security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/CrowdListController.php

@@ -78,7 +78,8 @@ final class CrowdListController extends Controller
     {
         Gate::authorize('managePerson', [$crowdList, $event]);
 
-        $person = Person::findOrFail($request->validated('person_id'));
+        $festivalEventId = $event->parent_event_id ?? $event->id;
+        $person = Person::where('event_id', $festivalEventId)->findOrFail($request->validated('person_id'));
 
         $this->crowdListService->addPerson($crowdList, $person, $request->user());
 

api/app/Http/Controllers/Api/V1/InvitationController.php

@@ -75,6 +75,11 @@ final class InvitationController extends Controller
 
     public function revoke(Organisation $organisation, UserInvitation $invitation): JsonResponse
     {
+        // Verify invitation belongs to this organisation
+        if ($invitation->organisation_id !== $organisation->id) {
+            return $this->notFound('Uitnodiging niet gevonden');
+        }
+
         Gate::authorize('invite', $organisation);
 
         if (! $invitation->isPending()) {

api/app/Http/Controllers/Api/V1/PersonIdentityMatchController.php

@@ -50,6 +50,11 @@ final class PersonIdentityMatchController extends Controller
 
     public function confirm(Request $request, Organisation $organisation, PersonIdentityMatch $personIdentityMatch): JsonResponse
     {
+        // Verify match belongs to this organisation
+        if ($personIdentityMatch->person->event->organisation_id !== $organisation->id) {
+            return $this->notFound('Match not found.');
+        }
+
         Gate::authorize('confirm', $personIdentityMatch);
 
         try {
@@ -65,6 +70,11 @@ final class PersonIdentityMatchController extends Controller
 
     public function dismiss(Request $request, Organisation $organisation, PersonIdentityMatch $personIdentityMatch): JsonResponse
     {
+        // Verify match belongs to this organisation
+        if ($personIdentityMatch->person->event->organisation_id !== $organisation->id) {
+            return $this->notFound('Match not found.');
+        }
+
         Gate::authorize('dismiss', $personIdentityMatch);
 
         try {
@@ -82,7 +92,9 @@ final class PersonIdentityMatchController extends Controller
     {
         Gate::authorize('bulkConfirm', [PersonIdentityMatch::class, $organisation]);
 
+        $orgEventIds = $organisation->events()->pluck('id');
         $matches = PersonIdentityMatch::whereIn('id', $request->validated('match_ids'))
+            ->whereHas('person', fn ($q) => $q->whereIn('event_id', $orgEventIds))
             ->with('person')
             ->get()
             ->keyBy('id');

api/app/Http/Controllers/Api/V1/Portal/PortalShiftController.php

@@ -172,6 +172,12 @@ final class PortalShiftController extends Controller
 
     public function claim(Request $request, Event $event, Shift $shift): JsonResponse
     {
+        // Verify shift belongs to this event context
+        $eventIds = $this->resolveEventIds($event);
+        if (! in_array($shift->festivalSection->event_id, $eventIds)) {
+            return $this->notFound('Shift niet gevonden.');
+        }
+
         $person = $this->resolvePerson($event);
 
         if ($person->status !== 'approved') {
@@ -203,6 +209,12 @@ final class PortalShiftController extends Controller
 
     public function cancel(Request $request, Event $event, ShiftAssignment $shiftAssignment): JsonResponse
     {
+        // Verify assignment belongs to this event context
+        $eventIds = $this->resolveEventIds($event);
+        if (! in_array($shiftAssignment->shift->timeSlot->event_id, $eventIds)) {
+            return $this->notFound('Dienst niet gevonden.');
+        }
+
         $person = $this->resolvePerson($event);
 
         // Must be the person's own assignment

api/app/Http/Controllers/Api/V1/PortalMeController.php

@@ -21,13 +21,16 @@ final class PortalMeController extends Controller
 {
     public function index(PortalMeRequest $request): JsonResponse
     {
-        $event = Event::findOrFail($request->validated('event_id'));
+        $event = Event::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
+            ->findOrFail($request->validated('event_id'));
 
         if ($event->isSubEvent()) {
             $event = $event->parent;
         }
 
-        $person = Person::where('user_id', $request->user()->id)
+        // Verify user has a person record for this event (scopes access)
+        $person = Person::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
+            ->where('user_id', $request->user()->id)
             ->where('event_id', $event->id)
             ->with([
                 'crowdType',
@@ -95,13 +98,16 @@ final class PortalMeController extends Controller
 
         $user = $request->user();
 
-        $event = Event::findOrFail($validated['event_id']);
+        $event = Event::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
+            ->findOrFail($validated['event_id']);
 
         if ($event->isSubEvent()) {
             $event = $event->parent;
         }
 
-        $person = Person::where('user_id', $user->id)
+        // Verify user has a person record for this event (scopes access)
+        $person = Person::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
+            ->where('user_id', $user->id)
             ->where('event_id', $event->id)
             ->firstOrFail();
 

api/app/Http/Controllers/Api/V1/ShiftAssignmentController.php

@@ -96,6 +96,7 @@ final class ShiftAssignmentController extends Controller
         Gate::authorize('bulkApprove', [ShiftAssignment::class, $event]);
 
         $assignments = ShiftAssignment::whereIn('id', $request->validated('assignment_ids'))
+            ->whereHas('shift.festivalSection', fn ($q) => $q->where('event_id', $event->id))
             ->with('shift')
             ->get();
 

api/app/Http/Controllers/Api/V1/ShiftController.php

@@ -71,7 +71,8 @@ final class ShiftController extends Controller
     {
         Gate::authorize('assign', [$shift, $event, $section]);
 
-        $person = Person::findOrFail($request->validated('person_id'));
+        $festivalEventId = $event->parent_event_id ?? $event->id;
+        $person = Person::where('event_id', $festivalEventId)->findOrFail($request->validated('person_id'));
         $assignment = $this->shiftAssignmentService->assign($shift, $person, $request->user());
 
         return $this->created(new ShiftAssignmentResource($assignment));
@@ -81,7 +82,8 @@ final class ShiftController extends Controller
     {
         Gate::authorize('claim', [$shift, $event, $section]);
 
-        $person = Person::findOrFail($request->validated('person_id'));
+        $festivalEventId = $event->parent_event_id ?? $event->id;
+        $person = Person::where('event_id', $festivalEventId)->findOrFail($request->validated('person_id'));
         $assignment = $this->shiftAssignmentService->claim($shift, $person);
 
         return $this->created(new ShiftAssignmentResource($assignment));