security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Requests/Api/V1/ImportFromEventRequest.php

@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Http\Requests\Api\V1;
 
-use App\Models\Event;
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 final class ImportFromEventRequest extends FormRequest
 {
@@ -18,24 +18,10 @@ final class ImportFromEventRequest extends FormRequest
     public function rules(): array
     {
         return [
-            'source_event_id' => ['required', 'ulid', 'exists:events,id'],
+            'source_event_id' => [
+                'required', 'ulid',
+                Rule::exists('events', 'id')->where('organisation_id', $this->route('event')->organisation_id),
+            ],
         ];
     }
-
-    public function withValidator($validator): void
-    {
-        $validator->after(function ($validator) {
-            $sourceEventId = $this->input('source_event_id');
-            if (!$sourceEventId) {
-                return;
-            }
-
-            $sourceEvent = Event::find($sourceEventId);
-            $targetEvent = $this->route('event');
-
-            if ($sourceEvent && $targetEvent && $sourceEvent->organisation_id !== $targetEvent->organisation_id) {
-                $validator->errors()->add('source_event_id', 'Source event must belong to the same organisation.');
-            }
-        });
-    }
 }