security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 06:38:19 +02:00
parent 1028498705
commit 090d2b7d89
40 changed files with 603 additions and 64 deletions
--- a/api/app/Http/Requests/Api/V1/AssignShiftRequest.php
+++ b/api/app/Http/Requests/Api/V1/AssignShiftRequest.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Requests\Api\V1;

 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;

 final class AssignShiftRequest extends FormRequest
 {
@@ -16,8 +17,11 @@ final class AssignShiftRequest extends FormRequest
    /** @return array<string, mixed> */
    public function rules(): array
    {
+        $event = $this->route('event');
+        $festivalEventId = $event->parent_event_id ?? $event->id;
+
        return [
-            'person_id' => ['required', 'ulid', 'exists:persons,id'],
+            'person_id' => ['required', 'ulid', Rule::exists('persons', 'id')->where('event_id', $festivalEventId)],
        ];
    }
 }