bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 06:38:19 +02:00
parent 1028498705
commit 090d2b7d89
40 changed files with 603 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
api/app/Http/Controllers/Api/V1/PortalMeController.php
View File

@@ -21,13 +21,16 @@ final class PortalMeController extends Controller
{
public function index(PortalMeRequest $request): JsonResponse
{
$event = Event::findOrFail($request->validated('event_id'));
$event = Event::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
->findOrFail($request->validated('event_id'));
if ($event->isSubEvent()) {
$event = $event->parent;
}
$person = Person::where('user_id', $request->user()->id)
// Verify user has a person record for this event (scopes access)
$person = Person::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
->where('user_id', $request->user()->id)
->where('event_id', $event->id)
->with([
'crowdType',
@@ -95,13 +98,16 @@ final class PortalMeController extends Controller
$user = $request->user();
$event = Event::findOrFail($validated['event_id']);
$event = Event::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
->findOrFail($validated['event_id']);
if ($event->isSubEvent()) {
$event = $event->parent;
}
$person = Person::where('user_id', $user->id)
// Verify user has a person record for this event (scopes access)
$person = Person::withoutGlobalScope(\App\Models\Scopes\OrganisationScope::class)
->where('user_id', $user->id)
->where('event_id', $event->id)
->firstOrFail();