bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 06:38:19 +02:00
parent 1028498705
commit 090d2b7d89
40 changed files with 603 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
api/app/Http/Controllers/Api/V1/PersonIdentityMatchController.php
View File

@@ -50,6 +50,11 @@ final class PersonIdentityMatchController extends Controller
public function confirm(Request $request, Organisation $organisation, PersonIdentityMatch $personIdentityMatch): JsonResponse
{
// Verify match belongs to this organisation
if ($personIdentityMatch->person->event->organisation_id !== $organisation->id) {
return $this->notFound('Match not found.');
}
Gate::authorize('confirm', $personIdentityMatch);
try {
@@ -65,6 +70,11 @@ final class PersonIdentityMatchController extends Controller
public function dismiss(Request $request, Organisation $organisation, PersonIdentityMatch $personIdentityMatch): JsonResponse
{
// Verify match belongs to this organisation
if ($personIdentityMatch->person->event->organisation_id !== $organisation->id) {
return $this->notFound('Match not found.');
}
Gate::authorize('dismiss', $personIdentityMatch);
try {
@@ -82,7 +92,9 @@ final class PersonIdentityMatchController extends Controller
{
Gate::authorize('bulkConfirm', [PersonIdentityMatch::class, $organisation]);
$orgEventIds = $organisation->events()->pluck('id');
$matches = PersonIdentityMatch::whereIn('id', $request->validated('match_ids'))
->whereHas('person', fn ($q) => $q->whereIn('event_id', $orgEventIds))
->with('person')
->get()
->keyBy('id');