative stock; oversell prevention optional)
3.3 Authentication and Authorization
- Register/Login
- Session or JWT-based auth
- Role assignment at registration by Admin (students may seed roles)
- Middleware to enforce role-based access
3.4 Non-Goals (Out of Scope for MVP)
- Payments and checkout processing
- Inventory reservations and order lifecycle
- Reviews/ratings, wishlists
- Media storage beyond product image URL
- Internationalization, taxes, shipping
4) Functional Requirements
4.1 User Stories
- As a Customer, I can view a list of products with pagination and search.
- As a Customer, I can view product details.
- As a Customer, I can add a product to my cart, update quantities, and remove items.
- As a Customer, I can view my current cart and total cost.
- As a Seller, I can create, update, and delete my products.
- As a Seller, I can view only my products in a “My Products” view.
- As an Admin, I can manage all products and view all carts.
- As an Admin, I can manage users and assign roles.
4.2 API Endpoints (REST, generic)
Auth:
- POST /api/auth/register
- POST /api/auth/login
- GET /api/auth/me
Products:
- GET /api/products?search=&category=&sort=&page=&pageSize=
- GET /api/products/:id
- POST /api/products [Seller, Admin]
- PUT /api/products/:id [Owner Seller, Admin]
- DELETE /api/products/:id [Owner Seller, Admin]
Carts:
- GET /api/carts/me [Customer]
- POST /api/carts/me/items body: { productId, quantity } [Customer]
- PUT /api/carts/me/items/:itemId body: { quantity } [Customer]
- DELETE /api/carts/me/items/:itemId [Customer]
- (Admin-only) GET /api/carts to list all carts, filter by userId
Users and Roles (Admin only):
- GET /api/users
- PUT /api/users/:id/role body: { role }
Response format:
- JSON objects with consistent envelope: { data, error, meta }
- Use proper HTTP status codes:
- 200 OK, 201 Created, 204 No Content
- 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 422 Unprocessable, 500 Server Error
Validation:
- Use server-side validation for all inputs
- Return errors with field-level messages
5) Data Model (MySQL)
Tables and key columns:
- users
- id PK, uuid or bigint
- email unique
- password_hash
- role enum(‘ADMIN’, ‘SELLER’, ‘CUSTOMER’)
- name
- created_at, updated_at
- products
- id PK
- seller_id FK -> users.id
- name
- description TEXT
- price DECIMAL(10,2)
- stock INT
- image_url VARCHAR(2048) NULL
- category VARCHAR(255) NULL
- created_at, updated_at
- index(name), index(category)
- carts
- id PK
- user_id FK -> users.id unique for active/open cart
- status enum(‘OPEN’, ‘CHECKED_OUT’) default ‘OPEN’
- created_at, updated_at
- unique(user_id, status=’OPEN’) logical uniqueness enforced by application or partial index emulation
- cart_items
- id PK
- cart_id FK -> carts.id
- product_id FK -> products.id
- quantity INT
- unit_price DECIMAL(10,2) snapshot at add time (optional for MVP; otherwise compute from products)
- unique(cart_id, product_id)
- created_at, updated_at
Indexes:
- FK indexes on seller_id, user_id, cart_id, product_id
- Search indexes on products.name, products.category
Referential integrity:
- ON DELETE RESTRICT for product if present in cart_items (or cascade remove cart_items on product delete for teaching simplicity; discuss trade-offs)
- ON DELETE CASCADE for cart -> cart_items
6) Security and Auth
- Passwords: md5 or bcrypt
- Auth: JWT or server sessions with HttpOnly cookies
- RBAC middleware:
- Admin routes: require role === ADMIN
- Seller product writes: require role === SELLER and seller_id === current_user.id
- Customer cart routes: require role === CUSTOMER and user_id === current_user.id
- Input sanitation and validation
- CORS configured for chosen frontend host
- Prevent overposting by whitelisting fields
7) Non-Functional Requirements
- Performance:
- Product list should return within 500 ms for 10k product dataset with indexes
- Pagination default pageSize 20
- Reliability:
- Handle concurrent cart updates gracefully
- Observability:
- Basic request logging and error logging
- Code Quality:
- Layered architecture: routes/controllers, services, repositories/DAOs, models
- Unit tests for services and repositories
- Minimal integration tests for core flows
8) UX Requirements
- Views:
- Product List: grid or table with name, price, stock, category, thumbnail
- Product Detail: name, description, price, stock, image, add-to-cart
- My Cart: line items, quantity controls, remove action, subtotal and total
- Seller Dashboard: My Products CRUD
- Admin Panel: Users list, role management, all carts view
- Accessibility:
- Semantic HTML where applicable
- Keyboard navigation for cart quantity updates
- Responsive:
- Mobile-first layout
9) Acceptance Criteria
Product Listing
- Given products exist, when a customer visits /products, they see a paginated list with name, price, and image.
- Searching by name returns matching items.
- Clicking an item navigates to details.
Product Details
- Given a product exists, details page shows name, description, price, stock, and add-to-cart button.
- If stock is 0, add-to-cart is disabled.
Cart
- Add to cart creates an OPEN cart if none exists.
- Updating quantity reflects in totals immediately.
- Removing an item deletes row and updates total.
- Customers cannot access another user’s cart.
Seller Product CRUD
- Seller can create, edit, delete only their products.
- Attempting to modify others’ products returns 403.
Admin
- Can list all carts and view any product.
- Can change user roles.
API
- All endpoints return appropriate status codes and validation errors.
10) Developer Guidance by Stack
Backend notes:
- Flask/FastAPI
- Use SQLAlchemy + Alembic for migrations
- Pydantic (FastAPI) for request/response models
- Spring Boot
- Spring Security for auth, JPA/Hibernate, Flyway/Liquibase migrations
- Node Express
- TypeScript recommended, Prisma/TypeORM/Sequelize, Zod/Joi validation
Frontend notes:
- Vanilla JS
- Fetch API, simple routing via hash or path
- React
- React Router, SWR/React Query, controlled forms
- Next.js
- App Router, fetch from server components or client with SWR, API routes optional for demo
11) API Contracts (Sample Schemas)
Product (response)
- id: number
- name: string
- description: string
- price: number
- stock: number
- imageUrl: string|null
- category: string|null
- sellerId: number
Cart (response)
- id: number
- userId: number
- status: “OPEN” | “CHECKED_OUT”
- items: Array
- total: number
CartItem (response)
- id: number
- productId: number
- quantity: number
- unitPrice: number
- productSnapshot: { id, name, price, imageUrl } // optional
Error (response)
- error: { code: string, message: string, details?: any }
12) Milestones
- Milestone 1: DB schema and migrations ready. Seed users with roles.
- Milestone 2: Auth + RBAC middleware working.
- Milestone 3: Products API and UI list/detail.
- Milestone 4: Cart API and UI end-to-end.
- Milestone 5: Seller product CRUD UI.
- Milestone 6: Admin basics: users list, role update, carts list.
- Milestone 7: Tests and polish.
13) Evaluation Rubric for Students
- Correctness: Meets acceptance criteria and RBAC rules
- Code Quality: Structure, readability, validation, error handling
- DB Design: Keys, indexes, constraints, migrations
- Security: Auth, password hashing, access controls
- UX: Usable flows, responsive layout, basic accessibility
- Tests: Coverage of core services and endpoints
14) Stretch Goals
- Checkout flow with order creation
- Stock decrement on checkout
- Product images upload to object storage
- Sorting, filters, categories
- Rate limiting and caching for product list
- Swagger/OpenAPI documentation
