[Backend] Implement Admin Endpoint to Reject Artwork

[laurenwu22]

Objective:
Allow an admin user to reject a submitted artwork, optionally providing a rejection reason. Rejected artwork should not be publicly visible. Log the rejection in AdminAction.

Tasks:

• Implement a PATCH /api/artworks/[id]/reject endpoint.
• Validate that the requester is authenticated and has the ADMIN role.
• Use a Prisma $transaction to:
  • Update the artwork:
    • status = REJECTED
    • Optionally set rejection_reason
  • Create an AdminAction:
    • action_type = ARTWORK_REJECTED
    • admin_id = adminId
    • artwork_id = id
• Return the updated artwork.
• Return proper HTTP status codes (200 success, 401/403 unauthorized, 404 not found).

Acceptance Criteria:

• ✅ Only admins can reject artwork.
• ✅ Artwork status and rejection reason are updated.
• ✅ AdminAction is created with correct metadata.
• ✅ Response contains updated artwork.

Resources:

• Prisma Artwork and AdminAction models
• NextAuth session

[charlesr332]

Is this different from #15, which was completed in #28?